How do I enable HTTPS and create a certificate signing request on my Synology Unified Controller?
Purpose
HTTPS (Hypertext Transfer Protocol Secure) can be used to encrypt and secure network communication between your Synology Unified Controller and other devices, protecting against eavesdropping or other attacks. This article shows how to enable HTTPS on your Synology Unified Controller and how to create a certificate signing request (CSR) for securing your network communication. The certificate signing request can be used to obtain a third-party digital identity certificate.
Resolution
Why use HTTPS?
Many organizations and services implement HTTPS and digital identity certificates to make sure that sensitive data, like passwords and credit card information, is encrypted and secured when transferred over the Internet or other networks. HTTPS encrypts data transferred between the organization's server and the user's computer, ensuring that malicious third parties will not be able to intercept and view the transferred data. Certificates authenticate the organization's server and allow the user's computer to know whether the server truly belongs to the organization.
If a website is secured with HTTPS and possesses a trusted certificate, a green lock usually appears in most browsers.
Connect via HTTPS
- Sign in to DSM UC using an account belonging to the administrators group.
- Go to Control Panel > Network > Connection Settings.
- Tick the Automatically redirect HTTP connections to HTTPS checkbox. The default HTTPS port is 5001 (see note 1).
- Click Apply.
- Once the settings have been applied, you can connect to the system via HTTPS. Open a browser and enter https://yourdomainname: followed by your HTTPS port number. "yourdomainname" is the server name or registered domain name used for accessing Synology Unified Controller.
Create a certificate signing request and import a signed certificate
When connecting to Synology Unified Controller via HTTPS, you may encounter a warning screen similar to the one in the image below. This warning appears because the web browser does not trust the default certificate used by Synology Unified Controller and requires a third-party certificate to verify its identity.
You can avoid the above warning by adding the domain as a security exception, allowing you to access the system normally. However, to verify the identity of Synology Unified Controller and ensure the connection is truly secured, you will need a third-party certificate from a trusted certificate authority.
To obtain a third-party certificate for your Synology Unified Controller, please make sure you have a registered domain name.
To create a certificate signing request (CSR):
- Some certificate authorities might require a certificate signing request (CSR) when you apply for a certificate. If so, you can easily create one by going to DSM UC > Control Panel > Security > Certificate and clicking the CSR button.
- Enter your information for the certificate signing request. Once all of the information is entered, click Next and the system will create a certificate signing request.
  - In the Common name field, enter the domain name for accessing your Synology Unified Controller.
  - In the Email field, enter the email address for the domain name.
- Click Download to proceed.
- A file called archive.zip will be downloaded to your computer. It should contain two files — server.csr and server.key. Keep both of these files in a safe place on your computer.
- At this point, you can use the server.csr file to apply for a signed certificate from a third-party certificate authority. The procedure and expenses required will differ depending on the certificate authority. For more information, please consult the certificate authority directly.
To import a signed certificate into the system:
- After successfully obtaining a signed certificate from a certificate authority, go to DSM UC > Control Panel > Security > Certificate and click the Replace button.
- Select a controller and click Next to continue.
- Select Import certificate and then click Next.
- Click Browse to import the following files:
  - Private Key: Select the server.key file that you saved on your computer earlier (see note 2).
  - Certificate: Select the signed certificate that you received from the certificate authority. The file name should resemble yourdomainname.pem (see note 2).
  - Intermediate Certificate: This field is optional. If the certificate authority has provided an intermediate certificate, please import it here.
- Click OK and the signed certificate should be successfully imported.
Notes:
1. A port number must be entered to connect via HTTPS. By default, the port used for HTTPS is 5001. If you have enabled the option to automatically redirect to HTTPS, then entering the port number is not necessary as it will redirect automatically.
2. Make sure to keep your private key and certificate files in a safe place as you may need these files when updating or changing servers.
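Before the import step, it helps to confirm that server.key, server.csr and the certificate returned by the certificate authority belong together, and that the CSR carries the intended Common name. The script below is an added example, not part of the original article or of Synology's tooling; it assumes the OpenSSL command-line tool is installed, and its function names and the domain uc.example.test are made up for a demo that runs on constructed throwaway files.

```sh
#!/bin/sh
# Added example: pre-import checks for the files named in the article.
# Function names and the domain uc.example.test are assumptions of this example.

# Print the SHA-256 of the public key inside a key, CSR or certificate.
pubkey_hash() {  # $1 = key|csr|cert, $2 = file
    case "$1" in
        key)  pem=$(openssl pkey -in "$2" -pubout 2>/dev/null) ;;
        csr)  pem=$(openssl req -in "$2" -noout -pubkey 2>/dev/null) ;;
        cert) pem=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) ;;
        *)    return 2 ;;
    esac
    [ -n "$pem" ] || return 1   # unreadable file or wrong file type
    printf '%s\n' "$pem" | openssl pkey -pubin -outform DER | openssl sha256 |
        awk '{print $NF}'
}

# Succeed only if private key, CSR and certificate carry the same public key.
files_match() {  # $1 = server.key, $2 = server.csr, $3 = signed certificate
    k=$(pubkey_hash key "$1") && r=$(pubkey_hash csr "$2") &&
        c=$(pubkey_hash cert "$3") && [ "$k" = "$r" ] && [ "$k" = "$c" ]
}

# Print the Common name stored in the CSR (the controller's domain name).
csr_common_name() {  # $1 = server.csr
    openssl req -in "$1" -noout -subject -nameopt multiline 2>/dev/null |
        sed -n 's/^ *commonName *= *//p'
}

# Constructed sample files: throwaway key and CSR, a self-signed certificate
# standing in for the CA's reply, and an unrelated key.
make_demo_files() {  # $1 = existing directory
    openssl req -new -newkey rsa:2048 -nodes -keyout "$1/server.key" \
        -out "$1/server.csr" -subj "/CN=uc.example.test" 2>/dev/null &&
    openssl x509 -req -in "$1/server.csr" -signkey "$1/server.key" \
        -days 1 -out "$1/yourdomainname.pem" 2>/dev/null &&
    openssl genrsa -out "$1/other.key" 2048 2>/dev/null
}

d=$(mktemp -d) && make_demo_files "$d" && {
    echo "CSR common name: $(csr_common_name "$d/server.csr")"
    files_match "$d/server.key" "$d/server.csr" "$d/yourdomainname.pem" &&
        echo "server.key matches the CSR and certificate"
    files_match "$d/other.key" "$d/server.csr" "$d/yourdomainname.pem" ||
        echo "other.key does not match: do not import this pair"
    rm -rf "$d"
}
```

With real files, call `files_match server.key server.csr yourdomainname.pem` in the directory where archive.zip was unpacked; only public-key hashes are printed or compared, so the private key never leaves the file.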