
Installing SSL certificates on a Synology NAS

Posted: Wed Jun 29, 2022 11:08 am
by steven
Synology has an easy method to install certificates. I have found this method easier to use and certificates are not affected by upgrades, as can happen if you place them in the wrong place during a manual installation. Note these instructions apply to certificates you purchase from a third-party vendor. If you are renewing a self-signed certificate, simply right-click the certificate and click to renew.

To install a new certificate you must create a CSR (certificate signing request). The request will contain your domain name, location, an encrypted key matching your encrypted server key and other site information required to obtain an SSL certificate.

Log in to your NAS and select Control Panel, then select Security.
 
At the top, select the Certificate tab.
 
On this screen select Settings.
 
When the popup screen appears select Advanced and then select Ok.
 
Click the Create certificate signing request (CSR) button.
 
On this screen populate the information required to create the CSR.
 
Private key length - 2048 (generates 256bit encryption keys)

Common name - This must match the registered domain name.
For example, if your domain name is www.example.com and you use example.com, the site will not be secure and you will get a warning when visiting the site. The domain name and common name must match exactly.
Some certificates support both www and non-www domains. Verify this with your SSL vendor before creating the CSR.

Email - This is the email address that is registered to the domain.

State/Province - This is the location used for the mailing address.

City - This is the city name used for the mailing address.

Organization - The name of your company. If you do not have a company you can use a name like the domain minus the extension.

Department - This is a department within your company. If you do not have a company department you can use marketing, sales, research etc.

After populating these fields click next.
 
Select download to save your CSR.
 
The saved file is named archive.zip and contains two files.

The first file is server.csr, which contains the code for the certificate signing request. The contents of this file are pasted into the certificate vendor's web page form or sent to the certificate vendor you have chosen.

The second file is server.key and contains a unique key for your server. DO NOT send this file to the certificate vendor or anyone else.

Depending on the type of certificate you purchased, it can take a few minutes or sometimes longer to email your certificate. You may be required to respond to an email or complete a more detailed method to verify site ownership. Your domain must be registered before a third-party certificate is issued.

Once you receive the new SSL certificate, you must create three files. The first is the server certificate which we will name cert.pem. Your SSL vendor may or may not include information defining each section. If they included that information, follow their directions.
Using Notepad++ or another text editor, open the certificate file you received from the SSL vendor. The file will contain at least two sections. The first section is the server certificate. Make sure you include the beginning and ending line statements.

-----BEGIN CERTIFICATE-----
(base64-encoded server certificate data)
-----END CERTIFICATE-----


Copy ALL information in this first section and paste it into the text editor. Then save the file as cert.pem.

The next section is the intermediate certificate. Depending on how the certificate is issued, the intermediate or CA chain may have additional sections. If the vendor's SSL certificate file has more than two sections the second section is the intermediate certificate and the third section is usually the CA root certificate. Online articles have different opinions about installing the root certificate. Some recommend installing the root certificate. However it is not necessary if you are using a trusted CA vendor. To learn more about certificates, KEYFACTOR provides some good general information. To learn specific information about TLS (Transport Layer Security), please refer to the TLS Standard.

To install the intermediate certificate copy the second section to the text editor including the beginning and ending line statements. Then save the file as chain.pem.

The example below shows the file content to install the intermediate certificate.

-----BEGIN CERTIFICATE-----
(base64-encoded intermediate certificate data)
-----END CERTIFICATE-----


A CA root certificate is not required unless you are using a custom certificate that may not be listed in the certificate trust store. In this case you will need to install the CA root certificate to allow users to connect securely. If your SSL certificate requires including the CA root certificate, copy both the second and third sections to the text editor including the beginning and ending line statements. Then save the file as chain.pem.

The example below shows the file contents to install both the intermediate and CA root certificates.

-----BEGIN CERTIFICATE-----
(base64-encoded intermediate certificate data)
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
(base64-encoded CA root certificate data)
-----END CERTIFICATE-----


Last open the server.key file created when you generated the CSR. Copy and rename this file to privkey.pem. Once these files are created move them, along with the original CSR file, into a secure folder on a local drive and make sure you add a text info file so you know the domain they are for along with the creation date. If you add multiple certificates, this will help identify the certificate should you need to replace it.

Install the certificate files on your NAS as follows:
Open the control panel and select security and then select certificate.
Select Add.

 

If you are not replacing an existing certificate, select Add new certificate. This creates a new certificate in addition to any existing certificates you may have.

 

If you are replacing an existing certificate, select Replace an existing certificate. This will transfer configuration settings for the existing certificate to the new certificate. DO NOT forget to select the certificate you want to replace because the certificate shown in the box will be replaced. If you select the wrong certificate there is no UNDO and you will have to reinstall the certificate that was overwritten.
Select Next.

 

Here you add a description and have the option to make the SSL certificate the default. The default certificate is assigned to new web service portals.
Since you already created the necessary files click Next to start importing the new certificate.

 

Select next and the import certificate window appears.

 

On the Private key line select Browse. This opens your file explorer so you can locate and select the privkey.pem file you saved earlier.

On the Certificate line select Browse. Locate and select the cert.pem file you saved earlier.

On the Intermediate certificate line select Browse. Locate and select the chain.pem file you saved earlier.

 

Once all fields are populated select OK.

After a few seconds, if you performed all operations correctly, the certificate will install. If it does not install and you get an error, check the cause of the error and, if necessary, recreate the three PEM files, making sure you are using the correct code for each file. If the error is the intermediate certificate and there are two sections, they may need to be reversed. (I did not have to reverse them when I installed certificates.)

Once the certificate is installed you can go to settings and configure the new certificate. If you replaced a certificate you do not need to do anything as it will show the certificate attached to that domain.

 

Last you can verify the certificate is installed correctly using an online checker like Qualys SSL Checker, which gives the best information.
You can also use SSL Certificate Checker or Ionos SSL checker.
If the root certificate is not installed and the CA is trusted, SSL Certificate Checker will not display an error but indicates the root certificate is missing. This occurs because SSL Certificate Checker does check the trust store.
If the root certificate is not installed and the CA is trusted, Ionos SSL checker reports that the certificate was installed correctly. However, if the root certificate is installed and the CA authority is trusted, Ionos will display a warning: "For best practices, remove the self-signed root from the server."

Remember it is the user's browser that accepts or rejects the SSL certificate so make sure you obtain your certificate from a trusted CA authority.
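
The manual split of the vendor file into cert.pem and chain.pem described above can also be scripted. This is an added example, not part of the original post: the function names and sample data are constructed, and it assumes the vendor file is ordered server certificate, intermediate, then root as the post describes.

```python
import base64
import re

PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----(.*?)-----END \1-----", re.DOTALL)


def to_pem(der):
    """Re-encode DER bytes as a PEM block with 64-character lines."""
    b64 = base64.b64encode(der).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return ("-----BEGIN CERTIFICATE-----\n" + "\n".join(lines)
            + "\n-----END CERTIFICATE-----\n")


def split_bundle(bundle_text, include_root=False):
    """Return (cert_pem, chain_pem) from the vendor's certificate file."""
    certs = []
    for label, body in PEM_BLOCK.findall(bundle_text):
        if "PRIVATE KEY" in label:
            raise ValueError("private key found; it belongs in privkey.pem only")
        if label != "CERTIFICATE":
            continue
        # Strip CRLF/whitespace left by the editor, then reject damaged base64.
        der = base64.b64decode("".join(body.split()), validate=True)
        if der[:1] != b"\x30":  # every X.509 certificate is a DER SEQUENCE
            raise ValueError("section %d is not DER data" % (len(certs) + 1))
        certs.append(to_pem(der))
    if len(certs) < 2:
        raise ValueError("expected a server certificate and an intermediate")
    # Assumption (the post's layout): 1 = server, 2 = intermediate, rest = root.
    chain = certs[1:] if include_root else certs[1:2]
    return certs[0], "".join(chain)


def sample_block(n):
    """Constructed placeholder: DER SEQUENCE { INTEGER n }, not a real certificate."""
    return to_pem(b"\x30\x03\x02\x01" + bytes([n]))


# Constructed vendor file with CRLF line endings, as saved from a Windows editor.
SAMPLE = "".join(sample_block(n) for n in (1, 2, 3)).replace("\n", "\r\n")

if __name__ == "__main__":
    cert_pem, chain_pem = split_bundle(SAMPLE)
    for name, text in (("cert.pem", cert_pem), ("chain.pem", chain_pem)):
        with open(name, "w", newline="\n") as fh:
            fh.write(text)
        print(name, text.count("BEGIN CERTIFICATE"), "section(s)")
```

Pass `include_root=True` only when the certificate requires the CA root in chain.pem, as discussed above.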