HOWTO: Custom/signed SSL certificates in P5 version 6
Posted by Andre Kuehnemund, Last modified by Andre Kuehnemund on 30 January 2020 17:48
Starting with V6 P5 supports SSL for P5 Web GUI connections only. We do NOT (yet) support SSL for client/b2go connections.
We provide our own self-signed certificate in order to enable SSL connections, but in many cases this may be unacceptable.

The self-signed certificate is located here: 'servers/lexxsrv/modules/nsssl/server.pem'.

There is a way to override the self-signed certificate. It is very simple: one needs to supply a PEM file (see containing BOTH the certificate and the private key, That file must be created and saved in 'config/lexxsrv.pem'. The file itself is a plain text file containing two sections:

(encoded certificate)
(encoded private key)

If the content of the 'config/lexxsrv.pem' file is invalid, the server WILL NOT START. In this case please consult 'log/lexxsrv.log' file for more details. In most cases there will be some invalid character or invalid format in the file.


Both Synology and QNAP (and possibly others) include the ability to obtain free, officially signed SSL certificates from Let's Encrypt ( When you obtain such a certificate, you'll find that it comes with 4 files: cert.pem, chain.pem, fullchain.pem & privkey.pem.

Any one of the first three certificate files can be used. You're also going to need the private key file (privkey.pem).

Step one would be to copy the certificate file to be used and the private key file into the P5 subfolder 'config'.
Next, you would need to concatenate the above two files into a single new file - with the certificate file coming first, then a line feed, then the private key file - like so:

cat cert.pem > config/lexxsrv.pem
echo \n >> config/lexxsrv.pem
cat privkey.pem >> config/lexxsrv.pem

SSL should now be working in P5.

Now, one potential issue with the current process is that those Let's Encrypt certificates need to be auto-renewed every 90 days - meaning you would have to go through the above steps every 90 days. For a future release of P5, we'll be looking into possibly linking to the original Let's Encrypt certificates at '/usr/syno/etc/certificate/system/default/'.

Other official signed SSL certificates are typically good for two years. Therefore, the manual steps outlined above shouldn't be as big of an issue with those.

(0 vote(s))
Not helpful

Comments (0)
Post a new comment
Full Name:
CAPTCHA Verification 
Please enter the text you see in the image into the textbox below (we use this to prevent automated submissions).