How to enable HTTPS and create a certificate signing request on your Synology NAS
In some situations, HTTPS (Hypertext Transfer Protocol Secure) can be used to encrypt and secure network communication between your Synology NAS and other devices, providing protection against eavesdropping or man-in-the-middle attacks. To secure network communication, you can use your Synology NAS to create self-signed certificates and certificate signing requests (CSR).
This article shows how to enable HTTPS on your Synology NAS as well as steps to create a certificate signing request. The certificate signing request can be used to obtain a third-party digital identity certificate.
- Before you start
- Why use HTTPS?
- Enable HTTPS
- Create certificate signing request and import a signed certificate
This article assumes that you have done the following:
- Set up your Synology NAS
- Installed Synology DiskStation Manager (DSM, web-based operating system of Synology NAS)
Refer to the Quick Installation Guide included with your Synology NAS for more information about hardware and software installation. You can also refer to the Synology NAS User's Guide (available at Synology's Download Center) for general information.
- To obtain a signed certificate from a certificate authority, you need a registered domain name, such as example.com.
Many organizations and services (e.g. banks, government institutions, email services) implement HTTPS and digital identity certificates to make sure sensitive data (e.g. passwords, credit card information) is encrypted and secure when transferred over the Internet or other networks. HTTPS encrypts the data when transferred between the organization's server and the user's computer, thus ensuring malicious third parties cannot intercept and view the transferred data. Certificates authenticate the identity of the organization's server, allowing the user's computer to know whether the server truly belongs to the organization.
If a website is secured with HTTPS and possesses a trusted certificate, a green lock usually appears in most browsers.
- Log in to DSM using an account belonging to the administrators group.
- Go to Control Panel > Network > DSM Settings.
- Tick the Automatically redirect HTTP connections to HTTPS (Web Station and Photo Station excluded) box and then click Apply.
- Wait a moment while the Synology NAS restarts network settings.
- Once the settings have been applied, you can connect to DSM via HTTPS. Open a browser and enter https://yourdomainname:5001, where "yourdomainname" is the server name or registered domain name used for accessing the Synology NAS.
- A port access number must be entered to connect via HTTPS. By default, the port used for HTTPS is 5001. If you have enabled the option to automatically redirect to HTTPS, then entering the port number is not necessary as it will redirect automatically.
When connecting to the Synology NAS via HTTPS, you will probably encounter a warning screen similar to the one below. This warning appears because the web browser requires a third party certificate to verify the identity of the Synology NAS, but the browser does not trust the default certificate used by the Synology NAS.
- The above warning screen was produced on Google Chrome.
The above warning can be avoided by adding the domain as a security exception, allowing you to access DSM normally. However, to verify the identity of the Synology NAS and ensure the connection is truly secure, you will need a third-party certificate from a trusted certificate authority.
To obtain a third-party certificate for your Synology NAS, please make sure you have a registered domain name. You must also pay any expenses required by the certificate authority.
To create a certificate signing request (CSR):
- Some certificate authorities might require a certificate signing request (CSR) when you apply for a certificate. If so, you can easily create one. Go to Control Panel > Security > Certificate.
- Click the CSR button.
- Select Create certificate signing request. Then click Next.
- Fill in your information for the certificate signing request. Once all the information is entered, click Next.
- Enter the domain name for accessing your Synology NAS in the Common name field.
- Enter the email address for the domain name in the Email field.
To import a signed certificate into DSM:
- After successfully obtaining a signed certificate from a certificate authority, go to Control Panel > Security > Certificate and click Add.
- Select Add a new certificate. Then click Next.
- Select Import certificate. Then click Next.
- Click Browse to import the following files:
- Private Key: Select the server.key file that you saved on your computer earlier.
- Certificate: Select the signed certificate that you received from the certificate authority. The file name should resemble yourdomainname.crt.
- Intermediate Certificate: This field is optional. If the certificate authority provided an intermediate certificate, please import it here.
- Remember to keep your private key and certificate files in a safe place. These files might be needed when you update or change servers.
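Before importing, it is worth confirming that the private key really belongs to the signed certificate and that the certificate names the domain you use to reach the NAS. The script below is an added example, not part of the original article or of DSM; it assumes the OpenSSL command-line tool is installed on your computer, and the `nas.example.com` domain, the `server.csr` file name and the self-signed stand-in certificate are constructed sample values.

```shell
#!/usr/bin/env bash
# Added example: pre-import checks for the files DSM's "Import certificate" step asks for.

# SHA-256 of the public key inside a private key, certificate or CSR (PEM files).
pubkey_fp() {   # usage: pubkey_fp key|cert|csr FILE
  local pem
  case "$1" in
    key)  pem=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1 ;;
    cert) pem=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1 ;;
    csr)  pem=$(openssl req -in "$2" -noout -pubkey 2>/dev/null) || return 1 ;;
    *)    return 2 ;;
  esac
  [ -n "$pem" ] || return 1          # unreadable file: never hash empty input
  printf '%s\n' "$pem" | openssl pkey -pubin -outform DER | openssl dgst -sha256 | awk '{print $NF}'
}

# Succeeds only if KEY belongs to CERT, CERT names DOMAIN and CERT has not expired.
check_import_pair() {   # usage: check_import_pair KEY CERT DOMAIN
  local kfp cfp
  kfp=$(pubkey_fp key "$1")  || { echo "cannot read private key $1"; return 1; }
  cfp=$(pubkey_fp cert "$2") || { echo "cannot read certificate $2"; return 1; }
  [ "$kfp" = "$cfp" ] || { echo "private key does not match certificate"; return 1; }
  openssl x509 -in "$2" -noout -checkhost "$3" | grep -q 'does match certificate' \
    || { echo "certificate does not cover $3"; return 1; }
  openssl x509 -in "$2" -noout -checkend 0 >/dev/null \
    || { echo "certificate has expired"; return 1; }
  echo "ok: $1 and $2 can be imported for $3"
}

# Constructed sample files: a self-signed certificate stands in for the CA-signed one.
make_sample() {   # usage: make_sample DIR
  openssl req -new -newkey rsa:2048 -nodes -keyout "$1/server.key" -out "$1/server.csr" \
    -subj "/CN=nas.example.com/emailAddress=admin@example.com" 2>/dev/null &&
  openssl x509 -req -in "$1/server.csr" -signkey "$1/server.key" -days 30 \
    -out "$1/nas.example.com.crt" 2>/dev/null &&
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$1/other.key" 2>/dev/null
}

demo_dir=$(mktemp -d)
make_sample "$demo_dir"
# Matching pair: passes all three checks.
check_import_pair "$demo_dir/server.key" "$demo_dir/nas.example.com.crt" nas.example.com
# Unrelated key: rejected before it ever reaches the DSM import dialog.
check_import_pair "$demo_dir/other.key" "$demo_dir/nas.example.com.crt" nas.example.com || true
```

Run `check_import_pair` against your real server.key and the certificate returned by the certificate authority before clicking Browse. Only the CSR is sent to the certificate authority; server.key stays on your computer.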