Synology Photos - Trusted Certificate

Hello all,

I am trying to set up my Synology NAS with a Cloudflare Origin Certificate. When I am generating the key and cert within Cloudflare, I am provided with 2 files. In the Synology dialog to add the certificate, it seems to want 3 files.

I would assume the key and certificate in the dialog are the two files I generated, but why is the dialog asking for an intermediate certificate and where does this come from? Is this the origin CA root certificate that I can also download from Cloudflare: https://developers.cloudflare.com/ssl/origin-configuration/origin-ca#h_0eadeb1e-93cd-4698-937d-fb5165d40b54

Thanks,
Steve

I would try without an intermediate certificate, and if that does not work, then try the root CA cert there.

Ok that seemed to work but new question…

I would assume I would see Issued by: filled in with Cloudflare info. I do not. Is this ok?

Origin certs are only good for connections between the origin and Cloudflare. If you want a full SSL certificate then you should look at Edge Certificates.

I have the universal certificate set up, but I thought that is for the client side of this equation? Should I also deploy the edge certificate to my Synology?

You can get an edge certificate for specific hostnames, as you can’t download the cert and key for universal SSL. An origin certificate will not show any errors as long as you only access your Synology via Cloudflare. If you try to access it any other way, it will say the certificate is invalid.

Ok, so I decided to get an edge cert for two specific hostnames. Since this is now activated at the CF edge, how can I determine if they are being used? For example, I have the hostname of photos, so I can access my photos via the Synology Photos app. Should I now see a trusted connection show up in my Photos app that talks to CF?

Wow, sorry, I meant Client Certificates. Then you download these and put them on your NAS.

So in addition to the origin certificate that has been implemented on my NAS, I would then implement these?

You would replace the origin certificate with the edge certificate.

You mean the client certificate, not the edge, correct?

Yes, sorry. I get them confused a lot.
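
Added example, not part of any post in this thread: a pre-import check for the PEM files the Synology dialog asks for. It confirms that the key matches the certificate, that the certificate verifies against the CA certificate supplied with it, and reports the issuer and whether the certificate would verify without that CA. The CA and host certificate are constructed stand-ins generated by the script (not Cloudflare's real Origin CA root), and all function and file names are assumptions.

```shell
#!/bin/sh
# Added example. File names and the demo CA are constructed; nothing here is
# Cloudflare's real Origin CA root or a real NAS certificate.

# Succeeds if private key $1 belongs to certificate $2 (same public key).
key_matches_cert() {
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    c=$(openssl x509 -in "$2" -pubkey -noout 2>/dev/null) || return 1
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# Succeeds if certificate $2 verifies when CA file $1 is supplied as trusted.
chains_to() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Prints the "Issued by" name stored in certificate $1.
issuer_of() {
    openssl x509 -in "$1" -noout -issuer -nameopt RFC2253
}

# Writes a constructed CA (ca.pem) and a key/cert pair (nas.key, nas.pem) to dir $1.
make_demo_files() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=Demo Origin CA" \
        -keyout "$1/ca.key" -out "$1/ca.pem" 2>/dev/null &&
    openssl req -newkey rsa:2048 -nodes -subj "/CN=photos.example.com" \
        -keyout "$1/nas.key" -out "$1/nas.csr" 2>/dev/null &&
    openssl x509 -req -in "$1/nas.csr" -CA "$1/ca.pem" -CAkey "$1/ca.key" \
        -CAcreateserial -days 1 -out "$1/nas.pem" 2>/dev/null
}

# report KEY CERT CA: run the checks in the order the import dialog needs them.
report() {
    key_matches_cert "$1" "$2" || { echo "key does not match certificate"; return 1; }
    chains_to "$3" "$2" || { echo "certificate was not issued by $3"; return 1; }
    issuer_of "$2"
    if openssl verify "$2" >/dev/null 2>&1; then
        echo "verifies against the system trust store"
    else
        echo "not publicly trusted: only peers that trust $3 will accept it"
    fi
}

demo_dir=$(mktemp -d) && make_demo_files "$demo_dir" &&
    report "$demo_dir/nas.key" "$demo_dir/nas.pem" "$demo_dir/ca.pem"
rm -rf "$demo_dir"
```

To check real files, call `report` with the paths of the downloaded key, certificate and CA certificate in place of the demo files.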
