End to End Encryption Question

Hello all,

I am getting confused about what certificates I need to deploy to achieve end-to-end encryption from my Android app to the back-end server.

The Android application is the Synology Photos app. It needs to be able to access my Synology NAS on the back end, to back up photos that I take on my Android phone. I have tried deploying an origin certificate on the NAS side and this seems to work. What I do not see is a trusted certificate in the Photos app, on my phone, as evidenced by the screenshot attached. Should I see the cert here, and if I am not seeing it, what am I not doing?

Should I be using an origin certificate or a client certificate? I think that is what has got me all confused. It sounds like the client certificate should be on the client side?

Thanks,
Steve

Definitely no client certificate and most likely no Origin certificate either. You’ll probably want a regular publicly trusted certificate, such as Let’s Encrypt. Origin certificates only work in the context of proxied connections, which is probably not the case here. Should that application actually connect via Cloudflare, then you could use an Origin certificate; however, you’d also be in violation of 2.8 of the terms of service.

In short, get a regular certificate and make sure any hostname configured on Cloudflare is grey-clouded (DNS only).

It actually could be a proxy situation. Let me give you more context.

My NAS is behind my home Internet connection, which does not have a static IP. I have set up a DDNS service from my firewall, so that if the IP changes it will update the A record in my Cloudflare DNS settings for the associated hostname I use in the app. I have also turned on proxy in the DNS settings for this A record.

Does Cloudflare not provide a certificate like Let’s Encrypt? I would prefer to consolidate my security services with one provider. This is why I am confused about all the different types of certificates that Cloudflare provides.

No, Cloudflare’s certificates only work in a proxied context and are not publicly trusted like Let’s Encrypt.

Also, refer to my earlier statement, as you may get your account suspended in that case.

Aha…now this is beginning to make sense.

So if I went with a Let’s Encrypt certificate I would install it on the NAS, I would still leave the A record in Cloudflare DNS but turn off the proxy, and keep Full-Strict in place correct?

Absolutely right.

OK, one final question on this…

I have a firewall that protects everything. Is there any reason to install the Let’s Encrypt certificate there and not on the NAS?

It depends what kind of firewall it is, but you essentially need the certificate on the web server that is publicly accessible. If that is the NAS, you need the certificate on the NAS. If it is the firewall, you need it on the firewall.
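The check behind this whole thread, as an added example that is not from the original discussion: connect to the NAS hostname the way the phone app does (system trust store, hostname verification on) and report whether the chain validates. An Origin CA certificate served directly to the client fails this check with an "unable to get local issuer" or "self-signed certificate in chain" error, which is exactly what the Photos app sees; a Let's Encrypt certificate on the NAS passes it. The issuer-name match assumes the "CloudFlare Origin SSL Certificate Authority" naming Cloudflare uses for its Origin CA roots; the `diagnose` labels are my own.

```python
import socket
import ssl

# Cloudflare's Origin CA roots (RSA and ECC variants) carry "Origin SSL" in the
# issuer CN and are not in public trust stores; only Cloudflare's proxy trusts them.
ORIGIN_CA_MARKER = "Origin SSL"
CHAIN_ERRORS = ("local issuer", "self signed", "self-signed")


def is_cloudflare_origin_ca(issuer):
    """issuer uses the tuple-of-RDN-tuples shape returned by SSLSocket.getpeercert()."""
    fields = {key: value for rdn in issuer for key, value in rdn}
    return (ORIGIN_CA_MARKER in fields.get("commonName", "")
            and "cloudflare" in fields.get("organizationName", "").lower())


def diagnose(trusted, issuer=None, error=None):
    """Map a probe result to the advice from the thread (labels are hypothetical)."""
    if trusted and issuer is not None and is_cloudflare_origin_ca(issuer):
        # Validates only because this machine has the Origin CA root installed;
        # a stock Android phone will not.
        return "origin-ca-trusted-locally-only"
    if trusted:
        return "publicly-trusted"          # what the app needs with the record grey-clouded
    if error and any(marker in error for marker in CHAIN_ERRORS):
        return "untrusted-chain"           # typical symptom of an Origin CA cert served directly
    return "other-tls-error"               # expiry, hostname mismatch, etc.


def probe(host, port=443, timeout=5.0):
    """Handshake like the phone app: default context = system roots + hostname check."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                cert = tls.getpeercert()
        return {"trusted": True, "issuer": cert.get("issuer", ()), "error": None}
    except ssl.SSLCertVerificationError as exc:
        return {"trusted": False, "issuer": None, "error": exc.verify_message}


if __name__ == "__main__":
    import sys
    host = sys.argv[1] if len(sys.argv) > 1 else "nas.example.com"  # placeholder hostname
    result = probe(host)
    print(host, result, "->", diagnose(**result))
```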
