Knowledge Base

How to enable HTTPS and create a certificate signing request on Synology NAS

Overview

In some situations, HTTPS (HyperText Transfer Protocol Secure) can be used to encrypt and secure network communication between your Synology NAS and other devices, providing protection against eavesdropping or man-in-the-middle attacks. In addition, to ensure network communicate is truly secure, Synology NAS also includes easy-to-use tools to create self-signed certificates or certificate signing requests (CSR).

This article provides instructions to enable HTTPS on your Synology NAS, as well as the basic steps to create a certificate signing request in order to obtain a third-party, digital identity certificate.

Contents

  1. Before you start
  2. Why use HTTPS?
  3. Enable HTTPS
  4. Create certificate signing request and import a signed certificate

1. Before you start

  • To finish the second section of this tutorial and obtain a signed certificate from a certificate authority, you'll need a registered domain name, such as example.com.

Return to top

2. Why use HTTPS?

Some organizations (e.g. banks, government institutions, email services) implement HTTPS and digital identity certificates to make sure sensitive data (e.g. passwords, credit card information) is encrypted and secure when transferred over the Internet or other networks. HTTPS encrypts the data when transferred between the organization's server and the user's computer, thus ensuring malicious third-parties cannot intercept and view the transferred data. Certificates authenticate the entity of the organization's server, allowing the user's computer to know whether or not the server truly belongs to the organization.

If a website is secured with HTTPS and possesses a trusted certificate, a green lock usually appears in most browsers.

Return to top

3. Enable HTTPS

  1. Log in to DSM using an account belonging to the administrator group.
  2. Go to Main Menu > Control Panel > Network > DSM Settings.
  3. Tick the Enable HTTPS connection box and then click Apply.
  4. If you would like to automatically redirect all HTTP connections to HTTPS, you can tick the Automatically redirect HTTP connections to HTTPS (Web Station and Photo Station excluded) box, and then click Apply.
  5. Wait a moment while the Synology NAS restarts network settings.
  6. Once the settings have been applied, you can connect to DSM via HTTPS. Open a browser and enter https://yourdomainname:5001, where "yourdomainname" is the server name or registered domain name used for accessing the Synology NAS.
  7. Note: A port access number must be entered to connect via HTTPS. By default, the port used for HTTPS is 5001. If you have enabled the option to automatically redirect to HTTPS, then entering the port number is not necessary as it will redirect automatically.

Return to top

4. Create certificate signing request and import a signed certificate

When connecting to the Synology NAS via HTTPS, you'll probably encounter a warning screen similar to the one below. This warning appears because the web browser requires a third party certificate to verify the identity of the Synology NAS, but the browser doesn't trust the default certificate used by the Synology NAS.

Note: The above warning screen was produced on Google Chrome.

The above warning can be avoided by adding the domain as a security exception, allowing you to access DSM normally. However, to verify the identity of the Synology NAS and ensure the connection is truly secure, you'll need to obtain a third-party certificate from a trusted certificate authority.

If you'd like to obtain a third-party certificate for your Synology NAS, please make sure you have a registered domain name and money for any expenses required by the certificate authority.

To create a certificate signing request (CSR):

  1. Some certificate authorities might require a certificate signing request (CSR) when you apply for a certificate. If so, you can easily create one. Go to Control Panel > Security > Certificate.
  2. Click Create certificate.
  3. Select Create certificate signing request. Then click Next.
  4. Fill in your information for the certification signing request. Once all the information is entered, click Next.
    • Enter the domain name for accessing your Synology NAS in the Common name field.
    • Enter the email address for the domain name in the Email field.
  5. The system will create a certificate signing request. Once finished, click Download.
  6. A file called archive.zip will be downloaded to your computer. It should contain two files -- server.csr and server.key. Keep both of these files in a safe place on your computer.
  7. At this point, you can use the server.csr file to apply for a signed certificate from a third-party certificate authority. The procedure and expenses required will differ depending on the certificate authority. For more information, please consult the certificate authority directly.

To import signed certificate into DSM:

  1. After successfully obtaining a signed certificate from a certificate authority, go to Control Panel > Security > Certificate and click Import certificate.
  2. On the Import Certificate screen, click browse and import the following files.
    • Private Key: Select the server.key file that you saved on your computer earlier
    • Certificate: Select the signed certificate that you received from the certificate authority. The file name should be something like server.crt or yourdomainname.crt.
    • Intermediate Certificate: This field is optional. If the certificate authority provided an intermediate certificate, please import it here.
  3. Click OK, and the signed certificate should be successfully imported.
  4. Note: Remember to keep your private key and certificate files in a safe place. These files might be needed when updating or changing servers.

Return to top

Tags :
Security
Is this information useful for you? Yes No

Need technical support? Submit Support Form