Setup SSL on Synology NAS: Difference between revisions

From Littledamien Wiki

Latest revision as of 15:05, 4 July 2023

Create a private root CA and a server certificate signed by it[edit]

Prerequisites[edit]

  • The DiskStation must have a fixed IP address on your LAN; the certificate names that address, so it must not change.
  • Administrator access on every device that will connect to the NAS, so the CA certificate can be installed there as trusted.

Create certificate on DiskStation[edit]

  • DSM > Control Panel > Security > Certificate
  • Click Add to start the process.
  • Choose Create self-signed certificate.
  • First create a Certificate Authority (CA). It signs the server certificate, and it is the CA, not the server certificate, that client machines should be told to trust: a server certificate renewed under the same CA then needs no redistribution.

Create Root Certificate

  • Private key length: 2048
  • Common name: MyCA (any name will do; this is the name under which Mac OS's Keychain Access lists the CA, see below)
  • Email: myemail@domain.com
  • Location: [US] United States of America
  • State/Province: [state name]
  • City: [city name]
  • Organization: myOrg (Any name will do)
  • Department: (Again, any name)
  • Click Next

Create Certificate

  • Private key length: 2048
  • Common name: [DiskStation static IP] (current browsers ignore the Common Name when matching the host; the Subject Alternative Name field below is what counts)
  • Email: myemail@domain.com
  • Location: [US] United States of America
  • State/Province: [state name]
  • City: [city name]
  • Organization: myOrg (Any name will do)
  • Department: (Again, any name)
  • Subject Alternative Name: [DiskStation static IP plus every host name you will type into a browser, e.g. the NAS name and its .local form, separated by semicolons]. A name missing here will produce a certificate error even though the CA is trusted.
  • Click Apply

Make the new certificate the default.

  • DSM > Control Panel > Security > Certificate
  • Select the new certificate in the list.
  • Click Configure
  • Select the certificate for System Default and any other relevant services.
  • Click Ok.
  • The web service will restart.

Renew existing certificate[edit]

  • DSM > Control Panel > Security > Certificate
  • Select the certificate that is expiring (or has expired) in the list.
  • Click Renew
    • Confirm the settings and renew.
  • Renewing issues a fresh server certificate. Machines that trust the CA (see Trust the certificate authority locally) need nothing further as long as the CA itself is still valid; machines that were told to trust the server certificate directly must be given the new cert.pem, as described next.

Updating the certificate on remote machines[edit]

  • DSM > Control Panel > Security > Certificate
  • Select the renewed certificate in the list.
  • Action > Export certificate
  • It will prompt to save a zip file. The default name is archive.zip. Consider changing this to something more meaningful, e.g. [NAS-HOST-NAME]-[YEAR].zip
  • The archive holds the certificate files and the private keys (privkey.pem and, for a self-signed CA, syno-ca-privkey.pem). Only the certificate files are needed on a client; delete the key files from the client after importing, and keep the archive itself somewhere private.
  • On the remote machine's file system, double click the archive to extract it.
  • On the remote machine (Mac OS), open Keychain Access.
    • Find the expired certificate and delete it. This will require entering an admin password.
    • Go into the folder where the exported certificate was saved.
      • Double click cert.pem.
      • On Mac OS, this will cause the certificate to be imported into the Keychain Access app.
    • In Keychain Access double click the new certificate.
      • Expand the Trust group.
      • When using this certificate: Always trust
      • Enter admin password when prompted.
      • Close the dialog.
  • In Chrome enter: https://[NAS-IP-ADDRESS]:5001
  • Log in to the DSM.
  • Chrome will also accept https://[NAS-HOSTNAME]:5001, provided that host name is one of the aliases listed in the certificate's Subject Alternative Name field; a name that is not listed there is rejected regardless of how the certificate was trusted.
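The following script is an added example, not part of the wiki page: it reproduces what the two wizard pages above do (a root CA, then a server certificate signed by it whose Subject Alternative Name carries the IP and the aliases) with openssl, and then runs the checks worth making on the files DSM exports in archive.zip before and after a renewal: the chain verifies against syno-ca-cert.pem, the names you will type are in the SAN, the certificate is not about to expire, and which files hold private keys. The IP 192.168.1.10, the host name diskstation, the 397-day lifetime and the file names other than those DSM itself uses are assumptions for the example.

```shell
#!/bin/sh
# Added example (not from the wiki): DSM's self-signed wizard done with openssl,
# plus the checks to run on an exported archive. Assumed values, not from the
# page: NAS_IP 192.168.1.10, NAS_HOST diskstation, 397-day server certificate.
set -eu

NAS_IP="${NAS_IP:-192.168.1.10}"
NAS_HOST="${NAS_HOST:-diskstation}"
WORK="${WORK:-$(mktemp -d)}"

# Wizard page 1, "Create Root Certificate": a self-signed CA. Its Common Name is
# what Keychain Access will display, so keep it recognisable.
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
        -subj "/CN=MyCA/O=myOrg" \
        -keyout "$WORK/syno-ca-privkey.pem" -out "$WORK/syno-ca-cert.pem" 2>/dev/null
}

# Wizard page 2, "Create Certificate": a server certificate signed by that CA.
# Browsers match the host only against the SAN list, so the IP goes in as an
# IP: entry and every alias as a DNS: entry (the wizard's semicolon list).
make_leaf() {
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -subj "/CN=$NAS_IP/O=myOrg" \
        -keyout "$WORK/privkey.pem" -out "$WORK/server.csr" 2>/dev/null
    printf 'subjectAltName=IP:%s,DNS:%s,DNS:%s.local\nextendedKeyUsage=serverAuth\n' \
        "$NAS_IP" "$NAS_HOST" "$NAS_HOST" > "$WORK/san.ext"
    openssl x509 -req -in "$WORK/server.csr" -sha256 -days 397 \
        -CA "$WORK/syno-ca-cert.pem" -CAkey "$WORK/syno-ca-privkey.pem" -CAcreateserial \
        -extfile "$WORK/san.ext" -out "$WORK/cert.pem" 2>/dev/null
}

# --- checks for an exported archive -------------------------------------------

verify_chain() {    # verify_chain CAFILE CERT -> 0 if CERT chains to CAFILE
    openssl verify -CAfile "$1" "$2" >/dev/null
}

san_has() {         # san_has CERT ENTRY -> 0 if ENTRY (e.g. "DNS:diskstation") is in the SAN
    openssl x509 -in "$1" -noout -ext subjectAltName | grep -qF "$2"
}

expires_within() {  # expires_within CERT SECONDS -> 0 if CERT expires within SECONDS
    ! openssl x509 -in "$1" -noout -checkend "$2" >/dev/null
}

private_keys_in() { # private_keys_in DIR -> the .pem files that contain a private key
    grep -l "PRIVATE KEY" "$1"/*.pem 2>/dev/null || true
}

main() {
    make_ca
    make_leaf
    verify_chain "$WORK/syno-ca-cert.pem" "$WORK/cert.pem"
    san_has "$WORK/cert.pem" "IP Address:$NAS_IP"
    san_has "$WORK/cert.pem" "DNS:$NAS_HOST"
    if expires_within "$WORK/cert.pem" $((30 * 86400)); then
        echo "cert.pem expires within 30 days: renew it in DSM" >&2
    fi
    echo "chain and SAN checks passed for $WORK/cert.pem"
    echo "files holding private keys (do not leave these on client machines):"
    private_keys_in "$WORK"
}

main
```

Run it as is to see the generated files, or point the check functions at the contents of an extracted archive.zip: `verify_chain syno-ca-cert.pem cert.pem` fails after the CA has been replaced, and `san_has cert.pem "DNS:name"` is the quickest way to find out why a host name still gives a certificate error.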

Trust the certificate authority locally[edit]

Mac OS[edit]

Export the certificate.

  • DSM > Control Panel > Security > Certificate
  • Select the certificate in the list.
  • Action > Export certificate
  • Save the zip file locally and expand it.

Add the certificate issuer (the CA) to the keychain as a trusted certificate authority. The issuer is the file syno-ca-cert.pem in the exported archive; importing cert.pem instead trusts only the current server certificate, which then has to be repeated after every renewal.

  • Double click on the CA certificate (syno-ca-cert.pem) to open the Mac OS Keychain Access app.
  • The Add Certificates dialog opens automatically the first time the certificate is added.
    • Set Keychain to "System".
    • Click Add.
    • Enter password into admin credentials prompt.
  • Keychain Access app > System Keychains group > System
  • Look for the CA's Common Name (MyCA in the example above) under Name and double click that line.
    • Expand the Trust group.
    • When using this certificate: Always trust
    • Close the dialog.
    • Enter password into admin credentials prompt.
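For repeating the Keychain Access steps on several Macs, the same work can be done with macOS's security(1) command. The script below is an added example, not from the wiki: it removes the previous CA entry, imports the exported syno-ca-cert.pem into the System keychain marked as trusted for TLS, and shows what the keychain now holds. The file name is the one DSM exports and MyCA is the page's example Common Name; the fingerprint printed before importing is there to be compared with what DSM shows, so that a swapped file is not granted root trust. On a non-Mac host, or with DRY_RUN=1, the script only prints the commands it would run.

```shell
#!/bin/sh
# Added example (not from the wiki): CLI equivalent of the Keychain Access
# clicks, for rolling a renewed CA out to several Macs. Assumes DSM's exported
# file name syno-ca-cert.pem and the CA name MyCA used on the page.
set -eu

KEYCHAIN="/Library/Keychains/System.keychain"
CA_NAME="${CA_NAME:-MyCA}"

# Commands are built as strings so the plan can be printed (DRY_RUN=1) or
# checked before anything touches the keychain.
remove_old_cmd() {  # remove_old_cmd NAME -> delete the keychain cert with that CN and its trust settings
    printf 'sudo security delete-certificate -c "%s" -t "%s"\n' "$1" "$KEYCHAIN"
}

trust_ca_cmd() {    # trust_ca_cmd CAFILE -> import as a trusted root, limited to TLS use
    printf 'sudo security add-trusted-cert -d -r trustRoot -p ssl -p basic -k "%s" "%s"\n' \
        "$KEYCHAIN" "$1"
}

show_cmd() {        # show_cmd NAME -> SHA-256 fingerprint of what the keychain now holds
    printf 'security find-certificate -c "%s" -p "%s" | openssl x509 -noout -fingerprint -sha256\n' \
        "$1" "$KEYCHAIN"
}

fingerprint() {     # fingerprint CERT -> SHA-256 fingerprint of the file about to be trusted
    openssl x509 -in "$1" -noout -fingerprint -sha256
}

run() {             # run CMD -> execute on macOS, otherwise (or with DRY_RUN=1) print the plan
    if [ "${DRY_RUN:-0}" = "1" ] || [ "$(uname -s)" != "Darwin" ]; then
        printf '[plan] %s\n' "$1"
    else
        sh -c "$1"
    fi
}

update_ca() {       # update_ca CAFILE: replace the old CA entry and verify the result
    echo "about to trust: $(fingerprint "$1")"
    run "$(remove_old_cmd "$CA_NAME")"
    run "$(trust_ca_cmd "$1")"
    run "$(show_cmd "$CA_NAME")"
}

# Usage: update_ca /path/to/syno-ca-cert.pem
[ $# -eq 1 ] && update_ca "$1"
```

The `-p ssl -p basic` restriction is deliberate: the Keychain Access "Always trust" setting trusts the CA for every purpose, including code signing, which a NAS certificate authority has no business doing.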

Connecting to DiskStation via SSL[edit]

  • Use https://, not http://.
  • Use port 5001 (HTTPS) and not port 5000 (HTTP).
  • To stop plain-HTTP logins altogether, enable Automatically redirect HTTP connections to HTTPS under DSM > Control Panel > Network > DSM Settings.

Reference[edit]

  • Guide to add self-generated root certificate authorities for 8 operating systems and browsers - BounCA, https://www.bounca.org/tutorials/install_root_certificate.html
  • [SOLVED] Correctly installing self-signed cert on home network - Synology community forums, https://community.synology.com/enu/forum/17/post/115841