Creating and installing a self signed SSL certificate on Synology NAS

Reasons behind this post

I have owned a Synology NAS for a long time now, specifically I own a DS409+ which has been for the most part an awesome device. I for some time have used a combination of the free dyndns.org service and some configuration on my router to open up the DSM web interface to the web so that I can access my NAS from anywhere.

This is and has been for the most part a great thing however being a professional web engineer and building large scale CMS driven sites I suddenly realised I was forgetting something important……SSL. I did a lot of research and reading on the subject and managed to find some articles on adding SSL to the DSM however I did not want to pay and so managed to piece together using only the DSM a way to create the self signed SSL certificate and install it on the Synology NAS DSM enabling running of my own certificate without errors…..awesome.

First thanks to Alexander van der Sar and this post which some of this is taken from.

Installing the openssl library

1. Firstly we need to use telnet. To turn this on log in to the DSM web interface, go to the control panel, click ‘Terminal‘ and select ‘Enable Telnet service‘ and save.

2. Next open up you telnet client (type telnet in the run bar for windows)

3. Now log on to your NAS. You must use the public or private url/ip address, the username of ‘root’ and the password of your admin account (it doesn’t matter if it’s disabled)

4. Type each of the following

cd /usr/syno
mkdir ssl
cd ssl
wget http://123adm.free.fr/home/pages/documents/syno-cert_fichiers/openssl.cnf
 

This will install the openssl content in to the NAS so it can be used.

Creating and installing the SSL certificate

1. Log on to the web interface of the DSM. Create a folder under one of the main shared folders that you have access to and can download from that we can use to create the ssl files.

2. Log on to the box as ‘root’ as described in ‘Installing the openssl library’

3. Navigate to the folder you created in part 1. To do this enter cd /volume1/{YOUR FOLDER}. For example if your top level shared folder was called personal and you created a folder called ssl you would need to go to

cd /volume1/personal/ssl
 

4. Next enter the following lines.  Use whatever key you like on the first command, then re-enter it when prompted on each of the other steps. When prompted for information enter what you like but for name make sure you enter the public domain of your NAS.  Also for the final line the parameter -days denotes how long the ssl certificate will last, change this to whatever you like.

openssl genrsa -des3 -out some.key 2048
openssl rsa -in some.key -out some.nopass.key
openssl req -nodes -new -key some.key -out some.csr
openssl x509 -req -in some.csr -signkey some.key -out some.crt -days 365
 

5. This will have now created a certificate file and the key you need. Download the following files to your desktop

some.nopass.key
some.crt
 

6. Now login to the web interface of your DSM, go to the control panel, DSM Settings, HTTP Service and click the button marked ‘Import Certificate

7. For the private key select some.nopass.key and for the Certificate select some .crt finally your NAS should reboot.

Force Accepting the SSL authority in Chrome for Windows

When using Firefox you can just accept the certificate but in Chrome to need to export and install it.

1. Go to the site in Chrome

2. Click the padlock on the left of the address bar, then click certificate information and go to the details tab

3. Select export to file and export with all default options to any name on your desktop

4. Double click the exported certificate, then select ‘Install Certificate’, select ‘Place all certificates in the following store‘ and then click browse and select ‘Trusted Root Certification Authorities’. Click Ok and follow the rest of the steps through, then restart any Chrome instances and now when you go to your SSL DSM interface any warning are gone and replaces with a lovely green lock on the left of the address bar.

I hope this helps anyone with similar issues, Thanks all

About ScottReed

I am an ASP.NET C# developer working in the south of England current for the south's top digital agency Redweb. I have worked for financial companies, CMS vendors, charities and web agencies tacking a variety of challenges. As part of my jobs and freelance I have done lots of work for high profile companies, big brands and government bodies and worked on some exciting large award winning builds. I love development and enjoy architectural design of software. ScottGu is my .NET hero and the Guru of all thing M$oft