Synology SSL Certificate Setup
Synology SSL Certificate Setup

Synology SSL Certificate Setup for GoDaddy

Synology remote access requires a key component called a SSL certificate for securing your data.  Webpage warnings can be avoided by adding the domain as a security exception, allowing you to access DSM normally. However, to verify the identity of the Synology NAS and ensure the connection is truly secure, you will need to a third-party certificate from a trusted certificate authority.   The less secure alternative is a self signing cert.  Below is instructions for a third-party certificate authority such as GoDaddy.

Looking for a DDNS certificate?

How do I obtain a certificate from Let’s Encrypt on my Synology NAS? – Synology Knowledge Center

Before You Begin

Make sure you go into GoDaddy, register a domain name, and setup a A record that points to the Synology Diskstation WAN IP address.Synology Small Business IT Support

Synology SSL Certificate Setup for GoDaddy

 

 

 

To obtain a third-party certificate for your Synology NAS, please make sure you have a registered domain name. You must also pay any expenses required by the certificate authority.

Pro Synology IT Support Tip!

  • The preliminary information here is for GoDaddy FQDN setup.  Already done all this and waiting for an email?  Note:  A CSR must be generated through DSM for GoDaddy to send that email.

    • FQDN and CSR generated through DSM??  Go to the section for “Waiting for an email”
    • Scroll down to GoDaddy Specifics for importing the CSR file that you received from the Synology.
    • Scroll down “Synology SSL Certificate Setup for GoDaddy Summary” after you have received the certificate files from GoDaddy

Additional Resources:  Accessing a Synology remotely so you can work from home

Certificate Setup:

  • Note the import cert is as below.  They are the .key and gd issued crt, and you need the gd1 intermediate bundle.
  • On the Import Certificate screen, click browse and import the following files.
    Private Key: Select the server.key file that you saved on your computer earlier
    Certificate: Select the signed certificate that you received from the certificate authority. The file name should be something like server.crt or yourdomainname.crt.
    Intermediate Certificate: This field is optional. If the certificate authority provided an intermediate certificate, please import it here

Detailed Certificate Setup Explanation  ***Important, Click Here & Resume w instructions below once you get to third party SSL section***

Note:  Show file extensions in Windows file explorer to help differentiate between files.

Get the CSR

ProTip!  Backup CSR to safe and secure place for annual certificate renewal.  Make sure this is documented!

1.      Download server.csr to your computer. *Save the Synology Zip as Synology_CSR.zip
2.      Open server.csr with text editor and copy the text

3.      At this point, you can use the server.csr file to apply for a signed certificate from a third-party certificate authority. The procedure and expenses required will differ depending on the certificate authority. For more information, please consult the certificate authority directly.

Obtain a Certificate for Third Party (***GoDaddy Specifics***)

Contact GoDaddy at 1 (480) 505-8877 for purchasing a standard SSL certificate.  Then go to the following link to complete the setup.    https://certs.godaddy.com/

Take the CSR (created by your Synology device) to a Certificate Authority (CA) such as Godaddy.
Purchase a SSL Certificate (CRT).
Request or generate the CRT; you will need your CSR (from Synology Control Panel – Certificate).
Godaddy requires that you request the CRT and will prompt you for your CSR. Paste (open using notepad and include dashes/everything) in the text from the server.csr

 

Illustrated GoDaddy Certificate Setup

Godaddy has a certificate manager page when you log in to your account on their website.
https://certs.godaddy.com/

Note:  Are you troubleshooting your current Synology SSL Certifcate setup?  Make sure you setup your common name correctly so it shows diskstation or dsm.domainname.com.

 

 

 

 

 

 

 

Detailed Certificate Setup Explanation  ***Important, Click Here & Resume w instructions below once you get to third party SSL section***

 

Synology CSR Certificate Setup

 

 

 

 

 

 

1) Open CSR file created in Synology in notepad

Select all and copy

ProTip!  Want to check to confirm if your CSR file has the correct information?  ie common name, etc

Paste into this tool…  https://www.sslshopper.com/csr-decoder.html  (make sure you hit enter a couple times after pasting into the file to verify the contents)

Synology CSR Certificate Setup

 

 

 

 

 

2) Paste the entire note pad text from the CSR file

Synology CSR Certificate Setup

 

 

 

3) Choose this option if hosting your own server or Synology.  VERY IMPORTANT STEP!!!  See illustration.

