How to upload and renew certificates on both Synology DSM and Proxmox VE

In the last article, I wrote how to create your own Certificate Authority to provide certs for your self-hosted services, which is very useful when you have tons of servers, VMs and services deployed in your homelab, as I do. The backbone of my homelab is a Synology NAS server and a Proxmox cluster, along with some docker services here and there. I'm using reverse proxies to access my docker containers with HTTPS: caddy for the ones hosted on Proxmox, and the built-in reverse-proxy from DSM for those hosted on the Synology.

Today, I'll show you particularities of each platform, and how to upload and renew existing certificates in Synology DSM, Proxmox Ve and Caddy; while maintaining the trust in the new certs thanks to the CA we created in the previous article. Let's go!

Renewing and updating certs in Synology DSM

As everything with Synology, we can renew the certificate directly from DSM. Following are the instructions for DSM 7.2, and the official instructions from Synology Knowledge Center can be found here.

1. Go to Control Panel > Security > Certificate.
2. Select the desired certificate.
3. Select Renew certificate from the Action drop-down menu, and click Next. A new private key and certificate signing request will be created.
4. Click Renew certificate to retrieve your new private key and certificate signing request (CSR). You can use the new signing request to reapply for another certificate authority signed certificate.

Then, you can use that CSR to renew your certificate using your own CA.

Renewing and updating certs in Proxmox VE

In contrast with Synology, Proxmox VE doesn't have a built in mechanism to generate a CSR for certificate renewal, and we must do it manually:

1. On a terminal, generate a new private key and a CSR.
2. Then, use that CSR to issue a new certificate.
3. Finally, import the new generated certificate and the private key to Proxmox VE by going in the webgui to Node name > Certificates > Upload Custom Certificate.
4. The previous old certificate should be overwritten. If not, you can manually delete it by selecting it and the clicking on Delete Custom Certificate.

Now, just reload the Proxmox VE webgui and the new cert will be in use.

Renewing and updating certs in a web server like Caddy (and Nginx or Apache)

Caddy requires to be configured manually, usually via an SSH session, but the steps are very similar to what we already know:

1. As with Proxmox VE, on a terminal, generate a new private key and a CSR.
2. Then, use that CSR to issue a new certificate.
3. Now, SSH into your caddy server, and check the configuration at /etc/caddy/Caddyfile to check from where is the server is reading the certs from. You will do the same for Apache or Nginx by looking to their respective configuration files.
4. In my case, in caddy, they are being read from /etc/caddy/certs/ as I can read in the configuration:

tls /etc/caddy/certs/server.crt /etc/caddy/certs/server.key

5. So just replace those files with the key and cert newly generated from the CA.
6. Don't forget to assign the correct permissions to both files:

chmod 644 /etc/caddy/certs/server.crt
chmod 600 /etc/caddy/certs/server.key
chown -R caddy:caddy /etc/caddy/certs/*

7. Finally, restart or reload your webserver to take the new certificates with systemctl reload caddy or caddy reload depending on how you installed it.