Installing an SSL certificate on Synology NAS

The purpose of this article is to describe the SSL installation process on a Synology NAS server and point out the possible issues with it.

Pre-requisites

Before you install an SSL certificate on your Synology NAS, you need to generate a Certificate Signing Request (CSR code) and activate the certificate.

The following settings should also be configured on the server side.

  • You need to own a domain name which can be assigned to your Synology DDNS service*, since the SSL certificates offered on our website can only be issued for a FQDN (fully qualified domain name).
    * the DDNS service is offered for free for Synology users here.
  • Set up your DDNS service before you go to the next step.
  • Then, a CNAME DNS forwarder from the domain or subdomain (yourdomain.com) to the DDNS service (such as name.synology.me) should be added:

    • Log in to your cPanel;
    • Find the Domains box and click on Advanced DNS Zone Editor;


    • Under Add a Record, fill in each box with your own information. There should be a domain name in the Name field and the Synology NAS hostname in the CNAME field. Then click on Add Record;


    • Please make sure Port Forwarding has been configured on your router.

SSL installation


Note: The instructions are written for DSM 5.0 and higher. Only models from 2009 and earlier cannot update to the latest DSM, so for models manufactured in the past 5 years an update to the latest DSM is recommended.

Once the certificate is issued, you will receive an email from the Certificate Authority containing the SSL certificate files. Now you are ready to import the trusted certificate to your Synology server using the steps below.

  1. Navigate to Synology > Control Panel > Security > Certificate and click on Import Certificate.


  2. Browse and import the following files for each field:

    Private Key - server.key.
    Certificate - domain_com.crt (received from the CA .zip file in email).
    Intermediate certificate - CA Bundle (.ca-bundle) file from the fulfillment email.

    Note: The certificate files can also be downloaded in your Namecheap account.
    Note: In this guide we are using a PositiveSSL certificate as an example. The installation will be the same for other SSL types with different CA Bundles.

    PositiveSSL RSA Bundle contains:
    Sectigo RSA Domain Validation Secure Server CA [ Intermediate ]
    USERTrust RSA Certification Authority [ Cross Signed ]

    PositiveSSL ECC Bundle contains:
    Sectigo ECC Domain Validation Secure Server CA [ Intermediate ]
    USERTrust ECC Certification Authority [ Cross Signed ]

  3. Once the files are browsed, click OK.


  4. Note: Please use the decrypted Private key file; there may be issues during the process if you use the encrypted one. Presumably, these issues may occur with outdated versions of the Synology server, which is why Synology highly recommends using the latest version. At the time this article was written, that was DiskStation Manager 5.1 (DSM 5.1).

    Invalid cipher type error

    There are a few more possible issues during the installation process, and one of them is the Invalid cipher type error.

    The error may pop up if the Private key file does not have RSA in its header (it has -----BEGIN PRIVATE KEY----- and -----END PRIVATE KEY----- instead of -----BEGIN RSA PRIVATE KEY----- and -----END RSA PRIVATE KEY-----).

    Solution: Modify the file in a text editor.

    Illegal certificate error

    The Illegal certificate error may appear when importing the certificate. The reason is typically that the .zip archive was opened in a text editor without unzipping, so some text is left before the -----BEGIN CERTIFICATE----- header.

    Solution: Unzip the archive and open certificate files one by one with a text editor.

  5. The Synology web server will now restart, which should only take a few seconds. The Control Panel Certificate page will then show the installed certificate.

    Once the certificate is installed, all should be clear.

    Common name mismatch error

    Please ensure that a CNAME record was created for the domain and not just a URL redirect from name.synology.me. With a redirect, the common name of the certificate does not match the domain in the URL, and you may get a Common name mismatch error in the browser when you try to connect to your Synology via https://.

    Solution: Create a CNAME for the domain.

    Now that the certificate is installed, simply try to access your NAS using your domain/subdomain (e.g. https://yourdomain.com). No warnings and a padlock icon in the address bar prove that the connection is now secured by a trusted SSL certificate. You can also test the SSL installation via this online tool.
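
A pre-import check for the three files from step 2, added here as an example (it is not Namecheap's or Synology's code): it flags the conditions this article ties to the decrypted-key note and to the Invalid cipher type and Illegal certificate errors. The function names are assumptions, and the sample PEM bodies are constructed placeholders, not real key material.

```python
from __future__ import annotations
import re

# One PEM block: label on the BEGIN line, body up to the matching END line.
PEM = re.compile(rb"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)-----END \1-----", re.S)
ZIP_MAGIC = b"PK\x03\x04"  # first bytes of a .zip archive


def check_private_key(data: bytes) -> list[str]:
    """Problems in the file chosen for the Private Key field."""
    m = PEM.search(data)
    if m is None:
        return ["no PEM private key block found"]
    label, body = m.group(1).decode(), m.group(2)
    if label == "ENCRYPTED PRIVATE KEY" or b"Proc-Type: 4,ENCRYPTED" in body:
        return ["key is encrypted: import the decrypted key"]
    if label == "PRIVATE KEY":
        return ["header has no RSA: expect 'Invalid cipher type'"]
    if not label.endswith("PRIVATE KEY"):
        return [f"not a private key (found {label})"]
    return []


def check_certificate(data: bytes) -> list[str]:
    """Problems in a file chosen for the Certificate or Intermediate field."""
    if data.startswith(ZIP_MAGIC):
        return ["this is the .zip archive itself: unzip it first"]
    certs = [m for m in PEM.finditer(data) if m.group(1) == b"CERTIFICATE"]
    if not certs:
        return ["no -----BEGIN CERTIFICATE----- block found"]
    if data[: certs[0].start()].strip():
        return ["text before the header: expect 'Illegal certificate'"]
    return []


def preflight(key: bytes, cert: bytes, bundle: bytes) -> dict[str, list[str]]:
    """Check the three files from step 2; an empty list means nothing found."""
    return {"Private Key": check_private_key(key), "Certificate": check_certificate(cert),
            "Intermediate certificate": check_certificate(bundle)}


def sample_pem(label: bytes, body: bytes = b"Q09OU1RSVUNURUQ=") -> bytes:
    """Constructed sample: PEM armor around a placeholder body, no real key."""
    return b"-----BEGIN %s-----\n%s\n-----END %s-----\n" % (label, body, label)

if __name__ == "__main__":
    cert = b"Order details (constructed)\n" + sample_pem(b"CERTIFICATE")
    for field, problems in preflight(sample_pem(b"PRIVATE KEY"), cert, sample_pem(b"CERTIFICATE")).items():
        print(f"{field}: {problems or 'ok'}")
```

Where the check flags a missing RSA header, `openssl rsa -in server.key -out server_rsa.key` rewrites the key in the BEGIN RSA PRIVATE KEY format (OpenSSL 3.x needs the extra `-traditional` flag); server_rsa.key is an assumed output name.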
