Advertisements

StartSSL SSL Certificate on Synology NAS using subdomain

This will explain how to generate and install SSL certificates on your Synology NAS to get rid of the pesky SSL certificate errors. I’ll be explaining specifically how to generate and install from StartSSL, who gives out free SSL certificates.

First, you will need to own or control a domain name, and have a subdomain set up and CNAME pointed to your Synology NAS’s IP address. You can find a walkthrough on how to set that up by reading this article. If you are having trouble with certificate domain mismatches, make sure you have read this article first: Synology DiskStation on a subdomain with dynamic IP address.

Once that’s set up, head over to StartSSL and follow the steps outlined below to validate a domain name and generate an SSL certificate.

Validate a domain name

Select the Validations Wizard and choose type Domain Name Validation

select_domain_validation

Enter the domain name you wish to validate, and continue. You are validating only the base domain name.

domain-name-validation

Select an email address to which the validation code will be mailed to, and then continue.

select-verification-email

Enter the validation code you received via email, and continue.

complete-validation-code

Generating your SSL certificate

After verifying your domain ownership, you can now generate the SSL certificate.

Select Certificates Wizard and choose Web Server SSL/TLS certificate, as in the image below.

web-server-ssl-cert

Generate a private key by inputting a password of at least 10 characters, choosing your key length, and selecting SHA1.

On the next screen, you will be given your generated, encrypted, private key with instructions to save it to a file called ssl.key, and what to do with it. For now, just create a new text file on your desktop, call it “encrypted_ssl_key” (or whatever), and hang on to it for later. I’ll explain what to do with it in a few more steps.

save-private-key

Next, you’ll be prompted to add a verified domain to your SSL cert. Choose the previously validated base domain.

add-domains

Next, you’ll be prompted to enter a subdomain to add to the certificate. This is where you enter your NAS’s subdomain. For example, if your root domain is example.com, and your NAS is accessible via myds.example.com, enter myds.

The ready processing certificate screen will show next, and should include both your base domain name and the subdomain, like this following image.

ready-processing

The following screen will appear, and prompt you to save the certificate, as well as the intermediate certificates, which you will need for the Synology NAS. Save the certificate in a file called ssl.crt as instructed. Hold on to both it, and the two downloaded intermediate certificates for the following steps.

save-cert

Decrypt the private key

One more step before we install the certs onto the NAS box. Head over to the StartSSL toolbox and click on Decrypt Private Key.

decrypt-private-key

In the top box, paste the saved encrypted private key that you generated and named “encrypted_ssl_key” (or whatever). In the Passphrase box, enter the 10-character-or-so password that you set on it, and click decrypt. Save the decrypted key to a file called ssl.key.

Installing the SSL certs

Now we’re ready to install the SSL certs onto the Synology NAS. Log in as admin and head to Control Panel > Web Services. Click the HTTP Service tab and click Import Certificate.

For each of the following select the corresponding files

Private Key: Your decrypted ssl.key file

Certificate: Your ssl.crt file

Intermediate certificate: The sub.class1.server.ca.pem intermediate certificate you downloaded.

(If you forgot to download the intermediate certificates, you can get them again by following this link.)

Click ok, and you should see Restarting Web Server, like so

syno-import-cert

Assuming all went well, you should be able to go to the subdomain and see a good SSL certificate lock icon, like so in Chrome

identity-verified

Questions, comments, or otherwise, please feel free to share them in the comments below. Thank you!

Advertisements

, , , ,