Secure your Synology NAS, install a SSL certificate

I've been using the default setup on my Synology DS4 with HTTPS enabled for a while now, but knew it really wasn't all that secure without a proper SSL certificate, and creating a self-signed certificate isn't all that much better and can be easily forged. I decided it was about time I used a real certificate to better secure the NAS.

Prerequisites before starting

You need to own a domain name, for example MikeTabor.com, and be able to receive email from the domain name. If you don't already have a webhost for the domain, I'd suggest BlueHost. You also need a DDNS service set up. In this case and for my use, I simply use the DDNS service Synology offers for free. With those two set up, you will also want to add a CNAME DNS forward from your domain (or subdomain, if you wish to go that route) to your DDNS service. Finally, you'll want to make sure port forwarding has been configured on your router.

Getting Started

For me, I'll be using a subdomain attached to my domain name, for example subdomain. I also purchased the SSL certificate from NameCheap (Comodo PositiveSSL) for just 9.

Note: I'll be using a Synology DS4 with DSM 5.0u1.

Log into your Synology and navigate to Control Panel > Security > Certificate and click on Create Certificate. Select Create certificate signing request (CSR) and click Next. Now fill out your request form with your information.

Private Key Length: 2
Common Name: Enter your domain name; in my case I'm using a subdomain, so I enter subdomain.
Email: Enter your email address.

As will be shown soon, I noticed when I was going to confirm my email address that I couldn't use any email address from the domain via NameCheap, as they used pre-selected email addresses. I simply created a forward on my webhosting control panel to forward all email from admin@miketabor.com.

Once the form has been completely filled out, click on Next. Now click on Download. This will download a file called archive. SAVE these files!

Issue the SSL Certificate

If you haven't already purchased your SSL, go ahead and do so. Once purchased (I'm assuming you also purchased from NameCheap), log into your NameCheap control panel and click on Issue next to your newly purchased SSL cert. In the Digital Certificate Order Form page, select Other from the Select Web Server drop-down menu. Then open the server. Enter CSR field.
On the next screen, NameCheap will give you a list of email addresses which can be used to approve the certificate request. Select an email address and click Next.

Note: As mentioned above, I don't use any of these pre-selected email addresses, so I simply created a forward to my main email address in my web hosting control panel for the time being.

In a few minutes you should receive an email from Comodo that contains a link and a validation code. Click on the link, enter the validation code and click Next. A few minutes after you confirm the validation code, you'll receive another email from Comodo with a ZIP file attachment. Extract the file somewhere safe!

Import the SSL Certificate

Go back to your Synology and navigate to Control Panel > Security > Certificate and click on Import Certificate. Browse and import the following files for each field.

Private Key: the Server key file (Getting Started, Step 4)
Certificate: the domain certificate (from the Comodo zip file in the email)
Intermediate certificate: PositiveSSLCA2.crt (also received from the Comodo zip file)

Then click on Next. Your Synology webserver will now restart, which should only take a few seconds. Your Synology control panel certificates page will look like this.

Redirect HTTP requests to HTTPS

To finish up, we'll want to make sure that any HTTP request the Synology receives is redirected to HTTPS, thus ensuring that each time you access your Synology DSM it's being protected by the SSL certificate.

Within the Synology DSM, navigate to Control Panel > Network > DSM Settings. Place a check in the following check boxes: Enable HTTPS connection and Automatically redirect HTTP connections to HTTPS. Also worth enabling are SPDY, which can make loading the page faster, and HSTS, which ensures browsers use the secured connection. Then click on Apply.

Note: This step is also a good time to change your port number if you wish (I'd recommend doing so as an added layer of security); just be sure to update your router port forwarding rules.

Safe and secure!

Now simply try to access your NAS using your domain/subdomain (example: subdomain.) SSL cert in your browser.

That's it! Below I've included some extra information based on the questions I've received in the comments and email.

Adding a CNAME in cPanel

I've been asked several times how to add a CNAME to a web host. The process is going to vary from web host to web host, as it all depends on what control panel your web host uses, if any. In this case I'll show you how to add a CNAME using one of the most common control panels, and that's WHM/cPanel. BlueHost is an incredibly easy web host that also uses cPanel, which means the below steps will work perfectly. So if you don't already have a webhost, check out BlueHost.

How to configure CA certificates for iPad and iPhone

Apple iPads and iPhones can communicate with back-end servers securely in many ways, but IT has to configure the devices to accept valid CA certificates. Luckily, there are many different methods for adding the certificates to iOS devices.

Every secure connection to the network starts with authentication to verify the server's identity. Most iPads and iPhones are configured to accept valid certificates issued by a trusted certification authority (CA) so the devices can tell which network servers are legitimate. IT needs to follow a few simple steps to configure CA certificates for iPads and iPhones.

What are CA certificates?

X. Each certificate binds the subject identity (for instance, the server's hostname or IP address) to a public/private key pair. The subject's identity and public key are included in the certificate, along with the issuing CA's name and signature.

CAs are responsible for confirming subject identity before issuing requested CA certificates. They are also responsible for renewing and, when appropriate, revoking certificates. In effect, CAs operate like passport offices, handing out official passports to authorized individuals who have proven their identity. Once a person has been issued a passport, or a server has been issued a certificate, these credentials can be presented with a signature as proof of identity.

This kind of CA certificate validation occurs every time a user browses a Secure Sockets Layer-protected website. When validating the Web server's certificate, the browser also checks the issuing CA's signature. This check usually passes because public-facing websites tend to have CA certificates from one of the trusted root CAs that are configured by default into every operating system.

The importance of trusted CA certificates

CA certificates from trusted root CAs are essential for public-facing servers such as e-commerce sites, but many companies prefer to use their own CA to issue certificates to corporate email, Web, virtual private network (VPN) and other servers not intended for public use. Applications running on iPads and iPhones can authenticate corporate servers using privately issued certificates if they are given instructions to trust them.

One high-risk option is to simply let users accept unknown CA certificates. By making such exceptions, however, users can fall for self-signed certificates and those issued by untrustworthy CAs, exposing devices not just once but forevermore to a litany of man-in-the-middle attacks.

A far better option is for IT to explicitly add a trusted CA certificate to employee devices, configuring applications to recognize and trust servers that prove their identity using your company's CA certificates. In this way, IT can permit secure connections to trustworthy servers without throwing the door wide open.

Adding CA certificates to iPads and iPhones

All Apple iPads and iPhones support PKCS1-formatted X. You can use these certificates to identify CAs, servers or individual users and devices. Here's how to add CA certificates used during enterprise Web, email, VPN or wireless LAN (WLAN) server authentication:

Email distribution: The least secure method is to simply email your trusted CA certificates to employees. Any user that clicks on this attachment launches an Install Profile dialog that warns that the CA certificate about to be installed is not trusted. If the user clicks Install, he will be further warned that the authenticity of the subject cannot be verified and that installing the profile will add it to the list of trusted certificates on that iPad or iPhone.
When using this method, counsel users to make a one-time exception and never install any other CA certificates, even if they appear to be from the IT department.

Web distribution: Direct employees to a Web page where your CA certificate is posted. Any user who clicks on the certificate file URL will launch a dialog similar to that described above. Although this method is also vulnerable to phishing, it can be strengthened by hosting the CA certificate on a secure website, and you can advise users to ensure that they reach the legitimate website before downloading your certificate, by logging into a corporate Web portal first, for example.

Configuration profiles: A more automated and robust method of adding CA certificates is to use iOS configuration profiles. Configuration profiles are files that deliver settings to iOS devices. Each profile consists of XML-formatted payloads, which include the certificates and the settings for applications that use those certificates. No matter how profiles are deployed, their XML payload content has the same format. Three types of profile payloads carry certificate settings: Exchange payloads, which are used to configure Transport Layer Security (TLS)-protected email access; Internet Protocol Security VPN payloads, which are for configuring certificate-authenticated VPN access; and Wi-Fi payloads, which are used to configure Extensible Authentication Protocol-authenticated WLAN access. A list of TLS Trusted Server Names may also be included to tell iOS devices specifically which WLAN servers they should trust, and allowUntrustedTLSPrompt may be included in profiles to stop users from accepting connections to untrusted HTTPS servers.

Simple Certificate Enrollment Protocol (SCEP): Another scalable, robust method of adding CA certificates is SCEP. Apple iOS devices can use SCEP to remotely request certificates from your company's CA for subsequent device and user authentication, including enrollment with your company's mobile device management (MDM) server. You can associate any certificates obtained via SCEP with the Exchange, VPN or Wi-Fi configuration payloads described above; this is done by including SCEP payloads in configuration profiles to retrieve client certificates from SCEP servers. A SCEP payload includes your company's SCEP server URL, along with any optional values such as the name of the CA and the client's X.

Once a CA certificate is added to an iPhone or iPad, it can be removed at any time, either by MDM or by users themselves. The iOS operating system also uses the Online Certificate Status Protocol (OCSP) to check for possible revocation of OCSP-enabled certificates. Organizations that intend to issue certificates from their own CA should consider supporting OCSP for ongoing management of trust relationships.
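
The configuration-profile settings described above can be checked before a profile is deployed. The following is an added example, not code from the original article or from Apple: it parses a profile and reports a Wi-Fi payload that lacks TLS trusted server names or a CA anchor, and a profile that leaves the untrusted-certificate prompt enabled. The payload types and key names other than allowUntrustedTLSPrompt come from Apple's configuration profile format rather than from this page, and the sample profile, its UUIDs and the example.com names are constructed.

```python
import plistlib

def audit_profile(raw: bytes) -> list:
    """List weak certificate-trust settings in a configuration profile."""
    payloads = plistlib.loads(raw).get("PayloadContent", [])
    # UUIDs of the CA certificates this profile installs as trust anchors.
    anchors = {p.get("PayloadUUID") for p in payloads
               if p.get("PayloadType") == "com.apple.security.root"}
    findings = [] if anchors else ["no CA certificate payload"]
    prompt_blocked = False
    for p in payloads:
        kind = p.get("PayloadType")
        if kind == "com.apple.wifi.managed":
            eap = p.get("EAPClientConfiguration", {})
            ssid = p.get("SSID_STR", "?")
            # Without server names the device cannot tell which WLAN servers to trust.
            if not eap.get("TLSTrustedServerNames"):
                findings.append(f"{ssid}: no TLSTrustedServerNames")
            if not anchors & set(eap.get("PayloadCertificateAnchorUUID", [])):
                findings.append(f"{ssid}: not anchored to a CA in this profile")
        elif kind == "com.apple.applicationaccess":
            # False means untrusted HTTPS certificates are rejected without a prompt.
            prompt_blocked |= p.get("allowUntrustedTLSPrompt") is False
    if not prompt_blocked:
        findings.append("users can still accept untrusted HTTPS certificates")
    return findings

def sample_profile(hardened: bool) -> bytes:
    """Constructed sample; the certificate bytes are a placeholder, not a real CA."""
    def payload(kind, uuid, **settings):
        return {"PayloadType": kind, "PayloadVersion": 1, "PayloadUUID": uuid,
                "PayloadIdentifier": "com.example." + uuid.lower(), **settings}
    eap = {"AcceptEAPTypes": [25]}  # 25 = PEAP
    content = [payload("com.apple.security.root", "CA-0001",
                       PayloadContent=b"placeholder, not real DER")]
    if hardened:
        eap["TLSTrustedServerNames"] = ["radius.example.com"]
        eap["PayloadCertificateAnchorUUID"] = ["CA-0001"]
        content.append(payload("com.apple.applicationaccess", "RESTRICT-0001",
                               allowUntrustedTLSPrompt=False))
    content.append(payload("com.apple.wifi.managed", "WIFI-0001", SSID_STR="CorpWLAN",
                           EncryptionType="WPA2", EAPClientConfiguration=eap))
    return plistlib.dumps(payload("Configuration", "PROFILE-0001",
                                  PayloadDisplayName="Constructed sample",
                                  PayloadContent=content))

if __name__ == "__main__":
    for hardened in (False, True):
        print(hardened, audit_profile(sample_profile(hardened)))
```

The same function can be pointed at the bytes of an unsigned .mobileconfig file exported from a profile editor or MDM console.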