Synology SSL Certificate Setup for GoDaddy
Synology remote access requires a key component called a SSL certificate for securing your data. Webpage warnings can be avoided by adding the domain as a security exception, allowing you to access DSM normally. However, to verify the identity of the Synology NAS and ensure the connection is truly secure, you will need to a third-party certificate from a trusted certificate authority. The less secure alternative is a self signing cert. Below is instructions for a third-party certificate authority such as GoDaddy.
Looking for a DDNS certificate?
How do I obtain a certificate from Let’s Encrypt on my Synology NAS? – Synology Knowledge Center
Before You Begin
Make sure you go into GoDaddy, register a domain name, and setup a A record that points to the Synology Diskstation WAN IP address.
To obtain a third-party certificate for your Synology NAS, please make sure you have a registered domain name. You must also pay any expenses required by the certificate authority.
Pro Synology IT Support Tip!
- The preliminary information here is for GoDaddy FQDN setup. Already done all this and waiting for an email? Note: A CSR must be generated through DSM for GoDaddy to send that email.
- FQDN and CSR generated through DSM?? Go to the section for “Waiting for an email”
- Scroll down to GoDaddy Specifics for importing the CSR file that you received from the Synology.
- Scroll down “Synology SSL Certificate Setup for GoDaddy Summary” after you have received the certificate files from GoDaddy
Additional Resources: Accessing a Synology remotely so you can work from home
- A best practice guide for setting up remote access for under 10 user environments.
- Note: It does not include steps for VPN or port forwarding
- Synology Ports for Remote Accessibility
- Synology SSL Certificate Setup
- Certificate issues and hosting a Synology with a Dynamic WAN IP
- Cloud Station Support, DS Cloud Setup for Computer and Phone
Certificate Setup:
- Note the import cert is as below. They are the .key and gd issued crt, and you need the gd1 intermediate bundle.
- On the Import Certificate screen, click browse and import the following files.
Private Key: Select the server.key file that you saved on your computer earlier
Certificate: Select the signed certificate that you received from the certificate authority. The file name should be something like server.crt or yourdomainname.crt.
Intermediate Certificate: This field is optional. If the certificate authority provided an intermediate certificate, please import it here
Note: Show file extensions in Windows file explorer to help differentiate between files.
Get the CSR
ProTip! Backup CSR to safe and secure place for annual certificate renewal. Make sure this is documented!
1. Download server.csr to your computer. *Save the Synology Zip as Synology_CSR.zip
2. Open server.csr with text editor and copy the text
3. At this point, you can use the server.csr file to apply for a signed certificate from a third-party certificate authority. The procedure and expenses required will differ depending on the certificate authority. For more information, please consult the certificate authority directly.
Obtain a Certificate for Third Party (***GoDaddy Specifics***)
Contact GoDaddy at 1 (480) 505-8877 for purchasing a standard SSL certificate. Then go to the following link to complete the setup. https://certs.godaddy.com/
Take the CSR (created by your Synology device) to a Certificate Authority (CA) such as Godaddy.
Purchase a SSL Certificate (CRT).
Request or generate the CRT; you will need your CSR (from Synology Control Panel – Certificate).
Godaddy requires that you request the CRT and will prompt you for your CSR. Paste (open using notepad and include dashes/everything) in the text from the server.csr
Illustrated GoDaddy Certificate Setup
Godaddy has a certificate manager page when you log in to your account on their website.
https://certs.godaddy.com/
Note: Are you troubleshooting your current Synology SSL Certifcate setup? Make sure you setup your common name correctly so it shows diskstation or dsm.domainname.com.
1) Open CSR file created in Synology in notepad
Select all and copy
ProTip! Want to check to confirm if your CSR file has the correct information? ie common name, etc
Paste into this tool… https://www.sslshopper.com/csr-decoder.html (make sure you hit enter a couple times after pasting into the file to verify the contents)
2) Paste the entire note pad text from the CSR file
3) Choose this option if hosting your own server or Synology. VERY IMPORTANT STEP!!! See illustration.
*
Make sure it has the correct common name you inserted at the creation of the CSR on the Synology.
https://dsm.yourdomainname.net
Wait for the Email
Wait for the email… And download the file.
After receiving GoDaddy or third party SSL Certificate… Select Add a new certificate. Then click Next. See “To Import Signed Certificate into DSM”
Note: Show file extensions in Windows file explorer to help differentiate between files.
- server.key (from Synology CSR, not the latest download from GoDaddy_
- Note: The Synology will state “Illegal private key” if you import server.csr file instead of server.key
- Certificate enter location of domain.crt (not the “bundle.crt”) you received from GoDaddy
- Intermediate certificate enter location of the gd_bundle.crt you received from GoDaddy
I still receive a receive a certificate error after I have successfully setup the DSM certificate and confirmed the Godaddy settings
Make sure the new domain cert is the default cert. You can select "configure" in the new certificate to set the new certificate as the default certificate.
Synology SSL Certificate Setup for GoDaddy Summary
Make sure you have the correct common name. ie diskstation.domainname.com It may show up under the key but there may be an extra step to enter the FQDN.
Download the CRT.
*This is either through an email or DNS text record edit.
You may receive some additional files, but the CRT is the one that you really need.
The files may be zipped. If so, expand the files.
Download the server.key you created earlier to your computer. *GoDaddy account retains zip for the length of certificate
Log in to DSM->Control Panel->Network->DSM Settings->HTTP Service Tab
Click enable HTTPS connection
Click Add and Import certificate
Private key enter location of server.key
Certificate enter location of domain.crt (not the “bundle.crt”) you received from GoDaddy
Intermediate certificate enter location of the gd_bundle.crt you received from GoDaddy
Click OK
Click Apply
Now it’s associated with your domain name. Please point your DNS to the Synology to take advantage of the 3rd party SSL certificate. ie diskstation.yourdomainname.com
Annual SSL Certificate Renewal
You will have to download the new files and upload to the certificate authority before the certificate is renewed. You can find this process listed here:
https://www.synology.com/en-us/knowledgebase/DSM/help/DSM/AdminCenter/connection_certificate
ProTip! You will need to the original CSR file from the Synology for this process to be successful.
The private key is a .key file that was created when you setup the certificate on the Synology unit. You just have to find that archive.zip from when this was created and then use that private key. That Private key is the key that is used to authenticate your setup.
The remaining files are downloaded from GoDaddy. Godaddy has a certificate manager page when you log in to your account on their website.
https://certs.godaddy.com/
It’s SSL certificate renewal time – What if I lost the CSR (the private key) file from Synology?
ProTip! Did you really lose the file? Search your hard drive first for a CSR (Cerficate Signing Request) before getting messy with the deletion of the certificate setup. Here’s the search command… C:\>dir /s *.csr
Can’t find the CSR?
You will have to delete the current certificate, and recreate it, then set it up through GoDaddy and get the new documents with the new private key. Sadly, without that key file, that is what authorizes you to be able to use the certificate, and to renew it manually that would be required.
Third party or GoDaddy replacement SSL certificate section is known as “ReyKey and Manage”
