Provisioning custom SSL CA and Server Certificate to Synology Diskstation
Why
Why bother to begin with?
Browsers don’t’ like self-signed certificates, and it’s a pain to trust each certificate on each system. In addition, some browsers are stubborn enough to keep always asking for security exceptions. More in-depth pros and cons are described here: Creating Self-Signed Certificate Authority to issue SSL certificates using Certificate Assistant on macOS
Why not use a commercial certificate?
Money.
Why not use LetsEncrypt?
Using LE requires one of the following to happen:
- Hosting a webserver to the world to facilitate renewals: securing, monitoring, and patching it is not something I’m looking forward to.
- Using Synology DDNS which performs DNS-based validation for LE: I’d like to use my domain instead.
- DNS-based validation: LE supports DNS validation for several providers that support API to manipulate TXT records. My DNS provider, Google Domains, is not one of them. At this time I’m not looking forward to moving away from Google Domains for various reasons.
But more importantly, LetsEncrypt can only work for FQDN that LE can verify. It will not work for LAN IP address, or hostname, or local DNS name, making it a complete no-go.
Configuration
Prerequisites
Follow the guide to create a CA and issue a new SSL Server certificate to be used on your Diskstation if you don’t have one. Make sure to specify all possible FQDNs your Diskstation could be reached at: such as synobox.local, synobox.synology.me, synobox.yourdomain.com, etc
Export the following items from your keychain:
- Your CA Certificate:
ca.pem
- SSL Server Certificate:
server.pem
- SSL Server Private key:
server.p12
If you exported certificates in .cer
format, use openssl
to convert those to plaintext .pem
:
openssl x509 -inform der -in certificate.cer -out certificate.pem
While at it, extract the private key into a plaintext file as well:
openssl pkcs12 -in server.p12 -nodes -out server.key -nocerts
TLDR
These two points were not obvious to me:
- Specify your CA certificate in place of “Intermediate Certificate” when importing server SSL certificate. There is no (supported) way to import CA alone.
- After assigning a new server certificate to the VPN Server package you will need to provide your clients with updated certificates. The easiest way would be to export the OpenVPN configuration again and merge your changes or just replace the entire certificate chain in the existing .ovpn file with your CA certificate.
Import certificates to DSM
- Go to
Control Panel
,Security
,Certificate
- Click
Add
and selectAdd a new certificate
- Write a description in the box above. It’s very handy and you cannot add it later; this is the only chance.
- Select
Import certificate
and clickNext
server.key
goes to thePrivate Key
fieldserver.pem
goes to theCertificate
fieldca.pem
goes to theIntermediate Certificate
field
Reconfigure services
Click Configure
and select the new certificate for your services.
If you change the certificate for OpenVPN Server you also need to re-deploy the client .ovpn
files. You can export a new set and add your changes on top, or easier would be to just replace the certificates located in the .ovpn
file with the single CA certificate enclosed in <ca>/</ca>
tags.
You may also find useful this Handy guide for OpenVPN configuration for Split Tunnel mode on Synology Diskstation.