How to enable HTTPS and create a certificate signing request on Synology NAS
In some situations, HTTPS (HyperText Transfer Protocol Secure) can be used to encrypt and secure network communication between your Synology NAS and other devices, providing protection against eavesdropping or man-in-the-middle attacks. In addition, to ensure network communication is truly secure, Synology NAS also includes easy-to-use tools to create self-signed certificates or certificate signing requests (CSR).
This article provides instructions to enable HTTPS on your Synology NAS, as well as the basic steps to create a certificate signing request in order to obtain a third-party, digital identity certificate.
- Before you start
- Why use HTTPS?
- Enable HTTPS
- Create certificate signing request and import a signed certificate
- To finish the second section of this tutorial and obtain a signed certificate from a certificate authority, you'll need a registered domain name, such as example.com.
Some organizations (e.g. banks, government institutions, email services) implement HTTPS and digital identity certificates to make sure sensitive data (e.g. passwords, credit card information) is encrypted and secure when transferred over the Internet or other networks. HTTPS encrypts the data when transferred between the organization's server and the user's computer, thus ensuring malicious third parties cannot intercept and view the transferred data. Certificates authenticate the identity of the organization's server, allowing the user's computer to know whether or not the server truly belongs to the organization.
If a website is secured with HTTPS and possesses a trusted certificate, a green lock usually appears in most browsers.
- Log in to DSM using an account belonging to the administrator group.
- Go to Main Menu > Control Panel > Network > DSM Settings.
- Tick the Enable HTTPS connection box and then click Apply.
- If you would like to automatically redirect all HTTP connections to HTTPS, you can tick the Automatically redirect HTTP connections to HTTPS (Web Station and Photo Station excluded) box, and then click Apply.
- Wait a moment while the Synology NAS restarts network settings.
- Once the settings have been applied, you can connect to DSM via HTTPS. Open a browser and enter https://yourdomainname:5001, where "yourdomainname" is the server name or registered domain name used for accessing the Synology NAS.
When connecting to the Synology NAS via HTTPS, you'll probably encounter a warning screen similar to the one below. This warning appears because the web browser requires a third-party certificate to verify the identity of the Synology NAS, but the browser doesn't trust the default certificate used by the Synology NAS.
The above warning can be avoided by adding the domain as a security exception, allowing you to access DSM normally. However, to verify the identity of the Synology NAS and ensure the connection is truly secure, you'll need to obtain a third-party certificate from a trusted certificate authority.
If you'd like to obtain a third-party certificate for your Synology NAS, please make sure you have a registered domain name and money for any expenses required by the certificate authority.
To create a certificate signing request (CSR):
- Some certificate authorities might require a certificate signing request (CSR) when you apply for a certificate. If so, you can easily create one. Go to Control Panel > Security > Certificate.
- Click Create certificate.
- Select Create certificate signing request. Then click Next.
- Fill in your information for the certificate signing request. Once all the information is entered, click Next.
- Enter the domain name for accessing your Synology NAS in the Common name field.
- Enter the email address for the domain name in the Email field.
To import a signed certificate into DSM:
- After successfully obtaining a signed certificate from a certificate authority, go to Control Panel > Security > Certificate and click Import certificate.
- On the Import Certificate screen, click browse and import the following files.
- Private Key: Select the server.key file that you saved on your computer earlier.
- Certificate: Select the signed certificate that you received from the certificate authority. The file name should be something like server.crt or yourdomainname.crt.
- Intermediate Certificate: This field is optional. If the certificate authority provided an intermediate certificate, please import it here.
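Before importing, it is worth confirming that server.key really is the private key behind both the CSR you submitted and the certificate the authority returned, and that the CSR carries the Common name and Email you entered. The script below is an added example, not Synology's own tooling; it assumes the openssl command-line tool is installed on the computer where the files were saved. The file server.csr, the domain nas.example.com, the address admin@example.com and the self-signed server.crt are constructed stand-ins so that the script runs offline.

```shell
#!/bin/sh
# Pre-import checks for server.key, server.csr and the signed certificate.
set -eu

# SHA-256 of the PEM public key derived from a private key file.
hash_key_pub() {
    kp=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    printf '%s\n' "$kp" | openssl dgst -sha256 -r | cut -d' ' -f1
}

# SHA-256 of the PEM public key embedded in a certificate or CSR.
hash_embedded_pub() {   # $1 = x509 (certificate) or req (CSR), $2 = file
    ep=$(openssl "$1" -in "$2" -noout -pubkey 2>/dev/null) || return 1
    printf '%s\n' "$ep" | openssl dgst -sha256 -r | cut -d' ' -f1
}

# Returns 0 on match, 1 on mismatch, 2 if either file cannot be parsed.
key_matches() {         # $1 = key, $2 = x509|req, $3 = certificate or CSR
    a=$(hash_key_pub "$1") || return 2
    b=$(hash_embedded_pub "$2" "$3") || return 2
    [ "$a" = "$b" ]
}

# Subject of a CSR in RFC 2253 form, to review Common name and Email.
csr_subject() {
    openssl req -in "$1" -noout -subject -nameopt RFC2253
}

# Constructed samples standing in for the saved key/CSR and the CA's reply.
make_samples() {
    openssl req -newkey rsa:2048 -nodes -keyout "$1/server.key" \
        -out "$1/server.csr" \
        -subj "/CN=nas.example.com/emailAddress=admin@example.com" 2>/dev/null
    # Self-signed here only so the demo is offline; a real one comes from the CA.
    openssl x509 -req -in "$1/server.csr" -signkey "$1/server.key" -days 1 \
        -out "$1/server.crt" 2>/dev/null
    # An unrelated key, to show what a mismatch looks like.
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$1/other.key" 2>/dev/null
}

work=$(mktemp -d)
make_samples "$work"
csr_subject "$work/server.csr"
key_matches "$work/server.key" req  "$work/server.csr" && echo "key matches CSR"
key_matches "$work/server.key" x509 "$work/server.crt" && echo "key matches certificate"
key_matches "$work/other.key"  x509 "$work/server.crt" || echo "other.key does not match: do not import"
```

With real files, point `key_matches` and `csr_subject` at your own server.key, server.csr and signed certificate instead of calling `make_samples`.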