Synology usage series 24 – Adding free and valid SSL certificate to diskstation with

Renew account certificate and web server certificate

Last Update Jan 12 2014

The free Class 1 SSL certificate expires every year, so the procedure below is a yearly task unless you want to discard the SSL certificate.

To log in to the control panel, the browser needs to have the certificate installed.

Firefox – import certificate

Click Tools > Options. A popup will be shown. Click ‘Advanced‘ tab, then click ‘Certificates‘ tab.

Click ‘View Certificates‘ button, the certificates manager window will be shown.

Click Import button. A file picker will be shown.

Select the p12 file you downloaded from startssl a year ago. Then input the associated password of the p12 certificate.

If password is correct, the success message will be shown.

Renew browser certificate and web server certificate

Open a browser and navigate to Click Authenticate button.

The control panel page will be shown. From the right side menu, click the ‘+‘ icon next to Email Validations.

Check if the email associated with your ssl domain is listed. If not listed, click the Validations Wizard tab.

In the Type list box, select ‘Email Address Validation‘. Then click ‘Continue‘ button.

Input your email address then click Continue button again.

Check your email and grab the validation code. Copy and paste the validation code back into the validation page.

From the right side menu, click the ‘+’ icon next to Domain Validations.

Check if the domain associated with your ssl domain is listed. If not listed, click the Validations Wizard tab.

In the Type list box, select ‘Domain Name Validation‘.

Input your domain name and then click the Continue button.

Pick one of the valid email addresses, then click the Continue button.

Check your mailbox of the picked email address, copy and paste the validation code back to the validation page.

Once the email and domain are verified, you can go ahead and renew the certificates.

Click the ‘Certificates Wizard‘, select S/MIME Authentication Certificate. Click Continue button.

Select ‘High Grade‘ then click Continue button.

Follow the wizard to download the new p12 certificate for your browser.

To import the new p12 certificate, repeat the earlier section to import the certificate into your browser.

To renew web server certificate, click the ‘Certificates Wizard‘, select Web Server SSL/TLS Certificate. Click Continue button.

Click ‘Skip‘ button.

Now SSH/telnet to the DiskStation on which the new certificate will be installed.

To generate a CSR, input the command below. You will need the ssl.key generated a year ago. If you lost it or forgot the passphrase of the private key, generate a new one (the procedure is the same as in the initial setup, see page 1).

openssl req -sha1 -nodes -new -key ssl.key -out ssl.csr

$ Enter pass phrase for ssl.key: (Input the same passphrase here)
$ Country Name (2 letter code) [AU]: (Input prefix of the country)
$ State or Province Name (full name) [Some-State]: (Input State or Province name)
$ Locality Name (eg, city) []: (Input City)
$ Organization Name (eg, company) : (Input The name of your company)
$ Organizational Unit Name (eg, section) []: (Input unit name)
$ Common Name (eg, YOUR name) []: (Input the domain name of your diskstation, i.e.
$ Email Address []: (your email address)
$ Please enter the following ‘extra’ attributes to be sent with your certificate request
$ A challenge password []: (Just press enter)
$ An optional company name []: (Just press enter)

Now the file ssl.csr is generated.

Copy and paste the content of the ssl.csr into the big text area of the form.

Click Continue button.

Click Continue button.

Select the domain that you validated in earlier section. Click Continue button.

Input your preferred sub-domain, then click the Continue button.

Review the information, click Continue button to confirm.

Now wait for startssl verification email.

Once you have received the verification complete email, go back to the StartSSL control panel; a new certificate should be shown.

To download the new certificate, click Tool Box tab. Then click Retrieve Certificate hyperlink.

In the certificate listbox, a new certificate with a new expiry date (one year later) will be shown.

Select the new SSL/TLS certificate and then click Continue button.

Copy the content of the textbox and paste to ssl.crt.

Install the new certificate to DS web server

Log in to the DS console as admin. Go to Control Panel > Network Services > Web Services.

Click HTTP Service, then click certificate.

As shown in the Certificate window, the certificate is about to expire.

Click Import Certificate button. A popup will be shown.

For private Key, click Browse button and select ssl.nopp.key (not ssl.key).

For Certificate, click Browse button and select the new ssl.crt that we just created.

Click OK button.

Reload the Certificate page; the certificate should be renewed with the new expiry date.
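
Before the import step above, it is worth confirming on the DiskStation that the downloaded ssl.crt was issued for the key you are about to upload and that it carries the new expiry date. The script below is an added example, not part of the original post: it compares public-key fingerprints of key, CSR and certificate and checks the remaining validity with openssl. The sample files are constructed (throwaway keys, a self-signed stand-in for the CA-issued ssl.crt, a placeholder hostname), and the sample CSR is signed with -sha256 where the post's command uses -sha1.

```shell
#!/bin/sh
# Added example: verify the renewal files before importing them into DSM.

# SHA-256 fingerprint of the public key inside a key, CSR or certificate.
pubkey_fp() {  # $1 = key|csr|crt, $2 = PEM file
    case "$1" in
        key) pem=$(openssl pkey -in "$2" -pubout 2>/dev/null) ;;
        csr) pem=$(openssl req -in "$2" -noout -pubkey 2>/dev/null) ;;
        crt) pem=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) ;;
        *)   return 2 ;;
    esac
    [ -n "$pem" ] || return 1
    printf '%s\n' "$pem" | openssl dgst -sha256 | awk '{print $NF}'
}

# Succeeds only if the certificate was issued for this private key and
# still has at least $3 days of validity left.
check_renewal() {  # $1 = private key, $2 = certificate, $3 = minimum days
    key_fp=$(pubkey_fp key "$1") || { echo "UNREADABLE: $1"; return 1; }
    crt_fp=$(pubkey_fp crt "$2") || { echo "UNREADABLE: $2"; return 1; }
    [ "$key_fp" = "$crt_fp" ] || { echo "MISMATCH: $2 does not belong to $1"; return 1; }
    openssl x509 -in "$2" -noout -checkend "$(( $3 * 86400 ))" >/dev/null ||
        { echo "EXPIRING: $2 has fewer than $3 days left"; return 1; }
    echo "OK: $2 matches $1 ($(openssl x509 -in "$2" -noout -enddate))"
}

# Constructed sample data: throwaway keys, and a self-signed certificate
# standing in for the ssl.crt downloaded from the CA (assumed subject name).
work=$(mktemp -d)
openssl genrsa -out "$work/ssl.nopp.key" 2048 2>/dev/null
openssl genrsa -out "$work/stale.key" 2048 2>/dev/null
openssl req -new -sha256 -key "$work/ssl.nopp.key" \
    -subj "/CN=diskstation.example.test" -out "$work/ssl.csr"
openssl x509 -req -in "$work/ssl.csr" -signkey "$work/ssl.nopp.key" \
    -days 365 -out "$work/ssl.crt" 2>/dev/null

check_renewal "$work/ssl.nopp.key" "$work/ssl.crt" 30   # matching pair
check_renewal "$work/stale.key"    "$work/ssl.crt" 30   # key regenerated since the CSR
check_renewal "$work/ssl.nopp.key" "$work/ssl.crt" 400  # asks for more than 365 days
```

On real files, run `check_renewal ssl.nopp.key ssl.crt 30` from the directory that holds them. A MISMATCH result means the certificate was issued for a CSR made from a different key than the one being imported.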

3 thoughts

  1. Hi there, thanks for your thorough step by step on this as it’s exactly what I wanted.
    My problem is that I do not have a valid domain as I was planning on using the new Synology DDNS subdomain. Can adding an SSL to my diskstation still be done whilst using that subdomain? startssl won’t accept subdomain validations


  2. Hi, I need urgent help, is start SSL ok to use for commercial purpose…will it be configured on domain provider or Hosting provider… I am using crazy domain hosting and their customer care sucks….I am running from pillar to post for the installation… can I directly do it ..if yes do I login to my server

    • 1. I’m not sure if StartSSL allows commercial use of their free cert, please check with their customer support.
      2. Pretty sure the free cert from StartSSL can deploy to your hosting provider. In case you are using shared hosting, you probably need to ask for help from the helpdesk and have them deploy the cert for you. Again, check with the CS of your hosting provider.
      3. If you are not comfortable with your existing provider you may consider switching one.
