Posted on by Mac User

How to re-key a SSL for a Synology NAS

Here’s a detailed step-by-step guide on how to install a GoDaddy SSL certificate on your Synology NAS, but it can be for any domain provider.

Before you start please make sure you have a compatible Synology model with DSM and that you have already purchased the SSL certificate from your domain provider. This is critical with the correct DSM it won’t work.

✅ Pre-requisites

Before you begin, ensure the following are in place:

  • You own a domain name and have control of its DNS settings. 
  • Your Synology NAS has an FQDN (for example nas.yourdomain.com) and optionally port-forwarding / DDNS is configured (if you’ll access it externally). 
  • You have administrative access to DSM (the Synology DiskStation Manager interface).
  • On your domain site you have purchased an SSL certificate and are ready to provide a CSR (Certificate Signing Request) from your Synology.
  • You are prepared to download the certificate files from your domain provider (certificate + intermediate) and have them ready for import.

Step 1 — Generate a Certificate Signing Request (CSR) on the Synology
Log into DSM as an admin.
Go to Control Panel → Security → Certificate → Settings → Advanced.
Choose Create certificate signing request (CSR).

Complete the form as follows:

FieldValue
Private Key Length2048
Common NameDOMAIN NAME
Emailsupport@your Domain
Country/LocationYour Location
State/ProvinceYour address
CityYour address
OrganizationYour address
Departmentcan be anything
  1. Click Next → DSM generates a CSR and a private key (stored locally).
  2. Copy or export the CSR (text beginning with —–BEGIN CERTIFICATE REQUEST—–).
  3. Save and keep the .key file as this is need later.

Step 2 — Re-Key the Certificate in Your domain Provider (Go Daddy, 123 reg etc)

  1. Log into your Domain Account → My Products → SSL Certificates.
  2. Locate your domain (e.g. yourdomain.co.uk) → click Manage → Re-Key your certificate.
  1. Paste the CSR text generated by the Synology into the CSR field.
  2. Submit the re-key request.
  3. Wait for your domain to issue the new certificate (typically a few minutes).

Step 3 — Download the Certificate Files

  1. Once the certificate shows as Issued, click Download.
  2. For Server Type, select Apache. (IMPORTANT)
  3. Download and extract the ZIP file.
    You’ll receive:
  4. your_domain_co_uk.crt (Certificate, it may also provide the same certificate in a PEM format)
  5. gd_bundle-g2-g1.crt (Intermediate certificates)
    • The first file is your certificate
    • The second is the intermediate CA bundle

Step 4 — Import Certificate into Synology

  1. In DSM: Control Panel → Security → Certificate
  2. Click Add  → Add a new certificate or Replace an existing certificate
    • Private Key:  Synology’s server.key file.
    • Certificate: YOUR DOMAIN PROVIDER .crt or  .pem certificate
    • Intermediate certificate: your domain provider .crt (Similar name to sf_bundle-g2.crt or gd_bundle-g2.crt)
  3. Click OK to import successfully.

Step 5 — Assign the Certificate

  1. Click Configure in the Certificate window.
  2. Assign the newly imported certificate to:
    • DSM (management interface)
    • File Station / WebDAV
    • MailPlus / Reverse Proxy / Other web services
  3. Apply changes.

Step 6 — Verify Installation

  1. Access the NAS via its public URL (e.g. https://files.brakesphotos.co.uk).
  2. Confirm:
    • 🔒 The browser shows a valid padlock.
    • ✅ Certificate is issued by your domain provider / Starfield SHA-2.
    • 🧩 Intermediate chain shows as complete.
  3. Optionally test using:
  4. https://www.ssllabs.com/ssltest/ (your SSL link this one is Go Daddy but it could be anything)

Enter your NAS domain and verify grade A or better.

Troubleshooting

SymptomLikely CauseFix
Invalid private keyCSR not created on same deviceRecreate CSR on the NAS and re-key certificate
Certificate chain incompleteMissing intermediate CARe-import gd_bundle-g2-g1.crt
Still shows old certificateNew cert not assigned to DSMGo to Configure and assign manually
Browser shows not secureDNS mismatch or cached SSLVerify domain name and clear browser cache

Verification & Maintenance

  • Check expiry date in DSM → Security → Certificate.
  • Renew or re-key via GoDaddy at least 30 days before expiry.
  • Document the certificate’s validity period in the internal SSL tracker.

Helpful sites:

Go Daddy Help page for SSL

123 Reg Help page for SSL

Ionos Help Page for SSL