I love my Synology Disk Station, but I have been wanting to replace the self-signed certificate with a certificate from a widely trusted Certificate Authority for a long time.
Through Googling and trial and error, I managed to replace the self-signed certificate with a free, validated certificate from StartSSL.
I am now better protected against man-in-the-middle attacks, as I am presented with a validated certificate from a trusted source rather than a self-signed certificate which I must choose to trust each time I connect.
The usual disclaimer: I am by no means a *nix wiz. Since this was not as straightforward as it should have been, I decided to post the steps so other people can benefit from it. Use any of the information here to your heart's content, but do not blame me if something goes horribly wrong.
Any corrections, suggestions and other feedback are much appreciated.
Ensure telnet/SSH access to the Disk Station is enabled and log in as root, e.g. using PuTTY.
DSM 3.0 seems to be missing the openssl.cnf file, which is expected at /usr/syno/ssl/openssl.cnf.
Download the source tarball for the appropriate version of OpenSSL from http://www.openssl.org/source/, then extract openssl.cnf from the /apps/ directory in the tarball to a directory on your Synology, e.g. /volume1/share/.
To check your version of OpenSSL:
openssl version
My DS207+ running DSM 3.0 has OpenSSL 1.0.0a (1 Jun 2010).
Update: After upgrading my DS207+ to DSM 3.1 (build 1636), I'm now on OpenSSL 1.0.0c (2 Dec 2010). My DS108j running DSM 3.1 (build 1748) is running OpenSSL 1.0.0d (8 Feb 2011).
Create the directory /usr/syno/ssl and copy openssl.cnf to it:
mkdir /usr/syno/ssl/
cp /volume1/share/openssl.cnf /usr/syno/ssl/
Next, create a temporary working folder (e.g. /usr/local/ssl/) and change into it:
mkdir /usr/local/ssl
cd /usr/local/ssl
Generating the private key and certificate request
Now create a new private key for the SSL session. OpenSSL will force you to protect the key with a password:
openssl genrsa -out server.protected.key 2048
The password protection must be removed before the key can be used by the web interface:
openssl rsa -in server.protected.key -out server.key
Create a certificate request (CSR) based on the new key:
openssl req -new -key server.key -out server.csr
You do not necessarily have to enter all details; it depends on what your certificate provider requires. The most important is the "Common Name", which must exactly match the DNS name used to access the Synology, e.g. mysynology.dyndns.org.
With class 1 validated certificates, much of the information you enter in the request is often discarded by the certificate provider. E.g.
Depending on your certificate provider's request procedure, either upload the server.csr file or copy the contents of the file and paste them into the provider's website when prompted.
To output the contents:
Installing the files
- Save the issued certificate to a directory on the Synology, e.g. /volume1/share/server.crt
- Copy the certificate to the working folder created:
cp /volume1/share/server.crt /usr/local/ssl
- Change into the Synology certificate folder
- Make a backup folder for the old files:
- Copy the old files into the backup folder:
cp -r ssl.crt bak
cp -r ssl.csr bak
cp -r ssl.key bak
- Remove the self-signed CA certificate and associated files:
rm ssl.crt/ca.crt
rm ssl.csr/ca.csr
rm ssl.key/ca.key
- Copy the new files to the current folder:
mv /usr/local/ssl/server.crt ssl.crt
mv /usr/local/ssl/server.csr ssl.csr
mv /usr/local/ssl/server.key ssl.key
- Restart your Synology Station:
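As an added example, not code from the original post, here is a POSIX shell script that performs the checks worth doing before the install steps above: it confirms the issued certificate actually belongs to the private key from the CSR and carries the expected Common Name, then does the backup and copy, leaving the password-less key readable by root only. It assumes the post's example host name mysynology.dyndns.org, takes the certificate folder path (not given above) as an argument, and builds constructed demo files with openssl in a temp directory.

```shell
#!/bin/sh
# Added example, not from the original post: confirm the issued certificate
# belongs to the private key behind the CSR and carries the expected Common
# Name before backing up and replacing the DiskStation's files. DNS_NAME is the
# post's example host; the certificate folder path is not given in the post, so
# install_cert takes it as an argument.
set -u
DNS_NAME="mysynology.dyndns.org"
# Succeeds when the PEM public key in the certificate equals the one derived from the key.
cert_matches_key() {  # $1 = certificate file, $2 = private key file
    c=$(openssl x509 -noout -pubkey -in "$1" 2>/dev/null) || return 1
    k=$(openssl rsa -pubout -in "$2" 2>/dev/null) || return 1
    [ -n "$c" ] && [ "$c" = "$k" ]
}
# Succeeds when the subject CN equals the DNS name clients will connect to.
cert_cn_is() {  # $1 = certificate file, $2 = expected DNS name
    cn=$(openssl x509 -noout -subject -nameopt RFC2253 -in "$1" 2>/dev/null \
         | sed -n 's/.*CN=\([^,]*\).*/\1/p')
    [ "$cn" = "$2" ]
}
# Same steps as the post (backup, drop ca.*, copy the new files), but refuses to
# touch anything until both checks pass, and keeps the password-less key 0600.
install_cert() {  # $1 = cert, $2 = csr, $3 = key, $4 = certificate folder
    cert_matches_key "$1" "$3" || { echo "certificate does not match key" >&2; return 1; }
    cert_cn_is "$1" "$DNS_NAME" || { echo "CN is not $DNS_NAME" >&2; return 1; }
    bak="$4/bak.$(date +%Y%m%d%H%M%S)"
    mkdir -p "$bak" && cp -r "$4/ssl.crt" "$4/ssl.csr" "$4/ssl.key" "$bak" || return 1
    rm -f "$4/ssl.crt/ca.crt" "$4/ssl.csr/ca.csr" "$4/ssl.key/ca.key"
    cp "$1" "$4/ssl.crt/server.crt" && cp "$2" "$4/ssl.csr/server.csr" &&
        cp "$3" "$4/ssl.key/server.key" && chmod 600 "$4/ssl.key/server.key"
}
# Constructed demo material in a temp dir: a key, its CSR, a self-signed
# stand-in for the CA-issued certificate, an unrelated key, and an empty copy
# of the certificate folder layout. Prints the temp dir path.
make_demo() {
    d=$(mktemp -d)
    openssl genrsa -out "$d/server.key" 2048 2>/dev/null
    openssl req -new -key "$d/server.key" -subj "/CN=$DNS_NAME" -out "$d/server.csr" 2>/dev/null
    openssl x509 -req -days 1 -in "$d/server.csr" -signkey "$d/server.key" -out "$d/server.crt" 2>/dev/null
    openssl genrsa -out "$d/other.key" 2048 2>/dev/null
    mkdir -p "$d/certdir/ssl.crt" "$d/certdir/ssl.csr" "$d/certdir/ssl.key"
    echo "$d"
}
# Stand-alone run against the demo material: sh check_cert.sh --demo
if [ "${1:-}" = "--demo" ]; then
    d=$(make_demo) && install_cert "$d/server.crt" "$d/server.csr" "$d/server.key" "$d/certdir" \
        && echo "installed into $d/certdir"
fi
```

On a real DiskStation, pass the actual certificate folder and the files from the working folder instead of the demo material; a mismatched key or a wrong CN makes install_cert stop before anything is overwritten.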