I recently made an addition to my setup in the form of a Synology DS716+ii NAS – I’ll probably write some more posts about it in the near future but for now I want to cover how I replaced the default SSL/TLS certificate it uses with one issued by my pfSense system. My home computer and any other device that I use has the pfSense certificate authority added to the trusted certificate authority (CA) list, which means any certificate issued by it will be trusted by my systems. This is really handy and helps me get away from all those annoying alerts that self-signed certificates generate. I could of course add each of those individual certs to my trusted list but I much prefer to have a certificate authority that I can trust once and manage issuance from.
Having connected to my Synology NAS I opened the ‘Control Panel’ applet and browsed to the ‘Security’ menu. There is a default certificate which the device will create itself; we can see that it is a self-signed certificate by clicking the down arrow.
Now you could of course just ignore the certificate alerts, or perhaps you don’t connect to your NAS over an HTTPS connection, but considering I spend a lot of time shouting at work to ‘HTTPS all the things’ and have a general hate for certificate alerts this isn’t an option. The first thing to do is create a new certificate and import it to the NAS. You could generate a certificate signing request (CSR) on the NAS and then submit that to a CA. In this instance I’m actually going to create the certificate on my pfSense appliance, export the certificate, its private key and the root certificate, and then import those into the NAS.
The certificate manager menu on pfSense can be found as below –
The first thing to do is export out the pfSense CA certificate as we will need this as part of the chain for the Synology import. Clicking the icon indicated in the screenshot below will prompt you to save the file.
Next we will create a new certificate which can then be exported. The ‘Certificates’ menu as the name suggests is the place to go, then it’s a case of populating the various fields. If you are uncertain just mirror my settings and amend the common and alternative names to reflect your own.
Once we have saved this certificate it’s time to export it and the private key.
Now that we have the root certificate and our newly generated one (along with the private key) it’s time to jump onto the Synology NAS and import them all.
Now it’s time to select the exported files.
All being well we should have a new certificate in the list.
Finally we need to tell the NAS to use our newly imported certificate – the ‘Configure’ button will open a new menu and we can use the drop down menus to select our imported certificate.
Once we click ‘OK’ the NAS will restart the various services necessary and a reload of the browser window should result in that wonderful green text that we all love so dearly.
There are many ways to achieve the above as is usually the case – this just happens to be how I chose to carry out the work tonight.
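A check worth running on the three exported files before the import step above, as an added example that is not part of the original post: it confirms that the certificate chains to the exported CA, that the private key belongs to the certificate, and that its names cover the hostname used to reach the NAS. The function names, file names and `nas.home.example` are assumptions, and the demo files come from a throwaway CA constructed on the spot, not from pfSense.

```bash
#!/usr/bin/env bash
# Added example: check the three pfSense exports before importing them into the NAS.

# check_nas_bundle CA_CERT SERVER_CERT PRIVATE_KEY HOSTNAME
# Returns 0 only if the certificate chains to the CA, the private key belongs
# to the certificate, and the certificate covers the name used to reach the NAS.
check_nas_bundle() {
    local ca="$1" crt="$2" key="$3" host="$4" crt_pub key_pub
    # 1. The server certificate must verify against the exported CA certificate.
    openssl verify -CAfile "$ca" "$crt" >/dev/null 2>&1 || { echo "chain: FAIL"; return 1; }
    # 2. The key must match the certificate: both must yield the same public key.
    crt_pub=$(openssl x509 -in "$crt" -noout -pubkey 2>/dev/null)
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null)
    [ -n "$crt_pub" ] && [ "$crt_pub" = "$key_pub" ] || { echo "key: MISMATCH"; return 1; }
    # 3. The common/alternative names must cover the hostname typed in the browser.
    openssl x509 -in "$crt" -noout -checkhost "$host" 2>/dev/null | grep -q "does match" ||
        { echo "host: NOT COVERED"; return 1; }
    echo "chain: OK, key: OK, host: OK"
}

# make_demo_bundle DIR HOSTNAME
# Builds constructed sample input: a throwaway CA standing in for the pfSense CA
# and a server certificate for HOSTNAME, written as ca.crt, nas.crt and nas.key.
make_demo_bundle() {
    local d="$1" host="$2"
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Constructed Test CA" \
        -keyout "$d/ca.key" -out "$d/ca.crt" 2>/dev/null || return 1
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$host" \
        -keyout "$d/nas.key" -out "$d/nas.csr" 2>/dev/null || return 1
    printf 'subjectAltName=DNS:%s\n' "$host" > "$d/san.ext"
    openssl x509 -req -in "$d/nas.csr" -CA "$d/ca.crt" -CAkey "$d/ca.key" \
        -CAcreateserial -extfile "$d/san.ext" -days 1 -out "$d/nas.crt" 2>/dev/null
}

# Demo on the constructed files; for real use pass the files saved from pfSense.
demo=$(mktemp -d)
make_demo_bundle "$demo" nas.home.example &&
    check_nas_bundle "$demo/ca.crt" "$demo/nas.crt" "$demo/nas.key" nas.home.example
rm -rf "$demo"
```

A non-zero return with `key: MISMATCH` or `host: NOT COVERED` means the wrong key file was exported or the names need amending before the certificate is worth importing.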