Setup SSL on Synology NAS: Difference between revisions

From Littledamien Wiki
Line 81: Line 81:
* [https://www.bounca.org/tutorials/install_root_certificate.html Guide to add self-generated root certificate authorities for 8 operating systems and browsers] - BounCA
* [https://www.bounca.org/tutorials/install_root_certificate.html Guide to add self-generated root certificate authorities for 8 operating systems and browsers] - BounCA
* [https://community.synology.com/enu/forum/17/post/115841 <nowiki>[</nowiki>SOLVED<nowiki>]</nowiki> Correctly installing self-signed cert on home network] - Synology community forums
* [https://community.synology.com/enu/forum/17/post/115841 <nowiki>[</nowiki>SOLVED<nowiki>]</nowiki> Correctly installing self-signed cert on home network] - Synology community forums
[[SSL]][[Synology]]
[[Category:SSL]][[Category:Synology]]

Revision as of 19:10, 12 January 2023

Create a self-signed SSL certificate and a root CA to sign it

Prerequisites

  • DiskStation must have a fixed IP address on your LAN.
  • Ability to add or assign certificates on the devices that should trust your SSL certificate.

Create certificate on DiskStation

  • DSM > Control Panel > Security > Certificate
  • Click Add to start the process
  • Choose Create self-signed certificate
  • First create a Certificate Authority (CA) that will sign the site's SSL certificate

Create Root Certificate

  • Private key length: 2048
  • Common name: MyCA (Any name will do, but this is the name under which the certificate will be listed in Mac OS's Keychain Access; see below)
  • Email: myemail@domain.com
  • Location: [US] United States of America
  • State/Province: [state name]
  • City: [city name]
  • Organization: myOrg (Any name will do)
  • Department: (Again, any name)
  • Click Next

Create Certificate

  • Private key length: 2048
  • Common name: [DiskStation static IP]
  • Email: myemail@domain.com
  • Location: [US] United States of America
  • State/Province: [state name]
  • City: [city name]
  • Organization: myOrg (Any name will do)
  • Department: (Again, any name)
  • Subject Alternative Name: [DiskStation static IP plus any aliases, separated by semicolons]
  • Click Apply

Make the new certificate the default.

  • DSM > Control Panel > Security > Certificate
  • Select the new certificate in the list.
  • Click Configure
  • Select the certificate for System Default and any other relevant services.
  • Click OK.
  • The web service will restart.

Trust the certificate authority locally

Mac OS

Export the certificate.

  • DSM > Control Panel > Security > Certificate
  • Select the certificate in the list.
  • Action > Export certificate
  • Save the zip file locally and expand it.

Add certificate issuer to keychain as a trusted certificate authority.

  • Double click on the certificate (syno-ca-cert.pem) to open the Mac OS Keychain Access app.
  • The Add Certificate dialog will open automatically the first time the host is added.
    • Set Keychain to "System".
    • Click Add.
    • Enter password into admin credentials prompt.
  • Keychain Access app > System Keychains group > System
  • Look for the host under Name and double click that line.
    • Expand the Trust group.
    • When using this certificate: Always trust
    • Close the dialog.
    • Enter password into admin credentials prompt.
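
The exported files can be checked from Terminal to confirm that the server certificate really is signed by the CA being trusted and that its Subject Alternative Name lists the DiskStation's IP. This is an added example, not part of the original wiki page. It assumes the OpenSSL command-line tool is installed and that the server certificate in the exported zip is named cert.pem (only syno-ca-cert.pem is named on this page). check_nas_cert and make_demo_pki are hypothetical helper names, and 192.168.1.50 is a constructed address.

```shell
#!/bin/sh
# Added example (not from the original page). Requires the OpenSSL CLI.

# check_nas_cert CA_PEM CERT_PEM IP
# Returns 0 only if CERT_PEM is signed by CA_PEM, lists IP in its
# Subject Alternative Name, and has not expired.
check_nas_cert() {
    ca=$1; cert=$2; ip=$3
    # 1. Chain check. Match on ": OK" rather than the exit status,
    #    because some older builds exit 0 even when verification fails.
    openssl verify -CAfile "$ca" "$cert" 2>/dev/null | grep -q ': OK$' \
        || { echo "FAIL: $cert is not signed by $ca" >&2; return 1; }
    # 2. SAN check. Split the SAN line on commas and require an exact
    #    match, so that 192.168.1.5 does not match 192.168.1.50.
    openssl x509 -in "$cert" -noout -text | tr ',' '\n' \
        | sed 's/^ *//; s/ *$//' | grep -Fxq "IP Address:$ip" \
        || { echo "FAIL: $ip is not in the Subject Alternative Name" >&2; return 2; }
    # 3. Expiry check.
    openssl x509 -in "$cert" -noout -checkend 0 >/dev/null 2>&1 \
        || { echo "FAIL: $cert has expired" >&2; return 3; }
    echo "OK: $cert chains to $ca and covers $ip"
}

# make_demo_pki DIR IP
# Constructed sample input: a throwaway CA (syno-ca-cert.pem) and a server
# certificate (cert.pem, assumed name) shaped like the pair created in DSM.
make_demo_pki() {
    d=$1; ip=$2
    printf '[req]\ndistinguished_name=dn\n[dn]\ncommonName=CN\n' > "$d/ca.cnf"
    printf '[v3_ca]\nbasicConstraints=critical,CA:TRUE\n' >> "$d/ca.cnf"
    printf 'subjectAltName=IP:%s,DNS:nas.example\n' "$ip" > "$d/san.cnf"
    openssl req -x509 -config "$d/ca.cnf" -extensions v3_ca -newkey rsa:2048 \
        -nodes -subj "/CN=MyCA" -days 1 \
        -keyout "$d/ca.key" -out "$d/syno-ca-cert.pem" 2>/dev/null
    openssl req -new -config "$d/ca.cnf" -newkey rsa:2048 -nodes \
        -subj "/CN=$ip" -keyout "$d/privkey.pem" -out "$d/cert.csr" 2>/dev/null
    openssl x509 -req -in "$d/cert.csr" -CA "$d/syno-ca-cert.pem" \
        -CAkey "$d/ca.key" -CAcreateserial -days 1 \
        -extfile "$d/san.cnf" -out "$d/cert.pem" 2>/dev/null
}

# Against a real export: check_nas_cert syno-ca-cert.pem cert.pem <DiskStation IP>
```

A pass here says nothing about the keychain trust setting itself; it only confirms that the CA file being trusted is the one that signed the certificate DSM serves.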

Connecting to DiskStation via SSL

  • Use https, of course.
  • Use port 5001 and not port 5000 (http).

Reference