Certificate

In this section, you will learn how to enhance your network security by managing certificates that allow users to validate the identity of your Synology Router before establishing a secure connection. A certificate can be used to secure SSL services of your Synology Router, such as web (all HTTPS services) or FTP. For example, your browser will validate the certificate of your Synology Router when logging in via HTTPS. Your browser will warn you that the site's security certificate is not trusted if you do not have a certificate issued by a certificate authority. By using trusted certificates, you can help prevent malicious third parties from compromising your connection.

The Certificate tab (Control Panel > Services > Certificate) provides options to manage and view the status of Synology Router certificates, allowing you to create, import, export, and renew certificates. The certificate setup wizard helps create self-signed certificates and certificate signing requests (CSR) for registration with certificate authorities (CA).

Contents

  1. What to know about self-signed certificates
  2. Obtaining a third-party authorized certificate

1. What to know about self-signed certificates

A self-signed certificate is a certificate created and signed by the same entity whose identity it certifies (in this case, your Synology Router). Self-signed certificates are signed with the private key generated by your Synology Router. Because self-signed certificates are not issued by third-party certificate authorities, they provide weaker proof of a host device's identity and are usually only used to secure channels between the host device and a group of known users. A self-signed certificate can be used to secure connections to your Synology Router if all of the users connecting are known and trusted by the administrator.

To create a self-signed certificate:

  1. Click Create certificate.
  2. Select Create self-signed certificate and click Next.
  3. Follow the certificate wizard instructions.

Note:

  • Creating a self-signed certificate will replace the existing certificate of your Synology Router.

Your self-signed certificate can then be imported together with a signed certificate request to establish a secure connection with your Synology Router. Please see the next section for more details about creating certificate signing requests.

Existing certificates can be downloaded for management or archival purposes. The exported file contains the certificate, private key, and self-signed root certificate of your Synology Router.

To export a certificate:

  1. Click Export certificate. You can then download the compressed archive to your computer. Please keep the private key for your Synology Router safe and secret.

2. Obtaining a third-party authorized certificate

To apply for a certificate issued by a third-party certificate authority, you must first create a certificate signing request (CSR). You can use the certificate wizard to prepare a certificate signing request containing information such as your domain name, organization name, general location, and email address. The request can then be used to apply for a third-party issued certificate for your Synology Router.

To acquire a certificate from a commercial or third-party certificate authority, you will need to provide your personal or organization's identification, and prove you are the owner of the domain name that was entered in the common name field of the certificate signing request. A third-party certificate authority issued certificate is recommended if your Synology Router will be accessed by unknown users.

To create a certificate signing request:

  1. Click Create certificate.
  2. Select Create certificate signing request (CSR) and click Next.
  3. Follow the instructions of the certificate wizard to create and download the certificate signing request. The downloaded file archive.zip should include two files, server.csr and server.key. You can use the server.csr file to apply for a signed certificate from a third-party certificate authority. The private key server.key is not needed by the certificate authority. Please keep the private key for your Synology Router safe and secret.

Once your certificate has been issued by the certificate authority, it can be imported along with your private key. These two pieces of information together will be used to establish a secure connection with your Synology Router.

To import a certificate:

  1. Click Import certificate.
  2. Browse for the following files:
    • Private Key: Select the server.key file you generated from the certificate signing request.
    • Certificate: Select the signed certificate you received from the certificate authority. The filename should be something like server.crt or yourdomainname.cert.
    • Intermediate certificate: This field is optional. If the certificate authority provided an intermediate certificate, please import it here.
  3. Click OK to finish. You can view a detailed summary under Server certificate.

Note:

  • Certificates must be X.509 PEM format.
  • Private keys must be RSA format and cannot be passphrase protected.
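
A pre-import check for the two format rules above, added here as an example (it is not part of SRM or Synology's documentation). The function names are hypothetical, the sample PEM bodies are constructed placeholders, and accepting an unencrypted PKCS#8 "PRIVATE KEY" block that carries the RSA algorithm identifier is an assumption, since the page does not say which RSA key container SRM accepts.

```python
import base64
import re

# DER bytes of the rsaEncryption OID, 1.2.840.113549.1.1.1
RSA_OID = bytes.fromhex("06092a864886f70d010101")
PEM_RE = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)-----END \1-----", re.S)

def pem_blocks(text):
    """Return [(label, headers, der_bytes)] for every PEM block in text."""
    out = []
    for label, body in PEM_RE.findall(text):
        lines = [ln.strip() for ln in body.splitlines() if ln.strip()]
        headers = [ln for ln in lines if ":" in ln]   # e.g. Proc-Type, DEK-Info
        b64 = "".join(ln for ln in lines if ":" not in ln)
        out.append((label, headers, base64.b64decode(b64, validate=True)))
    return out

def check_key(text):
    """List the reasons a private key file fails the two import rules."""
    blocks = pem_blocks(text)
    if len(blocks) != 1:
        return ["expected one PEM block, found %d" % len(blocks)]
    label, headers, der = blocks[0]
    if label == "ENCRYPTED PRIVATE KEY" or any("ENCRYPTED" in h for h in headers):
        return ["key is passphrase protected"]
    if label == "RSA PRIVATE KEY":
        return []
    if label == "PRIVATE KEY":  # PKCS#8: the algorithm OID sits near the start
        return [] if RSA_OID in der[:40] else ["PKCS#8 key is not RSA"]
    return ["not an RSA private key: " + label]

def check_cert(text):
    """List the reasons a certificate file is not X.509 PEM."""
    blocks = pem_blocks(text)
    if not blocks:
        return ["no PEM block found (DER or PKCS#12 file?)"]
    return ["unexpected PEM block: " + l for l, _, _ in blocks if l != "CERTIFICATE"]

def make_pem(label, der, headers=""):
    """Build a constructed sample; the DER bytes are placeholders, not real keys."""
    b64 = base64.b64encode(der).decode()
    return "-----BEGIN %s-----\n%s%s\n-----END %s-----\n" % (label, headers, b64, label)

if __name__ == "__main__":
    enc = make_pem("RSA PRIVATE KEY", b"\x00" * 32,
                   "Proc-Type: 4,ENCRYPTED\nDEK-Info: AES-256-CBC,00\n\n")
    print(check_key(enc))
    print(check_key(make_pem("EC PRIVATE KEY", b"\x30\x00")))
    print(check_cert(make_pem("CERTIFICATE", b"\x30\x00")))
```

The check looks only at the PEM armour and the algorithm identifier; it does not confirm that the private key matches the certificate.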

Alternatively, you can also sign a certificate signing request using the root certificate of your Synology Router. This certificate can be used instead of a third-party certificate authority issued certificate if your Synology Router is only shared between a group of trusted users.

To sign a certificate signing request:

  1. Click Create certificate.
  2. Click Sign certificate signing request (CSR).
  3. Upload the certificate signing request and enter the relevant information.
  4. Click Next, and the system will sign the certificate request and create a corresponding certificate.

You can then import this certificate along with the private key generated from creating a self-signed certificate. Certificates are effective until their expiration date. When your certificate is about to expire, you can renew it.

To get certificates from Let's Encrypt:

You can get free and secure SSL/TLS certificates automatically from Let's Encrypt, an open and well-trusted certificate authority.

  1. Click Create certificate.
  2. Select Get a certificate from Let's Encrypt.
  3. Specify the following information:
    • Domain name: Enter the domain you have registered from the domain provider.
    • Email: Enter the email address used for certificate registration.
    • Subject alternative name: To allow one certificate to cover multiple domains, enter the other domain names here. You can also apply for a wildcard certificate by entering the domain names of Synology DDNS in the following format:
      *.SYNOLOGY_DDNS_DOMAIN_NAME
  4. Click Apply to save the settings. Once confirmed, the certificate will be instantly imported into your Synology Router.

Note:

  • You can only register for certificates from Let's Encrypt with a limited number of email accounts. If the limit is exceeded, use an email account previously registered to get more certificates.
  • You can only register for a limited number of certificates per domain from Let's Encrypt. If the limit is exceeded, please do either of the following:
    • Enter the current domain name as the Subject Alternative Name (SAN) and use another domain name for the certificate request.
    • Enter *.SYNOLOGY_DDNS_DOMAIN_NAME as the SAN to apply for a wildcard certificate.
  • Let's Encrypt will perform domain validation before issuing certificates for your domains. Please make sure your Synology Router has port 80 open for domain validation from the Internet. All the other communications with Let's Encrypt go over HTTPS and will keep your Synology Router secure.
  • Certificates issued by Let's Encrypt are valid for 90 days. Before the certificates expire, SRM will automatically renew such certificates after successful domain validation. Please make sure your Synology Router has port 80 open for certificate renewal.
  • Wildcard certificates are only supported for Synology DDNS.

To renew a certificate:

  1. Click Create certificate.
  2. Select Renew certificate and click Next. A new private key and certificate signing request will be created.
  3. Click Download to retrieve your new private key and certificate signing request. You can use the new signing request to reapply for another certificate authority signed certificate.