Synology DiskStation and using a custom SSL certificate

The original post can be found here. For archiving purposes and quick access I have copied this to my blog.

Prepare your Synology DiskStation

  • First, create a temporary work folder, for example /usr/local/ssl/, and cd to this location.

SSL certificates are always generated in two steps. First you generate a certificate authority (CA) key and its certificate. Then you use the certificate authority to sign a server certificate. The server certificate is used when the web server starts. The certificate authority certificate (ca.crt) has to be installed on the client PC.

Generation of the certificate authority key

  1. During key generation you have to enter a passphrase, which you will need later to generate the certificates. Generate the key ca.key with the following command (openssl is pre-installed on your Synology):
    openssl genrsa -des3 -out ca.key 1024
  2. Generate the certificate signing request (CSR) for the certificate authority:
    openssl req -new -key ca.key -out ca.csr
  3. Generate the final certificate authority certificate (valid for 10 years):
    openssl x509 -days 3650 -signkey ca.key -in ca.csr -req -out ca.crt

Generation of the server-certificate

  1. Generate the server key:
    openssl genrsa -out server.key 1024
  2. Generate the certificate signing request (CSR). The most important field is the Common Name: it must match your DNS name, for example name.dyndns.org. You can also use wildcards like *.name.dyndns.org.
    openssl req -new -key server.key -out server.csr
  3. Generate the server certificate:
    openssl x509 -days 3650 -CA ca.crt -CAkey ca.key -set_serial 01 -in server.csr -req -out server.crt
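
A pre-install check for the files generated above, as an added example that is not part of the original post. It builds a set with the same command sequence but with 2048-bit keys, SHA-256 and a subjectAltName (1024-bit RSA is below the 2048-bit minimum in current NIST and CA/Browser Forum guidance, and Chrome and Firefox match host names against subjectAltName rather than the Common Name), then verifies the chain, the key match, the name and the key size. Assumptions: the function names, subject strings and temporary directory are made up for the example, and the CA passphrase is left out so it runs unattended.

```sh
#!/bin/sh
# Added example. Constructed values: subject strings, DNS name, temp directory.

# Build a CA and a server certificate for DNS name $2 in directory $1.
# Same command sequence as the page, with 2048-bit keys, SHA-256 and a SAN.
make_cert_set() {
    ( cd "$1" || exit 1
      printf 'basicConstraints=critical,CA:TRUE\n' > ca.ext
      printf 'subjectAltName=DNS:%s\n' "$2" > server.ext
      openssl genrsa -out ca.key 2048 2>/dev/null &&
      openssl req -new -key ca.key -subj "/CN=Constructed Home CA" -out ca.csr &&
      openssl x509 -req -sha256 -days 3650 -signkey ca.key -in ca.csr \
          -extfile ca.ext -out ca.crt 2>/dev/null &&
      openssl genrsa -out server.key 2048 2>/dev/null &&
      openssl req -new -key server.key -subj "/CN=$2" -out server.csr &&
      openssl x509 -req -sha256 -days 3650 -CA ca.crt -CAkey ca.key \
          -set_serial 01 -in server.csr -extfile server.ext -out server.crt 2>/dev/null )
}

# Return 0 only if the files in directory $1 are consistent for DNS name $2.
check_cert_set() {
    d=$1
    # 1. server.crt must chain to ca.crt.
    openssl verify -CAfile "$d/ca.crt" "$d/server.crt" >/dev/null 2>&1 ||
        { echo "FAIL: server.crt is not signed by ca.crt"; return 1; }
    # 2. server.key must be the private key for server.crt (compare public keys).
    crt_pub=$(openssl x509 -in "$d/server.crt" -noout -pubkey | openssl sha256)
    key_pub=$(openssl pkey -in "$d/server.key" -pubout 2>/dev/null | openssl sha256)
    [ "$crt_pub" = "$key_pub" ] ||
        { echo "FAIL: server.key does not match server.crt"; return 1; }
    # 3. The DNS name must be in subjectAltName, not only in the Common Name.
    text=$(openssl x509 -in "$d/server.crt" -noout -text)
    echo "$text" | grep -qF "DNS:$2" ||
        { echo "FAIL: $2 missing from subjectAltName"; return 1; }
    # 4. The server key must be at least 2048 bits.
    bits=$(echo "$text" | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p' | head -n 1)
    [ "${bits:-0}" -ge 2048 ] || { echo "FAIL: ${bits:-?}-bit key"; return 1; }
    echo "OK: certificate set is consistent for $2"
}

# Demo in a throwaway directory.
tmp=$(mktemp -d) && make_cert_set "$tmp" name.dyndns.org &&
    check_cert_set "$tmp" name.dyndns.org
rm -rf "$tmp"
```

To check your own files, call `check_cert_set /usr/local/ssl name.dyndns.org` before the installation steps.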

Installing the files

  1. Change into the Synology certificate folder:
    cd /usr/syno/etc/ssl
  2. Make a backup folder for the old files:
    mkdir bak
  3. Copy the old files into the backup folder:
    cp -r ssl.crt bak
    cp -r ssl.csr bak
    cp -r ssl.key bak
  4. Move the new files to the certificate folder:
    mv /usr/local/ssl/ca.crt ssl.crt
    mv /usr/local/ssl/server.crt ssl.crt
    mv /usr/local/ssl/ca.csr ssl.csr
    mv /usr/local/ssl/server.csr ssl.csr
    mv /usr/local/ssl/ca.key ssl.key
    mv /usr/local/ssl/server.key ssl.key
  5. The ca.crt has to be installed on the client workstations. For this we copy the file into the folder public.
    cp /usr/syno/etc/ssl/ssl.crt/ca.crt /volume1/public
  6. Restart your Synology Station

Installation of the certificate on the client workstation

Finally, the certificate has to be installed on the client workstations as a trusted certificate authority. Copy the file ca.crt to the client PC. Install it from Windows Explorer with right-click -> Install Certificate.

Restoring certificates

In case something goes wrong, Synology has supplied an easy way, not to restore the old certificates, but to create a new, working set. This should get the certificates working again if importing certificates from the web manager has failed. If you need a telnet or ssh client, use PuTTY.

  • Log in as root, using the admin user's password, to the Synology NAS drive using telnet or ssh and type the following at the command prompt:
    cd /usr/syno/etc/ssl/
    ./mkcert.sh
  • Allow the script to finish, and type reboot at the prompt.
  • After a while the NAS drive should have rebooted, and everything should be fine again.