In this guide, you’ll learn how to install an ACME SSL certificate on a Synology NAS using ACME + EAB credentials, then import it into Synology. Once done, your NAS will be running a certificate with automation handled entirely outside DSM (Disk Station Manager).

Synology DSM allows importing SSL certificates directly through the GUI but for commercial ACME certificates (from providers like Sectigo or DigiCert), the best approach is to manage them externally with acme.sh and import them afterward.
Before You Start
Make sure you have the following:
- A domain name pointed to your Synology’s public IP
- DSM 7.x (7.2 recommended for best compatibility) supports full certificate import via GUI.”
- An external Linux host, VPS, or local server where you can install
acme.sh - Access to your certificate provider’s ACME URL and EAB credentials (KID + HMAC)
Step 1: Install acme.sh
Before anything else, you need the ACME client that will handle communication with your CA.
Run these commands on your external host (Linux, BSD, or VPS):
curl https://get.acme.sh | sh
source ~/.bashrc
acme.sh --version
You should see the version printed on screen. That means installation succeeded.
Step 2: Register Your ACME Account with the CA
Your commercial provider (like Sectigo or DigiCert) gives you two credentials: an EAB Key ID and an HMAC Key. These authorize your ACME client.
Once you have them, run this command from the same host:
acme.sh --register-account \
--server https://acme.yourca.com/v2/acme \
--eab-kid YOUR_EAB_KID \
--eab-hmac-key YOUR_EAB_HMAC_KEY \
--accountemail [email protected]
Replace the placeholders with your actual credentials.
Step 3: Issue the Certificate with DNS Validation
Now issue your certificate using DNS validation — the safest and most reliable option for NAS devices behind NAT.
Example (manual DNS entry):
acme.sh --issue \
-d yourdomain.com \
--dns dns_manual \
--server https://acme.sectigo.com/v2/OV
You’ll be prompted to create this DNS record:
_acme-challenge.yourdomain.com TXT (token value)
After propagation (check using dig TXT _acme-challenge.yourdomain.com +short), re-run the command to finish validation.
Your certificate files will be saved under: ~/.acme.sh/yourdomain.com/.
Inside that folder you’ll find:
- fullchain.cer — certificate + intermediate chain
- yourdomain.com.key — private key
- ca.cer — root/intermediate (if provided separately)
Step 4: Import the Certificate into Synology
- Log in to DSM > Control Panel > Security > Certificate.
- Click Add > Import Certificate
- Upload your private key and ceritifcate (fullchain.cer)
Once imported, go to Settings and assign the cert to:
- DSM Web Interface
- File Station / Web Station
- Reverse Proxy
- WebDAV / Drive
- SSL VPN (if used)
Your NAS now uses the uploaded SSL certificate.
Step 5: Automate Renewal and Sync to DSM
If you want your Synology NAS to always stay updated with the latest certificate — without logging into DSM or uploading files manually — you can use acme.sh’s built-in synology_dsm deploy hook. This lets acme.sh push renewed certs directly into DSM via HTTPS.
Here’s how to set it up.
1. Configure DSM Credentials (One-Time Setup)
From your external host (where acme.sh is installed), run:
export SYNO_Username="admin"
export SYNO_Password="YourAdminPassword"
export SYNO_Hostname="nas.local"
export SYNO_Port="5001"
Replace the placeholders with your credentials. These values are stored in your shell session, and acme.sh uses them to connect securely.
2. Deploy the Certificate to DSM
After a certificate is issued or renewed, deploy it to DSM using:
acme.sh --deploy \
-d yourdomain.com \
--deploy-hook synology_dsm
This command will:
- Connect to your NAS over HTTPS (port 5001)
- Upload the private key and certificate files
- Replace the current cert in DSM’s Control Panel
- Restart all necessary services (GUI, File Station, WebDAV, etc.)
You can verify the change in DSM > Control Panel > Security > Certificate.
3. Let acme.sh Handle Everything (Auto-Renew + Auto-Deploy)
Good news: acme.sh already installs a cron job that runs daily. If your cert is close to expiration, it will:
- Renew the certificate automatically
- Trigger the
synology_dsmdeploy hook again - Upload the new cert to DSM
- Restart DSM services silently
Once this is set up, everything runs on autopilot. No GUI interaction needed.
Common Questions
Below we cover the most common things users ask after setup:
Can I install and run acme.sh on the NAS itself?
Technically yes (via SSH or Docker), but DSM updates may break dependencies. It’s safer to manage ACME from an external host.
Does Synology automatically update external certificates?
No, DSM won’t pull them automatically. Use the deploy hook or a scheduled script to push updates after each renewal.
Can I use wildcard certificates?
Yes, issue with -d *.yourdomain.com using DNS validation. Sectigo and DigiCert both support wildcards via ACME when enabled in your profile.
Final Words
This setup bridges modern commercial ACME SSL automation with Synology’s ecosystem. You get the benefits of a trusted certificate, full chain control, and external renewals with just a bit of scripting to tie it all together. Once you’ve done it once, you can replicate it easily for other NAS devices, subdomains, or clients.
Save 10% on SSL Certificates when ordering from SSL Dragon today!
Fast issuance, strong encryption, 99.99% browser trust, dedicated support, and 25-day money-back guarantee. Coupon code: SAVE10

