Certificate
A certificate can be used to secure SSL services of the DiskStation, such as web (all HTTPS services), mail, or FTP. Having a certificate allows users to validate the identity of a server and the administrator before sending any confidential information.
At Control Panel > Security > Certificate, you can do the following:
- Get certificates from Let's Encrypt.
- Create self-signed certificates.
- Create certificate signing requests to other certificate authorities (CA).
- Sign the certificate signing requests from other applicants.
- Manage certificates on your DiskStation.
Note:
- Starting from DSM 6.0, you can create and import multiple certificates to your DiskStation.
- If you tick Set as default certificate, the certificate being processed will be used as the default certificate. The original default certificate will lose its default status.
Certificates from Let's Encrypt
To get certificates from Let's Encrypt:
You can get free and secure SSL/TLS certificates automatically from Let's Encrypt, an open and well-trusted certificate authority.
- Click Add.
- Select Add a new certificate and click Next.
- Select Get a certificate from Let's Encrypt.
- Enter the following information:
- Click Apply to save the settings. Once confirmed, the certificate will be instantly imported into your DiskStation.
Note:
- You can only register for certificates from Let's Encrypt with a limited number of email accounts. If the limit is exceeded, use an email account previously registered to get more certificates.
- You can only register for a limited number of certificates per domain from Let's Encrypt. If the limit is exceeded, please do either of the following:
- Enter the current domain name as the Subject Alternative Name (SAN) and use another domain name for the certificate request.
- Enter *.SYNOLOGY_DDNS_DOMAIN_NAME as the SAN to apply for a wildcard certificate.
- Let's Encrypt will perform domain validation before issuing certificates for your domains. Please make sure your DiskStation and router have port 80 open for domain validation from the Internet. All the other communications with Let's Encrypt go over HTTPS and will keep your DiskStation secure.
- Certificates issued by Let's Encrypt are valid for 90 days. Before the certificates expire, DSM will automatically renew such certificates after successful domain validation. Please make sure your DiskStation and router have port 80 open for certificate renewal.
- Wildcard certificates are only supported for Synology DDNS.
Self-signed Certificates
A self-signed certificate refers to a certificate that is created and signed by the same entity whose identity it certifies (in this case, the DiskStation). Self-signed certificates are signed with the private key generated by the DiskStation. Because self-signed certificates are not issued by third-party certificate authorities, they provide less proof of the identity of the server and are usually only used to secure channels between the server and a group of known users.
To create self-signed certificates:
- Click Add.
- Select Add a new certificate and click Next.
- Select Create self-signed certificate.
- Follow the instructions of the setup wizard.
Certificate Signing Requests (CSR)
In addition to certificates issued from Let's Encrypt and self-signed certificates, you can also apply for certificates from other commercial or third-party certificate authorities. To get a certificate, you may need to do the following:
- Create a certificate signing request (CSR): An encrypted body of text generated by the DiskStation containing information that will be included in your certificate such as your domain name, organization name, general location, and email address.
- Provide your personal or organization's identification to the certificate authority, and prove you are the owner of the domain name that was entered in the common name field of the certificate signing request.
To create certificate signing requests:
- Click CSR.
- Select Create certificate signing request (CSR).
- Follow the instructions of the setup wizard to create and download the certificate signing request.
- Send the CSR and required information to the certificate authority for confirmation.
When you receive the requested certificate issued by the certificate authority, you can import it along with your private key.
Note:
A private key should also be generated along with the certificate signing request. Certificate authorities do not need this private key. Please keep the private key for your DiskStation safe and secure.
To sign certificate signing requests:
Users of other devices may send certificate signing requests to gain certified access to your DiskStation. You can sign their requests using the root certificate of the DiskStation, and send the generated certificates to the applicants.
- Click CSR.
- Click Sign certificate signing request (CSR).
- Upload the certificate signing request and enter relevant information.
- Click Next, and the system will sign the certificate request and create a corresponding certificate.
Certificate Management
To import certificates:
You can import a previously exported certificate or a certificate from a commercial or third-party certificate authority, along with a private key, to have your DiskStation trusted by other devices.
- Click Add.
- Select Add a new certificate and Import certificate.
- Follow the wizard's instructions to finish importing the certificate.
Note:
- Intermediate certificates are optional for some certificate authority-issued certificates.
- Certificates must be X.509 PEM format.
- Private keys must be RSA format and cannot be passphrase protected.
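The private-key rules in the note above (RSA only, no passphrase) can be checked on a key file before running the import wizard. This is an added example, not Synology code: the function names and the SAMPLE_ENCRYPTED string are constructed for illustration, and the check reads only the PEM label, the PEM headers and the PKCS#8 algorithm OID, so it does not verify the key material itself.

```python
import base64
import re

RSA_OID = bytes.fromhex("2a864886f70d010101")  # 1.2.840.113549.1.1.1 (rsaEncryption)
PEM_RE = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----(.*?)-----END \1-----", re.S)
# Constructed sample: legacy encrypted-key framing around dummy data, not a real key.
SAMPLE_ENCRYPTED = ("-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n"
                    "DEK-Info: AES-256-CBC,00\n\nAAAA\n-----END RSA PRIVATE KEY-----\n")

def pem_blocks(text):
    """Return [(label, headers, der)] for every PEM block in text."""
    out = []
    for label, body in PEM_RE.findall(text):
        lines = [ln.strip() for ln in body.splitlines() if ln.strip()]
        headers = [ln for ln in lines if ":" in ln]  # e.g. "Proc-Type: 4,ENCRYPTED"
        b64 = "".join(ln for ln in lines if ":" not in ln)
        out.append((label, headers, base64.b64decode(b64)))
    return out

def tlv(buf, pos):
    """Read one DER element at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length: low 7 bits give the byte count
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def pkcs8_is_rsa(der):
    """PrivateKeyInfo ::= SEQUENCE { version, SEQUENCE { algorithm OID, ... }, ... }"""
    _, p, _ = tlv(der, 0)    # enter outer SEQUENCE
    _, _, p = tlv(der, p)    # skip version INTEGER
    _, p, _ = tlv(der, p)    # enter AlgorithmIdentifier
    tag, s, e = tlv(der, p)  # algorithm OID
    return tag == 0x06 and der[s:e] == RSA_OID

def check_key(pem_text):
    """Return the reasons a private key file fails the import rules ([] = OK)."""
    try:
        keys = [b for b in pem_blocks(pem_text) if b[0].endswith("PRIVATE KEY")]
        if len(keys) != 1:
            return ["expected exactly one PEM private key block"]
        label, headers, der = keys[0]
        if label == "ENCRYPTED PRIVATE KEY" or any("ENCRYPTED" in h for h in headers):
            return ["key is passphrase protected"]
        if label == "RSA PRIVATE KEY" or (label == "PRIVATE KEY" and pkcs8_is_rsa(der)):
            return []
        return ["key is not RSA (PEM label: %s)" % label]
    except (ValueError, IndexError):
        return ["key file is not well-formed PEM/DER"]
```

Call `check_key(open(path).read())` on the key file; an empty list means the label and algorithm satisfy the two rules.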
To export certificates:
Existing certificates can be downloaded for management or archival purposes, and they can also be imported into other users' devices to establish trust between your DiskStation and their devices. The exported file contains the certificate, private key, and self-signed root certificate of the DiskStation.
- Select the desired certificate.
- Click Export certificate.
To renew certificates:
When your certificate is about to expire, it can be renewed using this option.
- Click CSR.
- Select Renew certificate and click Next.
- Download the generated private key and certificate signing request.
- Send the CSR to the desired certificate authority for a renewed certificate.
To replace certificates:
If you do not want to use existing certificates, you can replace them with other certificates.
- Click Add.
- Select Replace an existing certificate and the unwanted certificate from the drop-down menu.
- Follow the wizard's instructions to finish replacing the certificate.
To edit certificates:
You can edit a certificate's description or set another certificate as the default certificate.
- Select the desired certificate.
- Click Edit and you can do either action below:
- Change the certificate description, and click OK.
- Select Set as default certificate to assign it the default status, and click Apply.
To configure certificates:
You can change a certificate for a service to another certificate to suit your needs.
- Click Configure to show all the services and the corresponding certificates.
- Click the current certificate of the targeted service.
- Select the proper certificate from the drop-down menu.
- Click OK.
Note:
- The System Default certificate applies to any connection that is not on the service list.
To delete certificates:
- Select the unwanted certificate.
- Click Delete to finish deleting the certificate.
Note:
- The default certificate cannot be deleted.
- If you delete a non-default certificate, the default certificate will take over its corresponding services. Please keep in mind that the default certificate may not be fully compatible with these services.
To repair certificates:
When there are errors with a certificate, the services registered to use that certificate will be inaccessible. Choose from the following options to repair the certificate:
- Apply for a new certificate, such as one from Let's Encrypt.
- Import the certificate again.
- Change the services' certificate to a different one.