I’ve been using the default setup on my Synology DS412+ with HTTPS enabled for a while now, but I knew it really wasn’t all that secure without a proper SSL certificate. Creating a self-signed certificate isn’t all that much better, and it can be easily forged. I decided it was about time I used a “real” certificate to better secure the NAS.
Prerequisites before starting
- You need to own a domain name, for example MikeTabor.com and be able to receive email from the domain name.
If you don’t already have a webhost for the domain, I’d suggest BlueHost.
- You also need a DDNS service set up. In this case, and for my use, I simply use the DDNS service that Synology offers for free.
- With those two set up, you will also want to add a CNAME DNS record pointing your domain (or subdomain, if you wish to go that route) to your DDNS service.
- Finally you’ll want to make sure Port Forwarding has been configured on your router.
For me I’ll be using a subdomain attached to my domain name for example: subdomain.miketabor.com. I also purchased the SSL certificate from NameCheap (Comodo PositiveSSL) for just $9.00 a year.
Note: I’ll be using a Synology DS412+ running DSM 5.0u1.
- Log into your Synology and navigate to Control Panel > Security > Certificate and click on “Create Certificate”.
- Select “Create certificate signing request (CSR)” and click “Next”.
- Now fill out your request form with your information:
  - Private Key Length: 2048 (as suggested for the NameCheap SSL certificate)
  - Common Name: Enter your domain name (in my case I’m using a subdomain, so I enter subdomain.miketabor.com)
  - Email: Enter your email address. As will be shown soon, when I went to confirm my email address I noticed I couldn’t use just any email address from the domain, as NameCheap uses pre-selected email addresses. I simply created a forward in my web hosting control panel to forward all email from admin(at)miketabor.com to my main email address, then removed the forward.
- Now click on “Download”. This will download a file called archive.zip which will contain two files: server.csr and server.key – SAVE these files!
Issue the SSL Certificate
If you haven’t already purchased your SSL, go ahead and do so. Once purchased (I’m assuming you also purchased from NameCheap), log into your NameCheap control panel and click on “Issue” next to your newly purchased SSL cert.
- In the Digital Certificate Order Form page select “Other” from the Select Web Server drop down menu. Then open the “server.csr” file (saved from above!) in notepad or notepad++ and copy and paste everything into the “Enter CSR” field.
- On the next screen, NameCheap will give you a list of email addresses which can be used to approve the certificate request. Select an email address and click “Next”.
Note: As mentioned above I don’t use any of these pre-selected email addresses so I simply created a forward to my main email address in my web hosting control panel for the time being.
- In a few minutes you should receive an email from Comodo that contains a link and a validation code. Click on the link, enter the validation code and click “Next”.
- A few minutes after you confirm the validation code you’ll receive another email from Comodo with a ZIP file attachment. Extract the file somewhere safe!
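Before importing, it is worth confirming that the files collected so far belong together: server.csr and the issued certificate should carry the public key of server.key, and the certificate should verify against the intermediate. The script below is an added example, not part of the original article; it assumes the OpenSSL command-line tool on your workstation and the file names used in this guide, and its function names are the example's own.

```shell
#!/bin/sh
# Added example, not from the original article. Assumes the OpenSSL CLI.

# Print the public key (PEM) held in a private key, CSR or certificate file.
pubkey_of() {
    case "$1" in
        key)  openssl pkey -in "$2" -pubout 2>/dev/null ;;
        csr)  openssl req  -in "$2" -noout -pubkey 2>/dev/null ;;
        cert) openssl x509 -in "$2" -noout -pubkey 2>/dev/null ;;
        *)    return 2 ;;
    esac
}

# same_key TYPE_A FILE_A TYPE_B FILE_B
# Succeeds only if both files carry the same public key; an unreadable or
# malformed file counts as a mismatch.
same_key() {
    a=$(pubkey_of "$1" "$2") || return 1
    b=$(pubkey_of "$3" "$4") || return 1
    [ -n "$a" ] && [ "$a" = "$b" ]
}

# issued_by INTERMEDIATE CERT
# Succeeds only if CERT's signature (and validity period) verifies against
# INTERMEDIATE. -partial_chain stops at the intermediate, so the root CA does
# not have to be in the local trust store.
issued_by() {
    openssl verify -partial_chain -CAfile "$1" "$2" 2>/dev/null | grep -q ': OK$'
}

# check_bundle KEY CSR CERT INTERMEDIATE: run all three checks in order.
check_bundle() {
    same_key key "$1" csr "$2"  || { echo "CSR was not generated from $1"; return 1; }
    same_key key "$1" cert "$3" || { echo "$3 does not match $1"; return 1; }
    issued_by "$4" "$3"         || { echo "$3 does not verify against $4"; return 1; }
    echo "OK: key, CSR, certificate and intermediate belong together"
}

# Runs only when the four files named in this guide are in the current
# directory; domain_com.crt stands for whatever your certificate is called.
if [ -f server.key ] && [ -f server.csr ] &&
   [ -f domain_com.crt ] && [ -f PositiveSSLCA2.crt ]; then
    check_bundle server.key server.csr domain_com.crt PositiveSSLCA2.crt
fi
```

Run it in the folder where you extracted the files. server.key is the private key, so it should not be copied anywhere other than into DSM.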
Import the SSL Certificate
- Go back to your Synology and navigate to Control Panel > Security > Certificate and click on “Import Certificate”.
- Browse and import the following files for each field:
  - Private Key: server.key (saved from Getting Started, Step 4)
  - Certificate: domain_com.crt (received from the Comodo .zip file in email)
  - Intermediate certificate: PositiveSSLCA2.crt (also received from Comodo zip file)
- Your Synology webserver will now restart, which should only take a few seconds. Your Synology control panel certificates page will look like this:
Redirect HTTP requests to HTTPS
To finish up, we’ll want to make sure that any HTTP request the Synology receives is redirected to HTTPS, ensuring that each time you access your Synology DSM the connection is protected by the SSL certificate.
- Within the Synology DSM navigate to Control Panel > Network > DSM Settings.
- Place a check in the following check boxes: “Enable HTTPS connection” and “Automatically redirect HTTP connections to HTTPS…”
- Also worth enabling are “SPDY”, which can make loading the page faster, and “HSTS”, which ensures browsers use the secured connection.
- Then click on “Apply”.
Note: This step is also a good time to change your port number if you wish (I’d recommend doing so as an added layer of security), just be sure to update your router port forwarding rules.
Safe and secure!
Now simply try to access your NAS using your domain/subdomain (example: subdomain.miketabor.com). Your connection is now secured, and you can confirm this by viewing the SSL cert in your browser.
That’s it! Below I’ve included some extra information based on the questions I’ve received in the comments and email.
Adding a CNAME in cPanel
I’ve been asked several times how to add a CNAME to a web host. The process is going to vary from web host to web host as it all depends on what control panel your web host uses, if any. In this case I’ll show you how to add a CNAME using one of the most common control panels and that’s WHM/cPanel.