How to generate custom SSL certificates
- First, create a temporary work folder, for example /usr/local/ssl/, and cd into it.
Generating SSL certificates always takes two steps. First you generate a certificate authority (CA) key and certificate, then you generate a server certificate signed with the certificate authority key. The server certificate is used when the web server starts, and the certificate authority certificate (ca.crt) has to be installed on the client PC.
- During key generation you have to enter a passphrase, which you will need later to generate the certificates. Generate the key ca.key with the following command:
openssl genrsa -des3 -out ca.key 1024
- Generation of the certificate signing request (CSR) for the key:
openssl req -new -key ca.key -out ca.csr
- Generation of the final certificate authority certificate (valid 10 years):
openssl x509 -days 3650 -signkey ca.key -in ca.csr -req -out ca.crt
Generation of the server-certificate
- Generation of the key:
openssl genrsa -out server.key 1024
- Generation of the certificate signing request (CSR). The most important field is the Common Name: it must match your DNS name, for example name.dyndns.org. You can also use wildcards like *.name.dyndns.org.
openssl req -new -key server.key -out server.csr
- Generation of the server certificate:
openssl x509 -days 3650 -CA ca.crt -CAkey ca.key -set_serial 01 -in server.csr -req -out server.crt
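Before the files are installed, the set generated above can be checked for the usual mistakes. The script below is an added example and not part of the original guide: it confirms that server.crt chains to ca.crt, that server.key belongs to server.crt, that the Common Name covers the DNS name, and it flags short RSA keys. The function names check_cert_set and make_demo_set, the 2048-bit threshold and the demo set (built without a passphrase, using req -x509 for the CA) are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the original guide): checks to run in the work
# folder before the files are moved. check_cert_set returns 0 if all pass.
check_cert_set() {   # check_cert_set CA_CRT SERVER_CRT SERVER_KEY DNS_NAME
    ca=$1; crt=$2; key=$3; name=$4; rc=0
    fail() { echo "FAIL: $*"; rc=1; }

    # 1. server.crt must chain to ca.crt, the file the clients will trust.
    openssl verify -CAfile "$ca" "$crt" >/dev/null 2>&1 ||
        fail "$crt is not signed by $ca"

    # 2. server.key must belong to server.crt (identical RSA modulus).
    m_crt=$(openssl x509 -noout -modulus -in "$crt" 2>/dev/null)
    m_key=$(openssl rsa -noout -modulus -in "$key" 2>/dev/null)
    [ -n "$m_crt" ] && [ "$m_crt" = "$m_key" ] ||
        fail "$key is not the private key of $crt"

    # 3. Common Name must match the DNS name, exactly or as a wildcard.
    cn=$(openssl x509 -noout -subject -nameopt RFC2253 -in "$crt" 2>/dev/null |
         sed -n 's/.*CN=\([^,]*\).*/\1/p')
    case $cn in
        "$name") ;;
        \*.*) [ "${name#*.}" = "${cn#??}" ] || fail "CN $cn does not cover $name" ;;
        *) fail "CN '$cn' does not match $name" ;;
    esac

    # 4. Flag RSA keys below 2048 bits (threshold chosen for this example).
    bits=$(openssl x509 -noout -text -in "$crt" 2>/dev/null |
           sed -n 's/.*Public[- ]Key: (\([0-9]*\) bit).*/\1/p')
    [ "${bits:-0}" -ge 2048 ] || fail "$crt uses a ${bits:-unknown}-bit key"
    return $rc
}

# Constructed throwaway set for trying the checks: passphrase-less keys,
# 30-day validity. make_demo_set DIR COMMON_NAME BITS
make_demo_set() {
    ( cd "$1" &&
      openssl genrsa -out ca.key "$3" &&
      openssl req -x509 -new -key ca.key -subj "/CN=Demo CA" -days 30 -out ca.crt &&
      openssl genrsa -out server.key "$3" &&
      openssl req -new -key server.key -subj "/CN=$2" -out server.csr &&
      openssl x509 -req -days 30 -CA ca.crt -CAkey ca.key -set_serial 01 \
          -in server.csr -out server.crt ) >/dev/null 2>&1
}

# Direct use: sh check.sh ca.crt server.crt server.key name.dyndns.org
if [ $# -eq 4 ]; then check_cert_set "$@"; fi
```

Current browsers match the host name against the subjectAltName extension rather than the Common Name, so a certificate that passes these checks can still be rejected by the browser.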
Installing the files
- Change into the Synology certificate folder (/usr/syno/etc/ssl/)
- Make a backup folder (bak) for the old files:
- Copy the old files into the backup folder:
cp -r ssl.crt bak
cp -r ssl.csr bak
cp -r ssl.key bak
- Move the new files to the certificate folder:
mv /usr/local/ssl/ca.crt ssl.crt
mv /usr/local/ssl/server.crt ssl.crt
mv /usr/local/ssl/ca.csr ssl.csr
mv /usr/local/ssl/server.csr ssl.csr
mv /usr/local/ssl/ca.key ssl.key
mv /usr/local/ssl/server.key ssl.key
- The ca.crt has to be installed on the client workstations. For this we copy the file into the folder public.
cp /usr/syno/etc/ssl/ssl.crt/ca.crt /volume1/public
- Restart your Synology Station
Installation of the certificate on the client workstation
Finally, the certificate has to be installed on the client workstations as a trusted certificate authority. Copy the file ca.crt to the client PC and install it from Windows Explorer with right-click -> Install Certificate.
In case something goes wrong, Synology has supplied an easy way not to restore the old certificates, but to create a new, working set. This should repair the certificates if importing certificates from the web manager has failed. If you need a telnet or ssh client, use PuTTY.
- Log in to the Synology NAS drive as root, using the admin user's password, via telnet or ssh, and type the following at the command prompt:
cd /usr/syno/etc/ssl/
./mkcert.sh
- Allow the script to finish, and type reboot in the prompt.
- In a while the NAS drive should have rebooted, and everything should be fine again.
Thanks to maelcum in this forum post for pointing it out.