Installing an SSL / TLS certificate on NAS Synology
These instructions will show you a simple procedure on how to install an SSL/TLS certificate on your Synology NAS, or to any NAS or network storage. You will use the certificate for both administration security, communication with the NAS, and data transfer to the NAS and its web services.
General procedure to enable and install an SSL certificate on a NAS
You need two keys for the SSL certificate to work - private and public. You need to create the private key before requesting the certificate (CSR); the public key will then be received by the certification authority in your CSR and inserted into the future SSL certificate.
The main difficulty for NAS and network devices is creating a CSR. Not every device has a wizard to create a CSR and therefore it expects the already completed SSL certificate and private key to be imported.
CSRs can be created in various ways and in the next paragraph, you will find the simplest ones.
Creating a private key and CSR
You can create a certificate request in different ways; I always recommend creating a private key and CSR on an NAS or locally; under no circumstances use web services that generate a private key and CSR. If you did, you could never be sure that no one else would have your private key.
Creating a private key and CSR in OpenSSL
If you have a computer or server with Linux or another Unix system on hand, there will be OpenSSL in the system. With its help, you can create a private key and CSR in two steps. The advantage is clear data entry, during which you have everything under control. The output is in our base Base64 format with PEM extension.
Creating a private key in Windows
It is also possible to generate private keys and CSR requests in the Windows operating system, but the system works with their binary formats, which SANs generally do not understand. However, the binary format of the keys can be converted to a text format in OpenSSL. You can find the instructions in the article Basics of working with OpenSSL - export, import, format conversions.
Creating a private key directly in the NAS
Lastly, here is the most suitable procedure from the security point of view: creating a private key and CSR directly in the NAS. If your NAS does not have a modern operating system that allows you to create a CSR in the wizard (see next section), you can generate a private key and a CSR on the server using OpenSSL.
The procedure is the same as in the paragraph above, the only difference is in the connection to the NAS. You do not connect to the NAS via the web interface, but via SSH or telnet. These protocols should be supported by a good NAS. OpenSSL is also available on Synology NAS.
For SSH on Windows, I recommend the PuTTY, with which you will connect to an NAS with SSH access enabled.
You generate the private key with the commandopenssl genrsa -nodes -out server.key 2048
You generate the CSR from the new private key with the command
openssl req -new -key server.key -out server.csr
OpenSSL will ask you for the CSR request details. It is necessary to fill in at least the Common Name, which is the domain you will use for the NAS (e.g. synology.john.com), and Country (e.g. US). You will then insert the created CSR request into the SSLmarket administration.
Certificate installation in an older version of DSM
Older DSM versions should allow the key and certificate to be imported to the NAS, although they may not create a CSR request wizard.
If this dialog is not present on the NAS, a more advanced user can find the default private key and existing NAS certificate and overwrite these files with the new certificate. The new certificate should work after the reboot. The NAS certificate will probably be in the /usr/syno/etc/ssl folder or on /usr/local/ssl/server.
NAS Synology with DSM 7.0
DSM stands for NAS Synology operating system, i.e. the graphical interface in which we manage the NAS and through which you control it on the browser.
Installing an SSL Certificate on Synology
In the current version of DSM 7.0, it is now possible to create a CSR using the wizard. After completing the wizard and generating the CSR, the request is downloaded onto your computer along with the private key. Enter the CSR request into the SSLmarket administration and it will be used to issue the certificate; upload the private key when importing it to the NAS and it will be used together with the certificate.
I recommend backing up the private key in a safe place, but even losing it is not a problem - we will issue the certificate to you again free of charge.
Connecting to NAS
Log in to the NAS first, and then find the Settings (Control Panel) menu and in there, find Security.
Generating CSR in the wizard
If you do not have a CSR request created in advance, you can do so in the wizard, which can be found under Control panel > Security > Certificate > Settings > Advanced > Create certificate signing request (CSR). Here you can create a certificate request (CSR), enter well-known data, select a bit depth of 2048 and generate the request.
Once generated, the request will be downloaded to your computer along with the private key in the ZIP archive. You can back up the private key and then import it together with the SSL certificate from SSLmarket.
SSL certificate and private key import
If you already have an SSL certificate, you can very easily import it. This option is under Security > Certificate -> Add -> Add a new certificate -> Import certificate.
After clicking on import, you insert the 3 individual parts of the certificate. You already have a private key (according to the procedure above), the certificate was sent to you in a text file by SSLmarket.com and you will find the "Intermediate certificate" in the same message as the new certificate. The term Intermediate Certificate refers to Synology Intermediate Certificate, which is required for the certificate to be trusted.
Intermediate certificate (trust certificate) and trustworthiness
If you do not import it, there will be problems with the unknown certificate issuer (especially on mobile phones) and the SSL certificate will not be trusted.
Completion and restart of the NAS
After entering the TLS certificate, the NAS web part will restart and after the restart the new certificate will be used.
We are sorry that you did not find the required information here.
Please help us to improve this article. Write us what you have expected and not found out.