Synology usage series 24 – Adding free and valid SSL certificate to diskstation with startssl.com


Original content from synology forum http://forum.synology.com/enu/viewtopic.php?f=36&t=21704.

Spanish translation by ricardocruz.es.

Copied here with more details, including screenshots. The procedure is 99% the same; only one openssl command has been modified, because startssl.com no longer accepts CSRs signed with MD5.

Visit original thread for latest update.

Create an account from startssl.com and setup domain validation

  1. Use Firefox to navigate to www.startssl.com
  2. Click ‘Sign up for free’

  3. Fill in the sign-up form with real information; your certificate will be revoked if the data you provided turns out to be fake.

  4. A verification email will be sent to your email address; read it and enter the verification code.
  5. A client certificate will be installed in Firefox; it is what authenticates you to your account from now on.
  6. Back up that certificate from Firefox: click the ‘Tools’ menu / ‘Options’ / ‘Advanced’ / ‘Encryption’ / ‘View Certificates’

  7. Click ‘Your Certificates’, select the certificate issued by startssl.com and click the ‘Backup’ button, then save the certificate somewhere safe. This step is very important: the backup is a PKCS#12 file that contains the private key for your account, so protect it with a strong password and keep it where nobody else can read it. If you lose the certificate, you lose the account.

  8. Once account creation is complete, restart Firefox and navigate to startssl.com again.
  9. Click ‘Control Panel’
  10. Click ‘Authenticate’; a pop-up window appears, click ‘OK’. You will be redirected back to the control panel.

  11. Click ‘Validation wizard’, select the ‘Domain name validation’ type and click the ‘Continue’ button.

  12. Enter your domain name and click the ‘Continue’ button.

  13. A list of possible email addresses associated with your domain is shown. Select an email address to use for verifying domain ownership and click the ‘Continue’ button. (Anybody who can read that mailbox can obtain certificates for your domain, so it should not be a shared or forwarding address.)

  14. Log in to that mailbox, grab the verification code and enter it on the verification page.

Generate private key and certificate submit request with DiskStation

Now that we have a working startssl.com account, we continue the setup on the DS207+. Before starting, pick a private Samba share to hold the private key and certificate generated on the DiskStation; an unencrypted copy of the key will live there, so the share must be readable only by the administrator. In this example a share named ‘private’ is used and its path is /volume1/private.

SSH to the DiskStation as root and run the commands below

  1. cd /usr/syno/
  2. mkdir ssl
  3. cd ssl
  4. wget http://123adm.free.fr/home/pages/documents/syno-cert_fichiers/openssl.cnf

    This supplies the openssl.cnf that the openssl req command below needs. It is fetched over plain HTTP from a third-party site, so open it and check that it is nothing more than an ordinary OpenSSL configuration before you go on.

  5. mkdir /volume1/private/ssl
  6. cd /volume1/private/ssl
  7. openssl genrsa -des3 -out ssl.key 2048

    A passphrase is asked for; make sure you remember it. The private key ssl.key is written to /volume1/private/ssl.

  8. openssl rsa -in ssl.key -out ssl.nopp.key

    This writes a copy of the key without the passphrase; that copy is the one imported into the DiskStation later. Anyone who can read ssl.nopp.key can impersonate your DiskStation, so keep the share private and restrict the file so that only root can read it.

  9. openssl req -sha1 -nodes -new -key ssl.key -out ssl.csr

    This is the command changed from the forum original: -sha1 replaces MD5 as the CSR signature hash. (-nodes only affects key generation and has no effect here because the key already exists; -sha256 is also accepted by current CAs and is the better choice today.)

    $ Enter pass phrase for ssl.key: (Input the same passphrase here)
    $ Country Name (2 letter code) [AU]: (Input the two-letter country code)
    $ State or Province Name (full name) [Some-State]: (Input State or Province name)
    $ Locality Name (eg, city) []: (Input City)
    $ Organization Name (eg, company) : (Input The name of your company)
    $ Organizational Unit Name (eg, section) []: (Input unit name)
    $ Common Name (eg, YOUR name) []: (Input the domain name of your DiskStation, e.g. ds207p.mydomain.com; this must match the name browsers will use)
    $ Email Address []: (your email address)
    $ Please enter the following ‘extra’ attributes to be sent with your certificate request
    $ A challenge password []: (Just press enter)
    $ An optional company name []: (Just press enter)

The file ssl.csr is now generated and the DiskStation side is done for the moment. Go back to Firefox and log in to startssl.com.
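The key and CSR steps above can also be run non-interactively, and the CSR is worth checking before it is pasted into the CA's form. The script below is an added example, not part of the original post or of Synology's tooling: it mirrors the post's three openssl commands (with -aes256 in place of -des3 and -sha256 in place of -sha1, both accepted by current CAs), supplies the subject with -subj, writes a minimal openssl.cnf on the spot instead of downloading one, and then verifies that the CSR's self-signature is valid, that it belongs to the generated key, that its CN is the intended hostname and that the passphrase-less copy really is unencrypted. The working directory, hostname and passphrase are placeholders; on the DiskStation the directory would be /volume1/private/ssl.

```sh
#!/bin/sh
# Added example (not from the original post): generate the key, the
# passphrase-less copy and the CSR non-interactively, then check the CSR
# before submitting it. WORKDIR, the CN and the passphrase are placeholders.
set -eu
umask 077   # every file created below is readable by its owner only

# Minimal openssl.cnf: with -subj, `openssl req` only needs the
# distinguished_name section to exist (stands in for the downloaded file).
write_min_cnf() {
    printf '[ req ]\ndistinguished_name = req_dn\nprompt = no\n[ req_dn ]\nCN = placeholder\n' > "$1"
}

# gen_key_and_csr DIR CN PASSPHRASE
gen_key_and_csr() {
    dir=$1 cn=$2 pass=$3
    write_min_cnf "$dir/openssl.cnf"
    # Encrypted key (post: genrsa -des3); -passout avoids the interactive prompt
    openssl genrsa -aes256 -passout "pass:$pass" -out "$dir/ssl.key" 2048 2>/dev/null
    # Passphrase-less copy for the DSM importer (post: openssl rsa -in ... -out ssl.nopp.key)
    openssl rsa -in "$dir/ssl.key" -passin "pass:$pass" -out "$dir/ssl.nopp.key" 2>/dev/null
    # CSR signed with SHA-256 (post: -sha1); subject given on the command line
    openssl req -new -sha256 -config "$dir/openssl.cnf" \
        -key "$dir/ssl.key" -passin "pass:$pass" \
        -subj "/C=AU/ST=Some-State/L=Sydney/O=Example/CN=$cn" \
        -out "$dir/ssl.csr" 2>/dev/null
}

# --- checks to run before pasting the CSR into the CA's form ---

# A PEM private key carries an ENCRYPTED marker in both legacy and PKCS#8 form
key_is_encrypted() { grep -q ENCRYPTED "$1"; }

# The CSR parses and its self-signature verifies (exit status differs between
# OpenSSL versions, so match the text instead)
csr_ok() { openssl req -in "$1" -noout -verify 2>&1 | grep -q 'verify OK'; }

# Key and CSR share the same RSA modulus, i.e. the CSR was made from this key
key_matches_csr() {
    k=$(openssl rsa -in "$1" -noout -modulus)
    c=$(openssl req -in "$2" -noout -modulus)
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# Common Name as the CA will see it (handles "CN = x" and "/CN=x" subject styles)
csr_cn() { openssl req -in "$1" -noout -subject | sed -n 's/.*CN *= *\([^,/]*\).*/\1/p'; }

# Signature hash the CA will accept or reject
csr_uses_sha256() { openssl req -in "$1" -noout -text | grep -q 'sha256WithRSAEncryption'; }

# Demo run in a throwaway directory
WORKDIR=$(mktemp -d)
gen_key_and_csr "$WORKDIR" "ds207p.mydomain.com" "correct horse battery staple"
key_is_encrypted "$WORKDIR/ssl.key"        && echo "ssl.key is passphrase-protected"
! key_is_encrypted "$WORKDIR/ssl.nopp.key" && echo "ssl.nopp.key is unencrypted: keep it in a private share"
csr_ok "$WORKDIR/ssl.csr"                  && echo "CSR self-signature verifies"
key_matches_csr "$WORKDIR/ssl.nopp.key" "$WORKDIR/ssl.csr" && echo "CSR matches the key"
echo "CN in CSR: $(csr_cn "$WORKDIR/ssl.csr")"
csr_uses_sha256 "$WORKDIR/ssl.csr"         && echo "CSR is signed with SHA-256"
```

The modulus comparison is the check that catches the classic mistake of pasting a CSR made from a different key than the one later imported: if ssl.nopp.key and ssl.csr disagree, the certificate the CA returns will never load against that key.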

Create certificate for diskstation from startssl.com

  1. Log in to startssl.com using Firefox.
  2. Make sure domain validation has been completed before continuing.
  3. Click ‘Certificates Wizard’
  4. For Certificate Target, select ‘Web Server SSL/TLS Certificate’ and click the ‘Continue’ button.

  5. In the ‘Generate Private Key’ screen, just click the ‘Skip’ button: the key was generated on the DiskStation and never needs to leave it.

  6. In the ‘Submit Certificate Request (CSR)’ screen, open the ssl.csr file in Notepad, copy and paste its contents into the textbox, then click the ‘Continue’ button again.

  7. In the ‘Certificate Request Received’ screen, just click the ‘Continue’ button.
  8. In the ‘Add Domain’ screen, enter the subdomain assigned to your DiskStation; for example, for ds207p.mydomain.com enter ds207p here. Click the ‘Continue’ button for the next screen.
  9. In the ‘Ready Processing Certificate’ screen, click ‘Continue’ again.
  10. In the ‘Save Certificate’ screen, copy the content shown in the textbox, paste it into Notepad and save it as ssl.crt. Save it to the private share we picked earlier.
  11. Also save the intermediate (sub.class1.server.ca.pem) and root CA certificates (ca.pem) to the private share. (Just highlight the link, right-click and select ‘Save Hyperlink As’.)
  12. Once the 3 files are saved, click the ‘Finish’ button.

Setup Apache and Import the certificate to Diskstation

Now that the startssl.com side is done, we go back to the DiskStation and finish the setup.

  1. Open a browser and log in to the Synology Station Manager with your admin account.
  2. Go to ‘Management’ / ‘Network Services’ / ‘Web Services’

  3. Tick the option ‘Enable HTTPS connection’.

  4. Click the ‘Import Certificate’ button.
  5. For ‘Private Key:’, select ssl.nopp.key (the passphrase-less copy) from the private share. For ‘Certificate’, select the ssl.crt file. Click the ‘OK’ button.

Done! The DiskStation now serves HTTPS with your own valid, free certificate, and browsers that trust the StartSSL root no longer warn when you connect. Once the import has succeeded, consider moving ssl.nopp.key off the file share: an unencrypted private key should not sit in a share any longer than necessary.

Backward support for legacy browsers and mobile phones

In order to support some legacy browsers or mobile phones, we need to add the root and intermediate CA certificates to the DiskStation manually, so that Apache sends the intermediate along with the server certificate. A client that knows only the StartSSL root cannot build a chain to ssl.crt unless the server hands it the intermediate, and it shows a warning. If all the browsers in your organization already recognize startssl.com as a valid Certificate Authority, you might skip this section, but serving the full chain is cheap and is the correct configuration regardless.

(Note: if you are going to install the Synopass server package, the procedure below is mandatory.)

  1. SSH to the DiskStation as root
  2. cd /volume1/private/ssl
  3. mkdir /usr/syno/etc/ssl/ssl.root
  4. cp ca.pem /usr/syno/etc/ssl/ssl.root/

    cp sub.class1.server.ca.pem /usr/syno/etc/ssl/ssl.root
  5. chown root:root /usr/syno/etc/ssl/ssl.root/*.pem

    chmod 400 /usr/syno/etc/ssl/ssl.root/*.pem
  6. vi /usr/syno/apache/conf/extra/httpd-ssl.conf-user

    Look for the line below

    #SSLCertificateChainFile /usr/syno/apache/conf/server-ca.crt

    Insert the line below after it (leave the commented original in place)

    SSLCertificateChainFile /usr/syno/etc/ssl/ssl.root/sub.class1.server.ca.pem

    Look for another line below

    #SSLCACertificateFile /usr/syno/apache/conf/ssl.crt/ca-bundle.crt

    Insert the line below after it

    SSLCACertificateFile /usr/syno/etc/ssl/ssl.root/ca.pem

    SSLCertificateChainFile is the directive that actually matters here: it makes Apache send the intermediate to every client. SSLCACertificateFile is what Apache uses to verify client certificates, so pointing it at the root is harmless but is not what removes the browser warnings.

  7. Save the file.
  8. Repeat the same steps for the file /usr/syno/apache/conf/extra/httpd-ssl.conf-sys
  9. Restart the apache as below

    # /usr/syno/etc/rc.d/S97apache-user.sh restart

    # /usr/syno/etc/rc.d/S97apache-sys.sh restart



Done. Now I can visit my DS over https without any browser warnings!
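Why the chain file matters can be shown offline, and the same checks apply to the real ca.pem, sub.class1.server.ca.pem and ssl.crt before they are wired into Apache. The script below is an added example, not part of the original post or of Synology's tooling: it builds a throwaway root CA, intermediate CA and server certificate (standing in for ca.pem, sub.class1.server.ca.pem and ssl.crt), then shows that a client holding only the root cannot validate the server certificate unless the intermediate is presented alongside it, which is exactly what SSLCertificateChainFile makes Apache do. It also checks that the server certificate really was issued by the intermediate you are about to configure. All names and paths are placeholders.

```sh
#!/bin/sh
# Added example (not from the original post): a toy root -> intermediate -> server
# chain that shows why Apache must serve the intermediate. All names are placeholders.
set -eu
umask 077

# Minimal config so `openssl req` runs without the system openssl.cnf
min_cnf() { printf '[ req ]\ndistinguished_name = dn\nprompt = no\n[ dn ]\nCN = placeholder\n' > "$1"; }

# build_chain DIR: writes root.crt, sub.crt (intermediate) and server.crt
build_chain() {
    d=$1
    min_cnf "$d/openssl.cnf"
    for n in root sub server; do openssl genrsa -out "$d/$n.key" 2048 2>/dev/null; done

    # Self-signed root (plays the part of ca.pem)
    openssl req -x509 -new -sha256 -days 30 -config "$d/openssl.cnf" \
        -key "$d/root.key" -subj "/O=Example CA/CN=Example Root CA" -out "$d/root.crt" 2>/dev/null

    # Intermediate signed by the root (plays the part of sub.class1.server.ca.pem).
    # CA:TRUE and keyCertSign are required, or verification rejects it as an issuer.
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$d/ca.ext"
    openssl req -new -sha256 -config "$d/openssl.cnf" -key "$d/sub.key" \
        -subj "/O=Example CA/CN=Example Class 1 Server CA" -out "$d/sub.csr" 2>/dev/null
    openssl x509 -req -sha256 -days 30 -in "$d/sub.csr" -CA "$d/root.crt" -CAkey "$d/root.key" \
        -CAcreateserial -extfile "$d/ca.ext" -out "$d/sub.crt" 2>/dev/null

    # Server certificate signed by the intermediate (plays the part of ssl.crt)
    printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:ds207p.mydomain.com\n' > "$d/srv.ext"
    openssl req -new -sha256 -config "$d/openssl.cnf" -key "$d/server.key" \
        -subj "/CN=ds207p.mydomain.com" -out "$d/server.csr" 2>/dev/null
    openssl x509 -req -sha256 -days 30 -in "$d/server.csr" -CA "$d/sub.crt" -CAkey "$d/sub.key" \
        -CAcreateserial -extfile "$d/srv.ext" -out "$d/server.crt" 2>/dev/null
}

# verify_with_root_only ROOT LEAF: what a client that trusts the root but was
# never handed the intermediate can do (no -untrusted)
verify_with_root_only() { openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; }

# verify_with_chain ROOT INTERMEDIATE LEAF: the same client once the server
# sends the intermediate (Apache's SSLCertificateChainFile)
verify_with_chain() { openssl verify -CAfile "$1" -untrusted "$2" "$3" >/dev/null 2>&1; }

# issued_by LEAF CA: the leaf's issuer DN equals the CA's subject DN, i.e.
# this really is the intermediate to put in the chain file
issued_by() {
    i=$(openssl x509 -in "$1" -noout -issuer  | sed 's/^issuer=//')
    s=$(openssl x509 -in "$2" -noout -subject | sed 's/^subject=//')
    [ -n "$i" ] && [ "$i" = "$s" ]
}

D=$(mktemp -d)
build_chain "$D"
if verify_with_root_only "$D/root.crt" "$D/server.crt"; then
    echo "unexpected: server.crt verified without the intermediate"
else
    echo "root alone cannot verify server.crt (what a client sees when the chain file is missing)"
fi
verify_with_chain "$D/root.crt" "$D/sub.crt" "$D/server.crt" && echo "root + intermediate verifies server.crt"
issued_by "$D/server.crt" "$D/sub.crt" && echo "server.crt was issued by sub.crt"
```

Against the real files the equivalent one-liner is `openssl verify -CAfile ca.pem -untrusted sub.class1.server.ca.pem ssl.crt`; if that does not print OK, the intermediate you saved is not the one that signed your certificate and the chain file will not help.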





3 thoughts


  1. Hi there, thanks for your thorough step by step on this as it’s exactly what I wanted.
    My problem is that I do not have a valid domain as I was planning on using the new Synology DDNS subdomain. Can adding an SSL to my diskstation still be done whilst using that subdomain? startssl won’t accept subdomain validations

    thanks!

  2. Hi, I need urgent help. Is StartSSL OK to use for commercial purposes? Will it be configured on the domain provider or the hosting provider? I am using crazy domain hosting and their customer care sucks... I am running from pillar to post for the installation... Can I do it directly? If yes, how do I log in to my server?

    • 1. I’m not sure if StartSSL allows commercial use of their free cert; please check with their customer support.
      2. I’m pretty sure the free cert from StartSSL can be deployed at your hosting provider. In case you are using shared hosting, you will probably need to ask the helpdesk for help and have them deploy the cert for you. Again, check with the CS of your hosting provider.
      3. If you are not comfortable with your existing provider, you may consider switching.
