Setup SSL on Synology NAS

From Littledamien Wiki

Create a self-signed SSL certificate and a root CA to sign it

Prerequisites

  • Diskstation must have a fixed IP address on your LAN.
  • Ability to add or assign certificates to devices you want to approve your SSL.

Create certificate on DiskStation

  • DSM > Control Panel > Security > Certificate
  • Click Add to start the process
  • Choose Create self-signed certificate
  • First create a Certificate Authority (CA) that will sign the site's SSL certificate

Create Root Certificate

  • Private key length: 2048
  • Common name: MyCA (Any name will do, but this name is how the certificate will be identified in Mac OS's Keychain Access (see below))
  • Email: myemail@domain.com
  • Location: [US] United States of America
  • State/Province: [state name]
  • City: [city name]
  • Organization: myOrg (Any name will do)
  • Department: (Again, any name)
  • Click Next

Create Certificate

  • Private key length: 2048
  • Common name: [DiskStation static IP]
  • Email: myemail@domain.com
  • Location: [US] United States of America
  • State/Province: [state name]
  • City: [city name]
  • Organization: myOrg (Any name will do)
  • Department: (Again, any name)
  • Subject Alternative Name: [Diskstation static IP plus any aliases, separated by semicolons]
  • Click Apply

Make the new certificate the default.

  • DSM > Control Panel > Security > Certificate
  • Select the new certificate in the list.
  • Click Configure
  • Select the certificate for System Default and any other relevant services.
  • Click OK.
  • The web service will restart.

Renew existing certificate

  • DSM > Control Panel > Security > Certificate
  • Select the new certificate in the list.
  • Click Renew
    • Confirm the settings and renew.

Updating the certificate on remote machines

  • DSM > Control Panel > Security > Certificate
  • Select the new certificate in the list.
  • Action > Export certificate
  • It will prompt to save a zip file. The default name is archive.zip. Consider changing this to something more meaningful, e.g. [NAS-HOST-NAME]-[YEAR].zip
  • On the remote machine's file system, double click the archive to extract it.
  • On the remote machine (Mac OS), open Keychain Access.
    • Find the expired certificate and delete it. This will require entering an admin password.
    • Go into the folder where the exported certificate was saved.
      • Double click cert.pem.
      • On Mac OS, this will cause the certificate to be imported into the Keychain Access app.
    • In Keychain Access double click the new certificate.
      • Expand the Trust group.
      • When using this certificate: Always trust
      • Enter admin password when prompted.
      • Close the dialog.
  • In Chrome enter: https://[NAS-IP-ADDRESS]:5001
  • Log in to the DSM.
  • Once logged in using the IP address, Chrome will accept the NAS's host name, i.e. https://[NAS-HOSTNAME]:5001

Trust the certificate authority locally

Mac OS

Export the certificate.

  • DSM > Control Panel > Security > Certificate
  • Select the certificate in the list.
  • Action > Export certificate
  • Save the zip file locally and expand it.

Add certificate issuer to keychain as a trusted certificate authority.

  • Double click on the certificate (syno-ca-cert.pem) to open the Mac OS Keychain Access app.
  • The Add Certificate dialog will open automatically the first time the host is added.
    • Set Keychain to "system".
    • Click Add.
    • Enter password into admin credentials prompt.
  • Keychain Access app > System Keychains group > System
  • Look for the host under Name and double click that line.
    • Expand the Trust group.
    • When using this certificate: Always trust
    • Close the dialog.
    • Enter password into admin credentials prompt.
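
Before setting a certificate to Always trust, it is worth confirming that the exported cert.pem really is signed by syno-ca-cert.pem, has not expired, and lists the address you will type into the browser in its Subject Alternative Name. The script below is an added example, not part of the original wiki page; it assumes the openssl command-line tool is available on the remote machine, and the script name, function names and sample address are illustrative.

```shell
#!/bin/sh
# Added example: check a DSM certificate export before marking it "Always trust".
# Usage: sh check_nas_cert.sh syno-ca-cert.pem cert.pem 192.168.1.50
# (script name, function names and the sample IP are illustrative assumptions)

# Succeeds only if the server certificate was signed by the given CA.
cert_chains_to_ca() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Prints the SAN entries one per line, e.g. "IP Address:192.168.1.50".
cert_san_entries() {
    openssl x509 -in "$1" -noout -text |
        grep -A1 'Subject Alternative Name' | tail -n 1 |
        tr ',' '\n' | sed 's/^ *//'
}

# Succeeds if the name typed into the browser is listed in the SAN.
# Exact match only: wildcard entries are not expanded.
cert_covers_name() {
    cert_san_entries "$1" | grep -Fxqi -e "IP Address:$2" -e "DNS:$2"
}

# Returns 0 = ok, 1 = not signed by this CA, 2 = expired, 3 = name not in SAN.
check_nas_cert() {
    ca=$1; cert=$2; name=$3
    if ! openssl x509 -in "$cert" -noout -checkend 0 >/dev/null 2>&1; then
        echo "FAIL: $cert has expired or cannot be read"; return 2
    fi
    if ! cert_chains_to_ca "$ca" "$cert"; then
        echo "FAIL: $cert is not signed by $ca"; return 1
    fi
    if ! cert_covers_name "$cert" "$name"; then
        echo "FAIL: $name is not in the Subject Alternative Name:"
        cert_san_entries "$cert"; return 3
    fi
    echo "OK: $cert is valid for $name; CA fingerprint to compare in Keychain Access:"
    openssl x509 -in "$ca" -noout -fingerprint -sha256
}

# Run the check when called with: <ca.pem> <cert.pem> <ip-or-hostname>
if [ "$#" -eq 3 ]; then
    check_nas_cert "$@"
fi
```

A return code of 3 means the browser will still warn for that address even after the CA is trusted, so add the missing IP or alias to the Subject Alternative Name field and re-issue the certificate.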

Connecting to DiskStation via SSL

  • Use https, of course.
  • Use port 5001 and not port 5000 (http).

Reference