9

I am looking for a way to import a root certificate in a Synology server (the certificate comes from an SSL-intercepting proxy).

I have copied the certificate to

/usr/share/ca-certificates/<somesubfolder>

And changed the permissions to 744 and owner to root:root. Then I made a symlink to the cert in

/etc/ssl/certs

This didn't change a thing, so I additionally modified the file

/etc/ca-certificates.conf

And added the line:

<somesubfolder>/<certfile.crt>

Again, this didn't change the behaviour, still no connection possible to the outside world. Any ideas?

Giacomo1968
  • 58,727
Christian
  • 501

5 Answers

4

For Synology DSM 7 this is the proper way to install your private CA certificates:

  • Copy the CA certs ending in .crt into the directory /var/db/ca-certificates and change (chmod) the permissions of the certs to 644.
  • Then execute the script provided by Synology: update-ca-certificates.sh
  • Reboot
  • Enjoy!
flou
  • 41
4

On DSM 7.2 the script /usr/syno/bin/update-ca-certificates.sh exists to re-create the content of /etc/ssl/certs.

It allows you to add your own certificates as .crt to /usr/syno/etc/security-profile/ca-bundle-profile/ca-certificates/. These certificates will be recognized when running the script.

That directory doesn't exist by default, so create it if missing. Haven't found an official way to get it created yet (2024-02).

Maddes
  • 181
3

Okay, thanks to Spiff I could solve the problem. Here is what I did:

  1. Copy the cert (with ending .crt) to /usr/share/ca-certificates/randomsubfolder/

  2. Import the cert in the list of all root-ca-certs:

    sudo sh -c 'cat /usr/share/ca-certificates/randomsubfolder/cert >> /etc/ssl/certs/ca-certificates.crt'

Note: This is not officially supported by Synology. A future DSM update could restore the list of root-ca-certs to default and then you'd have to import the cert again.

Christian
  • 501
1

I'm on DiskStation 7.2 and none of these solutions worked for me. What ultimately did work was this: I had my firewall CA certificate in PEM format, I copied the contents of the file to the /etc/ssl/certs/ca-certificates.crt file. After a reboot it worked.

Make a backup copy first

    cp /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/ca-certificates.crt.backup

Edit the contents of the ca-certificates.crt file and append the contents of your CA certificate.

    sudo vi /etc/ssl/certs/ca-certificates.crt
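
The append step from the two answers above, written so it can be re-run safely (an added example, not part of the original answers): it accepts only a single PEM certificate, skips one that is already in the bundle, backs the bundle up, and inserts a newline first when the bundle does not end in one. The function names are illustrative and the paths are passed as arguments.

```shell
#!/bin/sh
# Added example: idempotent append of one PEM CA certificate to a trust bundle.
# Usage (paths are arguments, e.g. the bundle named in the answers above):
#   sh add-ca.sh /path/to/your/certificate.crt /etc/ssl/certs/ca-certificates.crt

# Print one line per certificate in a PEM file: its base64 body, whitespace removed.
pem_bodies() {
    awk '/-----BEGIN CERTIFICATE-----/ { on = 1; body = ""; next }
         /-----END CERTIFICATE-----/   { if (on) print body; on = 0; next }
         on { gsub(/[ \t\r]/, ""); body = body $0 }' "$1"
}

add_ca_to_bundle() {
    cert=$1
    bundle=$2
    new=$(pem_bodies "$cert") || return 2
    # Refuse input that is not exactly one PEM certificate (DER file, chain, key).
    if [ -z "$new" ] || [ "$(printf '%s\n' "$new" | wc -l)" -ne 1 ]; then
        echo "not a single PEM certificate: $cert" >&2
        return 2
    fi
    # Already in the bundle: change nothing, so re-running at every boot is safe.
    if pem_bodies "$bundle" | grep -qxF -- "$new"; then
        echo "already present"
        return 0
    fi
    cp -p "$bundle" "$bundle.backup" || return 1
    # If the bundle does not end in a newline, a plain `cat >>` would fuse the
    # last END line with the new BEGIN line and corrupt both entries.
    [ -z "$(tail -c 1 "$bundle")" ] || printf '\n' >> "$bundle"
    cat "$cert" >> "$bundle" || return 1
    [ -z "$(tail -c 1 "$bundle")" ] || printf '\n' >> "$bundle"
    echo "added"
}

# Run as a script only when both paths are given.
if [ "$#" -eq 2 ]; then
    add_ca_to_bundle "$1" "$2"
fi
```
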
0

In Debian / Ubuntu we use update-ca-certificates to add certificates. The thing is that update-ca-certificates is a shell script and nothing prevents it from working on Synology too. To achieve that you need to do the following:

  1. SSH into Synology

  2. Get update-ca-certificates from Debian sources

    sudo wget -O /usr/sbin/update-ca-certificates https://sources.debian.org/data/main/c/ca-certificates/20211016/sbin/update-ca-certificates
    sudo chmod +x /usr/sbin/update-ca-certificates

  3. Create a directory for additional certificates and copy your certificate into it

    sudo mkdir -p /usr/local/share/ca-certificates
    sudo chmod 755 /usr/local/share/ca-certificates
    sudo cp /path/to/your/certificate.crt /usr/local/share/ca-certificates
    sudo chmod 644 /usr/local/share/ca-certificates/*.crt

  4. Call update-ca-certificates

    sudo update-ca-certificates

After running the script you should see:

    1 added, 0 removed; done.

The benefit of this approach is that you can call update-ca-certificates from Synology's Task Scheduler on boot; this should allow the certificates to survive DSM updates.

Dmitry
  • 101
  • 3