StartSSL SSL Certificate on Synology NAS using subdomain

This guide explains how to generate and install SSL certificates on your Synology NAS to get rid of the pesky SSL certificate errors. Specifically, I’ll cover generating and installing a certificate from StartSSL, which gives out free SSL certificates.

First, you will need to own or control a domain name, and have a subdomain set up and CNAME pointed to your Synology NAS’s IP address. You can find a walkthrough on how to set that up by reading this article. If you are having trouble with certificate domain mismatches, make sure you have read this article first: Synology DiskStation on a subdomain with dynamic IP address.

Once that’s set up, head over to StartSSL and follow the steps outlined below to validate a domain name and generate an SSL certificate.

Validate a domain name

Select the Validations Wizard and choose type Domain Name Validation


Enter the domain name you wish to validate, and continue. You are validating only the base domain name.


Select an email address to which the validation code will be mailed, and then continue.


Enter the validation code you received via email, and continue.


Generating your SSL certificate

After verifying your domain ownership, you can now generate the SSL certificate.

Select Certificates Wizard and choose Web Server SSL/TLS certificate.


Generate a private key by inputting a password of at least 10 characters, choosing your key length, and selecting SHA1.

On the next screen, you will be given your generated, encrypted, private key with instructions to save it to a file called ssl.key, and what to do with it. For now, just create a new text file on your desktop, call it “encrypted_ssl_key” (or whatever), and hang on to it for later. I’ll explain what to do with it in a few more steps.


Next, you’ll be prompted to add a verified domain to your SSL cert. Choose the previously validated base domain.


Next, you’ll be prompted to enter a subdomain to add to the certificate. This is where you enter your NAS’s subdomain. For example, if your root domain is, and your NAS is accessible via, enter myds.

The ready processing certificate screen will show next, and should include both your base domain name and the subdomain.


The following screen will appear, and prompt you to save the certificate, as well as the intermediate certificates, which you will need for the Synology NAS. Save the certificate in a file called ssl.crt as instructed. Hold on to it and the two downloaded intermediate certificates for the following steps.


Decrypt the private key

One more step before we install the certs onto the NAS box. Head over to the StartSSL toolbox and click on Decrypt Private Key.


In the top box, paste the saved encrypted private key that you generated and named “encrypted_ssl_key” (or whatever). In the Passphrase box, enter the 10-character-or-so password that you set on it, and click decrypt. Save the decrypted key to a file called ssl.key.
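A local alternative to the web toolbox, plus checks worth running before the import, as an added example that is not part of the original article: it strips the passphrase with OpenSSL on your own machine and confirms that key, certificate, host name and CA chain agree. The throwaway CA, the passphrase, myds.example.com and the file names ca.pem, ca.key, ssl.csr and san.ext are constructed for the demonstration; with real files, pass your own ssl.crt, ssl.key and a PEM bundle of the downloaded CA certificates.

```shell
#!/bin/sh
# Added example: pre-import checks for the article's ssl.key / ssl.crt files.
# All sample material below is constructed; the passphrase is read from $KEY_PASS.

# Remove the passphrase locally, so the private key never leaves this machine.
decrypt_key() {   # $1 encrypted key, $2 output file (created with mode 0600)
    ( umask 077; openssl rsa -in "$1" -passin env:KEY_PASS -out "$2" 2>/dev/null )
}

# True only when the private key and the certificate carry the same public key.
key_matches_cert() {   # $1 decrypted key, $2 certificate
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null)
    c=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null)
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# True only when the certificate is valid for the host name users will type.
cert_covers_host() {   # $1 certificate, $2 host name
    openssl x509 -in "$1" -noout -checkhost "$2" | grep -q 'does match'
}

# True only when the certificate chains to the downloaded CA certificates.
chain_verifies() {   # $1 certificate, $2 PEM bundle of the CA certificates
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# Constructed stand-ins for the StartSSL downloads: throwaway CA, key and cert.
make_sample() {   # $1 directory to fill
    export KEY_PASS='constructed-passphrase'
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj '/CN=Constructed CA' \
        -keyout "$1/ca.key" -out "$1/ca.pem" 2>/dev/null
    openssl genrsa -aes256 -passout env:KEY_PASS -out "$1/encrypted_ssl_key" 2048 2>/dev/null
    openssl req -new -key "$1/encrypted_ssl_key" -passin env:KEY_PASS \
        -subj '/CN=example.com' -out "$1/ssl.csr"
    printf 'subjectAltName=DNS:example.com,DNS:myds.example.com\n' > "$1/san.ext"
    openssl x509 -req -in "$1/ssl.csr" -CA "$1/ca.pem" -CAkey "$1/ca.key" \
        -CAcreateserial -extfile "$1/san.ext" -days 1 -out "$1/ssl.crt" 2>/dev/null
}

dir=$(mktemp -d) && make_sample "$dir" && decrypt_key "$dir/encrypted_ssl_key" "$dir/ssl.key"
key_matches_cert "$dir/ssl.key" "$dir/ssl.crt"   && echo "key matches certificate"
cert_covers_host "$dir/ssl.crt" myds.example.com && echo "certificate covers myds.example.com"
chain_verifies "$dir/ssl.crt" "$dir/ca.pem"      && echo "chain verifies"
rm -rf "$dir"
```

A failed key or host name check means the wrong file was saved or the subdomain was left off the certificate, which is cheaper to find here than after the import.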

Installing the SSL certs

Now we’re ready to install the SSL certs onto the Synology NAS. Log in as admin and head to Control Panel > Web Services. Click the HTTP Service tab and click Import Certificate.

For each of the following, select the corresponding file:

Private Key: Your decrypted ssl.key file

Certificate: Your ssl.crt file

Intermediate certificate: The intermediate certificate you downloaded.

(If you forgot to download the intermediate certificates, you can get them again by following this link.)

Click OK, and you should see Restarting Web Server.


Assuming all went well, you should be able to go to the subdomain and see a good SSL certificate lock icon in Chrome.


Questions, comments, or otherwise, please feel free to share them in the comments below. Thank you!



  1. #1 by Somebody on November 17, 2012 - 6:55 pm

    Hi, I currently use to access my Synology NAS externally.

    Would it be possible to generate a certificate at startssl for the domain and use that and the keys on the NAS?


    • #2 by Mike on November 17, 2012 - 8:25 pm

      No, as you don’t control the dyndns domain and cannot receive a validation email.

  2. #3 by Somebody on November 20, 2012 - 4:57 pm

    Hi, could you please do a wiki to renew the certificates, which last for only a year? Thanks

    • #4 by Mike on November 20, 2012 - 7:21 pm

      I’m sure the process is similar enough, but I’ll consider it.

  3. #5 by Markus on November 23, 2012 - 3:22 am

    Will this work on every Synology NAS? I own a Synology DS413j and would like to test it.

    • #6 by Mike on November 23, 2012 - 12:38 pm

      This should work on every Synology NAS, as they all run the DSM operating system.

  4. #7 by Stepan on November 28, 2012 - 2:08 am

    Great guide, thank you very much!

  5. #8 by Stepan on November 28, 2012 - 2:10 am

    Great guide, thank you!

  6. #9 by Julien on November 30, 2012 - 2:56 pm


    Thanks for this article, I have been doing all this and it’s working on Chrome too for me.

    I still have one question: Internet Explorer and Chrome seem to be fine with this but not Mozilla. Is it normal or have I done something wrong? StartSSL did not provide me any intermediate certificate, don’t know exactly how to get it now.

  7. #11 by andrew on January 21, 2013 - 12:15 pm

    this was awesome, thanks!

  8. #12 by L on January 22, 2013 - 3:47 pm

    Hi, is it also possible without owning a subdomain? e.g. I own, added CNAME with the dyndns address created within the diskstation and want to generate the SSL cert on the top-level domain

    • #13 by Mike on January 22, 2013 - 6:47 pm

      From the sound of it, you’re looking for a Class 2 SSL certificate.

  9. #14 by AJ on February 1, 2013 - 12:32 pm

    I tried following the instructions, but when I try installing the certificates I get an “Illegal Certificate” error in DSM. Any advice on what to try?

    • #15 by Mike on February 1, 2013 - 12:37 pm

      You’re getting the error when you import the certificate to the DSM?

      Are you running at least DSM 4.1 and importing the certificate and decrypted keyfile?

      • #16 by AJ on February 1, 2013 - 1:51 pm

        Yes, that’s correct. When I import the files, it thinks for a few seconds then a popup shows saying the certificates are illegal. I have my own domain registered with which I used to make the certificates at StartSSL. I tried importing both the decrypted and encrypted file to see if it made a difference, but sadly no.

        Should I just generate brand new certificates or is there a way to check that these ones are OK?

        • #17 by Mike on February 1, 2013 - 1:57 pm

          Hmm… I would try generating new certificates and see what happens.

          • #18 by AJ on February 1, 2013 - 2:01 pm

            The only thing that is slightly different is the redirect that is set up at my DNS registrar. For some reason I could not get to redirect to using CNAME, so I instead used a URL redirect.

          • #19 by Mike on February 1, 2013 - 2:04 pm

            A CNAME isn’t a “redirect”, it’s more of an alias, so it won’t do any browser redirection.

            I would take it that you’re creating the certificates against your ‘’ domain? That’s going to cause an issue if the user’s browser is redirected to ‘’, as the destination URL and the URL inside the cert are never going to match.

  10. #20 by Subah on February 6, 2013 - 3:29 pm

    My problem is with copying the keys and the crt :(
    I don’t know why; I copy the private key and then I try to Decrypt Private Key but I always get this message:
    Error Decrypting Key
    An error occured decrypting your private key. Verify the data and try it again
    I am thinking the problem is my way of copying, pasting and saving the key!!
    What I do is just copy, open Notepad and save it?
    But I do not know how to save it as ASCII :(
    So I think nothing works for me now :(

  11. #21 by sander on February 8, 2013 - 10:11 am

    Hi Mike,
    Thanks for the accurate and clear explanation. I found and tried several other people’s procedures, without success. Yours works like a charm!
    Should be included in Synology’s help database!
    Thanks again,
    The Netherlands

  12. #22 by Matthew on February 18, 2013 - 3:17 pm

    Thanks again for these two guides! They’re a great help for someone just starting with all of this, like me.

    I have one question though. I’ve done basically exactly as you have. points to my router. Then I bought a domain and created a subdomain- with a CNAME record that points back to Then I obtained a cert for and included

    What I’m wanting to know is can I make it point to the DSM login page instead of looking for webstation? Currently, I have to add the router port to the end of the URL.

    • #23 by Mike on February 18, 2013 - 3:19 pm

      It would probably be easiest if your router could do the port forwarding. Forward public port 80 to private port 5000/5001/7000/7001 for whatever suits your needs.

  13. #24 by Marcel on February 21, 2013 - 2:10 am


    I followed your guide.. But it is not working for me.

    I installed my NAS, forwarded the ports 80, 5000, 5001 to the internal IP address of my NAS. Everything is working fine. I registered a domain name I set up the DNS and test the domain name without the https connection. Everything works fine.

    I installed the certificate and set the option to auto redirect to https connection on my NAS. If I connect with the internal IP address I can connect to my NAS but get an SSL error (that’s fine). But if I type in my domain name I see the NAS redirected to but get an error in my browser “The webpage is not available”.

    Anybody have an idea what I’m doing wrong?


  14. #25 by Hoss on April 9, 2013 - 3:43 pm

    Thank you!!!

  15. #26 by Wim on April 17, 2013 - 5:00 am

    Although Mike’s guide looks quite clear to me it finally did not show me a happy end. I have two questions.

    Before I start (in Windows 7) with StartSSL do I have to install Apache Web Server and load the mod_ssl module to produce a proper certificate and key? If yes, where can I find more about the installation procedure?

    In Windows as well as in Chrome I have the following strange experience. Starting in tab Certificates Wizard – Certificate Target (Web Server SSL/TLS Certificate) – Generate Private Key – Save Private Key: I can copy the (blue) content of the textbox, but when I go to a newly created file in Explorer the paste button stays inactive (grey). This copy/paste failure only happens in the StartSSL configuration.
    Drag and paste doesn’t work either. Trying to find a solution I have already 3 “valid server certificates” in my SSL/TLS Server section.
    When my problem is solved I want to get rid of two of the valid server certificates. Is that possible/necessary or can I just choose 1 of them?

    Anyone who can show me some light in these matter(s)??

    Thanks anyway,
    Wim/The Hague/Holland

    • #27 by Mike on April 18, 2013 - 8:25 pm

      If you’re using a StartSSL certificate for your Synology NAS, there’s no reason to have to install anything in Windows. Perhaps you’re doing something wrong.

      (Edit: thank you for posting your question as a comment!)

  16. #28 by Michael on July 27, 2013 - 7:26 pm

    Your instruction is excellent. But I have three questions.
    My web address is without any subdomain. How should the process of certificate creation be altered for this particular case?
    DSM4.2 allows the export of installed certificates and keys. This produces four files: ca.crt, ca.key, server.crt, server.key. In your instructions, three files are imported. Please can you explain this difference?
    Do you have an instruction for the renewal process after one year?

    • #29 by Mike on July 27, 2013 - 7:32 pm

      Your instruction is excellent. But I have three questions.
      My web address is without any subdomain. How should the process of certificate creation be altered for this particular case?

      You need to either use a subdomain or use a Class-2 (wild card) SSL certificate.

      DSM4.2 allows the export of installed certificates and keys. This produces four files: ca.crt, ca.key, server.crt, server.key. In your instructions, three files are imported. Please can you explain this difference?

      Only import the required files.

      Do you have an instruction for the renewal process after one year?

      Simply import the new certificates.

  17. #30 by Noel on November 13, 2013 - 6:54 am

    I try to install a certificate (StartSSL) for my Synology DS412. I followed your instructions for domain and subdomain, and connected them with DynDNS hostname. It works. My question (probably a newbie one…) is: when you write for Validate a Domain Name (on StartSSL site):

    Select an email address to which the validation code will be mailed to, and then continue.
    o Webmaster@…
    Generating your SSL certificate
    After verifying your domain ownership, you can now generate the SSL certificate.

    Where and how can I read the mail ? I have any else e-mail addresses than these my Internet access provider provides … ?
    Thank you.

    • #31 by admin on November 14, 2013 - 5:22 pm

      You need to make sure that whatever address you’re selecting is deliverable. If you don’t have email service on your domain, you’ll need to set that up beforehand.

      • #32 by METAILLIER on November 19, 2013 - 7:18 am

        Thank you a lot for your instructions and answer. Things finally went OK. I assume 2 possible issues before: 1/ time for propagation of personal information is very long (one full week); 2/ in DynDNS contact, by default, the first name is not registered (there is a dash instead). So after having unsuccessfully tested for 8 days, but also just after having added the first name, StartSSL Validation Wizard showed my regular mail address in the list. Then all went as expected. Thank you again.

  18. #33 by Lorenzo on January 4, 2014 - 7:14 am

    Thanks for the great guide!
    What if I want to run the E-Mail Server and access it through Secure IMAP SSL/TLS and SMTP-SSL?
    Do I need additional certificates for those?

  19. #34 by Robert on January 21, 2014 - 11:40 am

    Mike, thank you for posting these instructions. I followed them step by step and was able to get everything working!! I would have never been able to do this without your guide.

    Best regards,