This will explain how to generate and install SSL certificates on your Synology NAS to get rid of the pesky SSL certificate errors. I’ll be explaining specifically how to generate and install from StartSSL, who gives out free SSL certificates.
First, you will need to own or control a domain name, and have a subdomain set up and CNAME pointed to your Synology NAS’s IP address. You can find a walkthrough on how to set that up by reading this article: Synology DiskStation on a subdomain with dynamic IP address.
Once that’s set up, head over to StartSSL and follow the steps outlined below to validate a domain name and generate an SSL certificate.
Validate a domain name
Select the Validations Wizard and choose type Domain Name Validation
Enter the domain name you wish to validate, and continue. You are validating only the base domain name.
Select an email address to which the validation code will be mailed to, and then continue.
Enter the validation code you received via email, and continue.
Generating your SSL certificate
After verifying your domain ownership, you can now generate the SSL certificate.
Select Certificates Wizard and choose Web Server SSL/TLS certificate, as in the image below.
Generate a private key by inputting a password of at least 10 characters, choosing your key length, and selecting SHA1.
On the next screen, you will be given your generated, encrypted, private key with instructions to save it to a file called ssl.key, and what to do with it. For now, just create a new text file on your desktop, call it “encrypted_ssl_key” (or whatever), and hang on to it for later. I’ll explain what to do with it in a few more steps.
Next, you’ll be prompted to add a verified domain to your SSL cert. Choose the previously validated base domain.
Next, you’ll be prompted to enter a subdomain to add to the certificate. This is where you enter your NAS’s subdomain. For example, if your root domain is example.com, and your NAS is accessible via myds.example.com, enter myds.
The ready processing certificate screen will show next, and should include both your base domain name and the subdomain, like this following image.
The following screen will appear, and prompt you to save the certificate, as well as the intermediate certificates, which you will need for the Synology NAS. Save the certificate in a file called ssl.crt as instructed. Hold on to both it, and the two downloaded intermediate certificates for the following steps.
Decrypt the private key
One more step before we install the certs onto the NAS box. Head over to the StartSSL toolbox and click on Decrypt Private Key.
In the top box, paste the saved encrypted private key that you generated and named ”encrypted_ssl_key” (or whatever). In the Passphrase box, enter the 10-character-or-so password that you set on it, and click decrypt. Save the decrypted key to a file called ssl.key.
Installing the SSL certs
Now we’re ready to install the SSL certs onto the Synology NAS. Log in as admin and head to Control Panel > Web Services. Click the HTTP Service tab and click Import Certificate.
For each of the following select the corresponding files
Private Key: Your decrypted ssl.key file
Certificate: Your ssl.crt file
Intermediate certificate: The sub.class1.server.ca.pem intermediate certificate you downloaded.
(If you forgot to download the intermediate certificates, you can get them again by following this link.)
Click ok, and you should see Restarting Web Server, like so
Assuming all went well, you should be able to go to the subdomain and see a good SSL certificate lock icon, like so in Chrome
Questions, comments, or otherwise, please feel free to share them in the comments below. Thank you!
27 comments
Skip to comment form ↓
Somebody
November 17, 2012 at 6:55 pm (UTC -5) Link to this comment
Hi, I currently use https://example.dyndns.org:5002 to access my Synology NAS externally.
Would it be possible to generate a certificate at startssl for the domain example.dyndns.org and use that and the keys on the NAS?
Thanks
Mike
November 17, 2012 at 8:25 pm (UTC -5) Link to this comment
No, as you don’t control the dyndns domain and cannot receive a validation email.
Somebody
November 20, 2012 at 4:57 pm (UTC -5) Link to this comment
Hi, could you please do a wiki to renew the certificates, which last for only a year? Thanks
Mike
November 20, 2012 at 7:21 pm (UTC -5) Link to this comment
I’m sure the process is similar enough, but I’ll consider it.
Markus
November 23, 2012 at 3:22 am (UTC -5) Link to this comment
Will this work on every Synology NAS? I own a Synology DS413j and would like to test it.
Mike
November 23, 2012 at 12:38 pm (UTC -5) Link to this comment
This should work on every Synology NAS, as they all run the DSM operating system.
Stepan
November 28, 2012 at 2:08 am (UTC -5) Link to this comment
Great guide, thank you very much!
Stepan
November 28, 2012 at 2:10 am (UTC -5) Link to this comment
Great guide, thank you!
Julien
November 30, 2012 at 2:56 pm (UTC -5) Link to this comment
Hi,
Thanks for this article, i have been doing all this and it´s working on chrome too for me.
I still have one question : internet explorer and chrome seems to be fine with this but not mozilla. Is it normal or have i done something wrong ? Startssl did not provide me any intermediate cetifcate, don’t know exactly how to get it now.
Mike
November 30, 2012 at 3:29 pm (UTC -5) Link to this comment
You can download the intermediate certificates again by following this link:
https://www.startssl.com/?app=21
There are several issues with Firefox, and you may want to review the StartSSL FAQ located here:
https://www.startssl.com/?app=25
andrew
January 21, 2013 at 12:15 pm (UTC -5) Link to this comment
this was awesome, thanks!
L
January 22, 2013 at 3:47 pm (UTC -5) Link to this comment
hi, is it also possible without owning a subdomain? e.g. I own example.com, added CNAME with the dyndns adress created within the diskstation and want to generate the SSL cert on the top-Level Domain
Mike
January 22, 2013 at 6:47 pm (UTC -5) Link to this comment
From the sound of it, you’re looking for a Class 2 SSL certificate.
