How to Install an ACME SSL Certificate on a Synology NAS?
Securing your Synology NAS with a commercial ACME SSL certificate lets you automate issuing and renewing your certificates while keeping control over which validation methods and which Certificate Authorities (CAs) you use.
DiskStation Manager (DSM) does include a built-in way to obtain and renew Let’s Encrypt certificates; however, many organizations are required to use commercial ACME certificates from a third-party provider that supports EAB (External Account Binding), such as Sectigo or DigiCert.
In this tutorial, we will show you how to issue an SSL certificate using acme.sh and your EAB credentials and how to either import or automatically deploy the issued SSL certificate to your Synology NAS.
Prerequisites
Before you begin, ensure you have the following:
- A domain name must point to your NAS.
- Your NAS must be running DSM 7.x (7.2 or above is preferred).
- You need a VPS/External Linux host to run acme.sh on.
- You will require the ACME directory URL of your certificate issuer.
- EAB credentials are required (i.e. your Key ID and HMAC key).
- You will need administrative access to your DSM.
Steps to Install an ACME SSL Certificate on Synology NAS
Step 1: Install acme.sh
Install the acme.sh ACME client on your external Linux host or VPS.
curl https://get.acme.sh | sh
source ~/.bashrc
acme.sh --version
If a version number appears, the installation was successful.
Step 2: Register Your ACME Account with EAB
Commercial ACME providers require external account binding to authenticate users to their services.
Run the following command:
acme.sh --register-account \
--server https://acme.yourca.com/v2/acme \
--eab-kid YOUR_EAB_KID \
--eab-hmac-key YOUR_EAB_HMAC_KEY \
--accountemail YOUR_EMAIL_ADDRESS
Replace the placeholders with the values given to you by your Certificate Authority.
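What the EAB Key ID and HMAC key do during registration, shown as an added example that is not part of the original tutorial or of acme.sh: the client MACs its ACME account public key with the HMAC key (RFC 8555, section 7.3.4) and the CA verifies it. The key ID, HMAC key, account key and newAccount URL below are constructed sample values.

```python
import base64, hashlib, hmac, json

def b64url(data: bytes) -> str:
    """Unpadded base64url, the encoding JWS uses (RFC 7515)."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def b64url_decode(text: str) -> bytes:
    """Decode base64url, restoring any padding that was stripped."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def build_eab(kid: str, hmac_key_b64: str, account_jwk: dict, new_account_url: str) -> dict:
    """Client side: MAC the ACME account public key with the CA-issued HMAC key."""
    header = {"alg": "HS256", "kid": kid, "url": new_account_url}
    protected = b64url(json.dumps(header).encode())
    payload = b64url(json.dumps(account_jwk).encode())
    key = b64url_decode(hmac_key_b64)
    mac = hmac.new(key, f"{protected}.{payload}".encode("ascii"), hashlib.sha256)
    return {"protected": protected, "payload": payload, "signature": b64url(mac.digest())}

def verify_eab(eab: dict, hmac_key_b64: str, request_jwk: dict) -> bool:
    """CA side: the MAC must be valid and the payload must be the key that signed the request."""
    signing_input = f"{eab['protected']}.{eab['payload']}".encode("ascii")
    expected = hmac.new(b64url_decode(hmac_key_b64), signing_input, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(eab["signature"])):
        return False
    header = json.loads(b64url_decode(eab["protected"]))
    bound_jwk = json.loads(b64url_decode(eab["payload"]))
    return header.get("alg") == "HS256" and bound_jwk == request_jwk

# Constructed sample values (not real credentials; x/y are stand-ins, not a real curve point).
SAMPLE_KID = "example-eab-kid-001"
SAMPLE_HMAC_KEY = b64url(b"constructed-demo-hmac-key-32byte")
SAMPLE_URL = "https://acme.yourca.com/v2/acme/newAccount"  # hypothetical newAccount URL
SAMPLE_JWK = {"kty": "EC", "crv": "P-256",
              "x": b64url(bytes(range(32))), "y": b64url(bytes(range(32, 64)))}

if __name__ == "__main__":
    eab = build_eab(SAMPLE_KID, SAMPLE_HMAC_KEY, SAMPLE_JWK, SAMPLE_URL)
    print(json.dumps(eab, indent=2))
    print("binding valid:", verify_eab(eab, SAMPLE_HMAC_KEY, SAMPLE_JWK))
```

Because the MAC is the only proof linking an ACME account key to your CA account, the HMAC key should be stored and handled like a password.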
Step 3: Issue the Certificate Using DNS Validation
DNS validation (DNS-01) is the method to use for NAS devices that sit behind a router or firewall.
Example, using Sectigo's OV endpoint; the --server URL must be the same one you registered your account with in Step 2:
acme.sh --issue \
-d yourdomain.com \
--dns dns_manual \
--server https://acme.sectigo.com/v2/OV
You will be prompted to create a TXT record:
_acme-challenge.yourdomain.com TXT <token>
After DNS propagation, verify using:
dig TXT _acme-challenge.yourdomain.com +short
Re-run the issue command to complete validation. Certificate files will be stored in:
~/.acme.sh/yourdomain.com/
Important files include:
- fullchain.cer – certificate and intermediate chain
- yourdomain.com.key – private key
Step 4: Import the Certificate into DSM
- Log in to DSM.
- Navigate to Control Panel → Security → Certificate.
- Click Add → Import Certificate.
- Upload the private key and fullchain.cer.
After importing, assign the certificate to services such as:
- DSM Web Interface
- Reverse Proxy
- WebDAV
- Synology Drive
- VPN services (if used)
The NAS will now use the imported SSL certificate.
Step 5: Automate Renewal and Deployment (Optional)
To avoid manual uploads during renewal, use the built-in synology_dsm deploy hook in acme.sh.
First, configure DSM credentials:
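export SYNO_Username="certuser"
export SYNO_Password="StrongPassword"
export SYNO_Hostname="nas.local"
export SYNO_Port="5001"
# Port 5001 is DSM's HTTPS port; the deploy hook defaults to http, so set the scheme explicitly
export SYNO_Scheme="https"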
Then deploy the certificate:
acme.sh --deploy \
-d yourdomain.com \
--deploy-hook synology_dsm
Once installed, acme.sh creates a daily cron job that checks whether your certificate is due for renewal and automatically takes care of the following tasks:
- Certificate Renewal
- Deployment to DSM
- Restarting needed services
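The result is a certificate on your Synology NAS that is regularly renewed without you having to do anything! Note that unattended renewal requires the DNS-01 challenge to be answered automatically, for example through one of acme.sh's DNS API hooks; a certificate issued in manual DNS mode still needs its TXT record updated by hand at each renewal.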