This tutorial shows you how to generate a CSR (Certificate Signing Request) on a Synology NAS running DSM 7 (DSM 7.2.x, the current line). The wizard inside DiskStation Manager creates a PKCS #10 request and a matching private key in one step, then downloads both as a ZIP file you keep on your computer. You submit the .csr file to your Certificate Authority and import the issued certificate back into DSM together with the original key.
If you are on DSM 6.2, the menu wording is slightly different (a dedicated CSR tab instead of Add), but the fields you fill in are the same. DSM 7 is the version Synology supports today, so the steps below describe that flow.
Before you start
For a publicly trusted certificate from a CA, the NAS needs a name that resolves on the public internet. Two common setups work:
- Your own domain: point a hostname (for example nas.example.com) to your public IP with an A record at your DNS provider, or to a Synology DDNS hostname with a CNAME.
- Synology DDNS: if you do not own a domain, register a free Synology DDNS name under Control Panel > External Access > DDNS (for example yourname.synology.me) and use that as the Common Name.
You also need administrator access to DSM. The CSR wizard is part of Control Panel, which only administrator accounts can open.
Generate the CSR in DSM 7
If you already generated your CSR off the NAS (for example with our CSR Generator or with OpenSSL), skip this section and continue with the Synology NAS installation steps once your certificate is issued.
Step 1: Open the Certificate panel
Sign in to DSM as an administrator and go to Control Panel > Security > Certificate. The screen lists any certificates already on the NAS (the default self-signed one and any you have imported or issued through Let’s Encrypt).
Step 2: Start a new certificate request
Click Add. In the dialog that opens, leave Add a new certificate selected and click Next.
On the next screen, select Create certificate signing request (CSR) and click Next. (The two other options, Get a certificate from Let’s Encrypt and Import certificate, are covered later in this guide.)
Step 3: Fill in the CSR fields
DSM shows a form with the Distinguished Name fields and the key length. Use only standard ASCII characters; non-Latin letters and accented characters break the request:
- Private Key Length: select 2048 from the drop-down. This is the current minimum every public CA accepts. Pick 3072 or 4096 only if your security policy requires a larger key (slightly slower TLS handshakes is the trade-off).
- Common Name: the fully qualified domain name (FQDN) clients will use to reach the NAS, for example nas.example.com. For a wildcard certificate, put an asterisk in front of the apex, for example *.example.com.
- Subject Alternative Name: add every additional hostname that should be covered, one per line. Repeat the Common Name on the first line, then add aliases (for example nas.example.com on line one, files.example.com and photos.example.com on the lines below). Modern browsers and clients validate only the SAN list (the Common Name has not been used for trust decisions since 2017), so every hostname that should work has to appear here.
- Email: a valid contact address. The CA may use it during validation.
- Department: a short label such as IT or Web. The Organizational Unit attribute is deprecated for public certificates (the CA/Browser Forum has phased it out), so keep it minimal or leave a placeholder. For Domain Validation orders, write NA.
- Organization: the full legal name of your company, exactly as registered. Required for Organization Validation (OV) and Extended Validation (EV) certificates. For Domain Validation (DV) orders this field is ignored, so write NA or your name.
- City: the city where your organization is registered, written in full (for example Orlando, not ORL).
- State/Province: the full state or province name (for example Florida, not FL).
- Country: select the two-letter ISO country code from the drop-down (for example US, GB, DE). For OV and EV orders, this is the country where your company is legally registered.
Double-check every field and click Next.
Step 4: Download the CSR and private key
DSM generates the request and the matching private key and downloads them to your computer as a single ZIP archive (usually named archive.zip). Inside the ZIP you will find two files:
- server.csr: the PKCS #10 certificate signing request. This is the text you paste into your order form.
- server.key: the matching RSA private key. Keep it on the same machine you will use to import the issued certificate. The CA never sees this file, and if you lose it you have to start over with a new CSR.
Extract the ZIP somewhere safe (a password-protected vault or an admin-only folder). Treat server.key like any other secret.