AJ
February 1, 2013 at 12:32 pm (UTC -5) Link to this comment
Hello
I tried following the instructions, but when I try installing the certificates I get an “Illegal Certificate” error in DSM. Any advice on what to try?
Mike
February 1, 2013 at 12:37 pm (UTC -5) Link to this comment
You’re getting the error when you import the certificate to the DSM?
Are you running at least DSM 4.1 and importing the certificate and decrypted keyfile?
AJ
February 1, 2013 at 1:51 pm (UTC -5) Link to this comment
Yes, that’s correct. When I import the files, it thinks for a few seconds then a popup shows saying the certificates are illegal. I have my own domain registered with which I used to make the certificates at StartSSL. I tried importing both the decrypted and encrypted file to see if it made a difference, but sadly no.
Should I just generate brand new certificates or is there a way to check that they ones are OK?
Mike
February 1, 2013 at 1:57 pm (UTC -5) Link to this comment
Hmm… I would try generating new certificates and see what happens.
AJ
February 1, 2013 at 2:01 pm (UTC -5) Link to this comment
The only thing that is slightly different is the redirect that is setup at my dns registrar. For some reason I could not get http://www.example.com to redirect to https://example.synology.me using CNAME, so I instead used a URL redirect.
Mike
February 1, 2013 at 2:04 pm (UTC -5) Link to this comment
A CNAME isn’t a “redirect”, it’s more of an alias, so it won’t do any browser redirection.
I would take it that you’re creating the certificates against your ‘www.example.com’ domain? That’s going to cause an issue if the user’s browser is redirected to ‘example.synology.me’, as the destination URL and the URL inside the cert are never going to match.
Subah
February 6, 2013 at 3:29 pm (UTC -5) Link to this comment
My problem is with copying the keys and the crt :(
i don`t know why i copy the private key and then i try to Decrypt Private Key but i always get this message:
Error Decrypting Key
An error occured decrypting your private key. Verify the data and try it again
i am thinking the problem is my way to copy and paste and save the key !!
what just i do is copy and open the notepad and save it ?
but i do not know how to save it with ascii :(
so i think everything not work now with me :(
sander
February 8, 2013 at 10:11 am (UTC -5) Link to this comment
Hi Mike,
Thanks for the accurate and clear explanation. I found and tried several other people’s procedures, without success. Yours works like a charm!
Should be included in Synology’s help database!
Thanks again,
sander
the netherlands
Matthew
February 18, 2013 at 3:17 pm (UTC -5) Link to this comment
Thanks again for these two guides! They’re a great help for someone just starting with all of this, like me.
I have one question though. I’ve done basically exactly as you have. example.dynamicdns.org points to my router. Then I bought a domain example.com and created a subdomain- sub.example.com with a CNAME record that points back to example.dynamicdns.org. Then I obtained a cert for example.com and included sub.example.com.
What I’m wanting to know is can I make it point to the DSM login page instead of looking for webstation? Currently, I have to add the router port to the end of the URL.
Mike
February 18, 2013 at 3:19 pm (UTC -5) Link to this comment
It would probably be easiest if your router could do the port forwarding. Forward public port 80 to private port 5000/5001/7000/7001 for whatever suits your needs.
Marcel
February 21, 2013 at 2:10 am (UTC -5) Link to this comment
Hi,
I followed your guide.. But it is not working for me.
I installed my NAS, forwarded the ports 80, 5000, 5001 to the internal IP address of my NAS. Everything is working fine. I registered a domainname example.nl. I setup the DNS and test the domainname without the https connection. Everything works fine.
I installed the certificate and set the option to auto redirect to https connection on my NAS. If I connect with the internal IP address I can connect to my NAS but get a SSL error (thats fine). But if i type in my domainname http://www.example.nl I see the NAS redirected to https://www.example.nl:5001 but get a error in my browser “The webpage is not available”.
Anybody a idea what I’m doing wrong?
Thanks.
Hoss
April 9, 2013 at 3:43 pm (UTC -5) Link to this comment
Thank you!!!
Wim
April 17, 2013 at 5:00 am (UTC -5) Link to this comment
Although Mike’s guide looks quite clear to me it finally did not show me a happy end. I have two questions.
Before I start (in Windows7) with StartSSL do I have to install Apache Web Server and load the mod_ssl module to produce a proper certificate and key? If yes, where can I find more about the installing procedure.
In Windows as wel as in Chrome I have the following strange experience. Starting in tab Cerificates Wizard – Certifcate Target (Web Server SSL/TLS Certificate) – Gererate Private Key – Save Private Key: I can copy the (blue) content of the textbox, but when I go to a newly created file in Explorer the paste-button keeps in-active (grey). This copy/paste-failure only happens in the StartSSL-configuration.
Drag and paste doesn’t work either. Trying to find a solution I have already 3 “valid server certificates” in my SSL/TLS Server-section.
When my problem will be solved I want to get rid of two of the valid server certificates. Is that possible/neccesairy or can I just choose 1 of them.
Anyone who can show me some light in these mater(s)??
Thanks anyway,
Wim/The Hague/Holland
Mike
April 18, 2013 at 8:25 pm (UTC -5) Link to this comment
If you’re using a StartSSL certificate for your Synology NAS, there’s no reason to have to install anything in Windows. Perhaps you’re doing something wrong.
(Edit: thank you for posting your question as a comment!)