Certificate
A certificate can be used to secure SSL services of the Synology NAS, such as web (all HTTPS services), mail, or FTP. Having a certificate allows users to validate the identity of a server and the administrator before sending any confidential information.
At Control Panel > Security > Certificate, you can do the following:
- Add certificates.
- Delete and edit certificates.
- Export and renew certificates.
- Configure certificates.
- Create certificate signing requests.
Note:
- You can add and import multiple certificates to your Synology NAS.
- If you tick Set as default certificate, the certificate being processed will be used as the default certificate. The original default certificate will lose its default status.
Add Certificates
To import certificates:
You can import a previously exported certificate or a certificate from a commercial or third-party certificate authority, along with a private key, to have your Synology NAS trusted by other devices.
- Click Add.
- Select Add a new certificate and click Next.
- Enter the description for the certificate and select Import certificate. Click Next.
- Follow the wizard's instructions to finish importing the certificate.
Note:
- Intermediate certificates are optional for some certificate authority-issued certificates.
- Certificates must be X.509 PEM or DER format.
- Private keys support both ECC and RSA formats, however, RSA format cannot be passphrase protected.
To get certificates from Let's Encrypt:
You can get free and secure SSL/TLS certificates automatically from Let's Encrypt, an open and well-trusted certificate authority.
- Click Add.
- Select Add a new certificate and click Next.
- Select Get a certificate from Let's Encrypt and click Next.
- Enter the following information:
- Domain name: Enter the domain you have registered from the domain provider.
- Email: Enter the email address used for certificate registration.
- Subject Alternative Name: To allow one certificate to cover multiple domains, enter the other domain names here. You can also apply for a wildcard certificate by entering the domain names of Synology DDNS in the following format:
*.SYNOLOGY_DDNS_DOMAIN_NAME
- Click Done to save the settings. Once confirmed, the certificate will be instantly imported into your Synology NAS.
Note:
- You can only register for certificates from Let's Encrypt with a limited number of email accounts. If the limit is exceeded, use an email account previously registered to get more certificates.
- You can only register for a limited number of certificates per domain from Let's Encrypt. If the limit is exceeded, please do either of the following:
- Enter the current domain name as the Subject Alternative Name (SAN) and use another domain name for the certificate request.
- Enter
*.SYNOLOGY_DDNS_DOMAIN_NAMEas the SAN to apply for a wildcard certificate.
- Let's Encrypt will perform domain validation before issuing certificates for your domains. Please make sure your Synology NAS and router have port 80 open for domain validation from the Internet. All the other communications with Let's Encrypt go over HTTPS and will keep your Synology NAS secure.
- Certificates issued by Let's Encrypt are valid for 90 days. Before the certificates expire, DSM will automatically renew such certificates after successful domain validation. Please make sure your Synology NAS and router have port 80 open for certificate renewal.
- Wildcard certificates are only supported for Synology DDNS.
To replace certificates:
If you do not want to use existing certificates, you can replace them with other certificates.
- Click Add.
- Select Replace an existing certificate, and select the unwanted certificate from the drop-down menu.
- Follow the instructions to finish replacing the certificate.
Delete and Edit Certificates
To delete certificates:
- Select the unwanted certificate.
- Select Delete from the Action drop-down menu to finish deleting the certificate.
Note:
- The default certificate cannot be deleted.
- If you delete a non-default certificate, the default certificate will take over its corresponding services. Please keep in mind that the default certificate may not be fully compatible with these services.
To edit certificates:
You can edit certificate description or set another certificate as the default certificate.
- Select the desired certificate.
- Select Edit from the Action drop-down menu, and you can do either action below:
- Change the certificate description, and click OK.
- Tick Set as default certificate to set it as the default certificate, and click OK.
Export and Renew Certificates
To export certificates:
Existing certificates can be downloaded for management or archival purposes, and they can also be imported into other users' devices to establish trust between your Synology NAS and their devices. The exported file contains the certificate, private key, and self-signed root certificate of the Synology NAS.
- Select the desired certificate.
- Select Export certificate from the Action drop-down menu.
To renew certificates:
When your certificate is about to expire, it can be renewed using this option.
- Select the desired certificate.
- Select Renew certificate from the Action drop-down menu, and click Next. A new private key and certificate signing request will be created.
- Click Renew certificate to retrieve your new private key and certificate signing request. You can use the new signing request to reapply for another certificate authority signed certificate.
Configure Certificates
To configure certificates:
You can change a certificate for a service to another certificate to suit your needs.
- Click Settings and go to the Configure tab.
- You can see all the services and the corresponding certificates.
- Click the current certificate of the targeted service.
- Select the proper certificate from the drop-down menu.
- Click OK.
Note:
- The System Default certificate will apply to the connection that is not on the service list.
To reset certificates:
You can reset to the default Synology certificate. When you do so, all other certificates will be deleted from your Synology NAS.
- Click Settings and go to the Advanced tab.
- Click Reset in the Reset Certificate section.
- Click Yes.
To repair certificates:
When there are errors with a certificate, the services which are registered using such certificate will be inaccessible. Choose from the following options to repair the certificate:
- Apply for a new certificate, such as Let's Encrypt.
- Import the certificate again.
- Change the services' certificate to a different one.
Certificate Signing Requests (CSR)
In addition to certificates issued from Let's Encrypt, you can also apply for certificates from other commercial or third-party certificate authorities. To get a certificate, you may need to do the following:
- Create a certificate signing request (CSR): An encrypted body of text generated by the Synology NAS containing information that will be included in your certificate such as your domain name, organization name, general location, and email address.
- Provide your personal or organization's identification to the certificate authority, and prove you are the owner of the domain name that was entered in the common name field of the certificate signing request.
To create certificate signing requests:
- Click Settings and go to the Advanced tab.
- Click Create certificate signing request (CSR).
- Follow the instructions of the setup wizard to create and download the certificate signing request.
- Send the CSR and required information to the certificate authority for confirmation.
When you receive the requested certificate issued by the certificate authority, you can import it along with your private key.
Note:
- A private key should also be generated along with the certificate signing request. Certificate authorities do not need this private key. Please keep the private key for your Synology NAS safe and secure.