Step 5: Submit the CSR to your Certificate Authority
Open server.csr in a plain text editor. You will see a block like this:
-----BEGIN CERTIFICATE REQUEST-----
MIICvDCCAaQCAQAwdzELMAkGA1UEBhMCVVMxEDAOBgNVBAgMB0Zsb3JpZGExEDAO
... (many lines of base64) ...
-----END CERTIFICATE REQUEST-----
Select everything, including the BEGIN CERTIFICATE REQUEST and END CERTIFICATE REQUEST lines, copy it, and paste it into the CSR field on your order form. After the CA validates the request and issues your certificate, follow our how to install an SSL certificate on Synology NAS guide to import the certificate, the CA bundle, and the matching server.key into DSM and assign the certificate to your services.
Check the CSR before you submit it (optional)
It is worth confirming the Common Name, the SAN list, and the key size before sending the request to the CA. Paste the contents of server.csr into our CSR Decoder to read the values back. The Common Name should match the hostname clients use, every required name should appear under Subject Alternative Name, and the key size should match what you chose in the wizard.
If you have OpenSSL on a workstation, this command prints the same details locally:
openssl req -noout -text -in server.csr
Free alternative: Let’s Encrypt inside DSM
DSM 7 can issue a free Let’s Encrypt certificate directly, with no CSR and no manual import. The wizard creates the key, the request, and the trust chain on the NAS itself, and DSM renews the certificate automatically before it expires (Let’s Encrypt certificates are valid for 90 days).
- Go to Control Panel > Security > Certificate, click Add, then Add a new certificate.
- Select Get a certificate from Let’s Encrypt and click Next.
- Enter your Domain name and a contact Email. Add any extra hostnames under Subject Alternative Name, then finish.
Let’s Encrypt validates the domain over inbound port 80, so your NAS and router must allow that port from the internet (DSM uses the HTTP-01 challenge by default). Choose Let’s Encrypt for free internal and DSM access. Choose a purchased certificate when you need Organization or Extended Validation, a wildcard across many subdomains, a longer validity term, or a warranty and vendor support.
Frequently Asked Questions
Open Control Panel > Security > Certificate, click Add, leave Add a new certificate selected, and on the next screen pick Create certificate signing request (CSR). DSM 6.2 used a dedicated CSR tab on the Certificate panel instead, but the form fields you fill in are the same.
DSM does not keep a copy on the NAS. The private key is downloaded inside archive.zip as server.key, together with server.csr, and exists only on the machine where you saved it. Store the ZIP somewhere safe before closing the browser tab. If you lose server.key, the certificate the CA issues for that CSR cannot be installed and you have to generate a new request.
Yes. The DSM 7 wizard has a Subject Alternative Name field that accepts one hostname per line. Put the primary FQDN there as well (matching the Common Name) so the SAN list is self-contained, then add every alias the NAS should answer to. You then need to order a multi-domain (SAN) certificate to cover the extra names; a single-name certificate only signs one hostname even if you list more in the CSR.
Yes. Our CSR Generator builds a request (with SAN) from a single form, and OpenSSL can do the same from the command line. Keep the private key it gives you, then import the issued certificate, the CA bundle, and that key together under Control Panel > Security > Certificate > Add > Import certificate. This is often easier when you want the same certificate on more than one device.
Let’s Encrypt is free, valid for 90 days, and DSM 7 renews it for you, so it suits home labs and internal DSM access where Domain Validation is enough. A purchased certificate makes sense when you need Organization or Extended Validation, a wildcard across many subdomains, a multi-year term, vendor support, or a warranty. The CSR flow in this guide is what you use for the purchased route.
The wizard triggers a single ZIP download as the last step. If your browser blocked it (some pop-up blockers stop file downloads from inline dialogs), check the browser’s download bar or the small block-icon next to the address bar and allow the download. If you have already clicked Done and the ZIP did not arrive, repeat the wizard: DSM does not keep a copy of the request on the NAS, so the ZIP is the only place the private key exists.
Save 10% on SSL Certificates when ordering from SSL Dragon today!
Fast issuance, strong encryption, 99.99% browser trust, dedicated support, and 25-day money-back guarantee. Coupon code: SAVE10