 

Synology CSR Certificate Setup

*

 

 

 

 

 

 

make sure it has the correct common name you inserted at the creation of the CSR on the Synology

 

 

 

 

 

 

 

 

Synology CSR Certificate Setup

 

 

 

 

 

Make sure it has the correct common name you inserted at the creation of the CSR on the Synology.

https://dsm.yourdomainname.net

Synology CSR Certificate Setup

 

 

 

 

 

 

Wait for the Email

 

Wait for the email… And download the file.

After receiving GoDaddy or third party SSL Certificate…  Select Add a new certificate. Then click Next.  See “To Import Signed Certificate into DSM”

Note:  Show file extensions in Windows file explorer to help differentiate between files.

  • server.key (from Synology CSR, not the latest download from GoDaddy_
    • Note:  The Synology will state “Illegal private key” if you import server.csr file instead of server.key
  • Certificate enter location of domain.crt (not the “bundle.crt”) you received from GoDaddy
  • Intermediate certificate enter location of the gd_bundle.crt you received from GoDaddy

Cerificate file

 

 

 

I still receive a receive a certificate error after I have successfully setup the DSM certificate and confirmed the Godaddy settings

Make sure the new domain cert is the default cert.  You can select "configure" in the new certificate to set the new certificate as the default certificate.

Synology SSL Certificate Setup for GoDaddy Summary

 

Make sure you have the correct common name.   ie diskstation.domainname.com   It may show up under the key but there may be an extra step to enter the FQDN.
Download the CRT.
*This is either through an email or DNS text record edit.

You may receive some additional files, but the CRT is the one that you really need.
The files may be zipped. If so, expand the files.

Download the server.key you created earlier to your computer.  *GoDaddy account retains zip for the length of certificate

Log in to DSM->Control Panel->Network->DSM Settings->HTTP Service Tab
Click enable HTTPS connection
Click Add and Import certificate
Private key enter location of server.key
Certificate enter location of domain.crt (not the “bundle.crt”) you received from GoDaddy
Intermediate certificate enter location of the gd_bundle.crt you received from GoDaddy
Click OK
Click Apply

Now it’s associated with your domain name.  Please point your DNS to the Synology to take advantage of the 3rd party SSL certificate.  ie  diskstation.yourdomainname.com

Annual SSL Certificate Renewal

You will have to download the new files and upload to the certificate authority before the certificate is renewed. You can find this process listed here:

https://www.synology.com/en-us/knowledgebase/DSM/help/DSM/AdminCenter/connection_certificate

ProTip! You will need to the original CSR file from the Synology for this process to be successful.

SSL Certificate

 

 

 

 

 

 

 

 

Synology SSL Certificate replacement

 

 

 

 

 

 

 

 

 

 

The private key is a .key file that was created when you setup the certificate on the Synology unit. You just have to find that archive.zip from when this was created and then use that private key. That Private key is the key that is used to authenticate your setup.

https://www.namecheap.com/support/knowledgebase/article.aspx/9834/69/how-can-i-find-the-private-key-for-my-ssl-certificate#snlgns

SSL Certificate private key

 

 

 

 

 

 

 

 

 

The remaining files are downloaded from GoDaddy.  Godaddy has a certificate manager page when you log in to your account on their website.
https://certs.godaddy.com/

It’s SSL certificate renewal time – What if I lost the CSR (the private key) file from Synology?

ProTip!  Did you really lose the file?  Search your hard drive first for a CSR (Cerficate Signing Request) before getting messy with the deletion of the certificate setup.  Here’s the search command…  C:\>dir /s *.csr

Can’t find the CSR?

You will have to delete the current certificate, and recreate it, then set it up through GoDaddy and get the new documents with the new private key. Sadly, without that key file, that is what authorizes you to be able to use the certificate, and to renew it manually that would be required.

Delete synology SSL Certificate

 

 

 

 

 

 

 

 

default synology ssl certificate

 

 

 

 

 

 

 

 

 

Third party or GoDaddy replacement SSL certificate section is known as “ReyKey and Manage”

SSL Certificate ReyKey