loader image

[Guide] Local HTTPS for Plex on Synology (No External Access)

What makes us different from other similar websites? Forums Tech [Guide] Local HTTPS for Plex on Synology (No External Access)

Tagged: , , , , , , ,

Viewing 1 post (of 1 total)
  • Author
    Posts
  • April 3, 2026 at 11:27 pm #8459
    thumbtak
    Moderator

    Goal: Achieve a “Green Lock” (or at least encrypted HTTPS) for local Plex traffic without using Plex Remote Access or opening router ports.

    Prerequisites

    • A Synology NAS running DSM 7.x.
    • A Linux desktop (or any machine with openssl installed).
    • Plex Media Server installed on the NAS.

    Step 1: Export the Synology Certificate
    Synology handles its own HTTPS, but Plex needs a specific file format to use those same credentials.

    • In DSM, go to Control Panel > Security > Certificate.
    • Select your default certificate (Self-Signed or Let’s Encrypt).
    • Click the dropdown next to Add and select Export certificate.
    • Unzip the downloaded folder. You should see cert.pem and privkey.pem.

    Step 2: Convert PEM to PKCS #12 (.p12)
    Plex cannot read .pem files directly. You must bundle them into a password-protected .p12 file.

    1. Open your terminal in the folder containing the exported files.
    2. Run the following command: $ openssl pkcs12 -export -out plex.p12 -inkey privkey.pem -in cert.pem
    3. Important: You will be prompted for an “Export Password.” You must set one; Plex requires a password to initialize the certificate.

    Step 3: Set File Permissions on Synology

    1. Upload plex.p12 to a folder on your NAS (e.g., /volume1/PlexMediaServer/).
    2. Right-click the file in File Station > Properties > Permission.
    3. Ensure the user PlexMediaServer has Read permissions.

    Step 4: Configure Plex Server Settings

    1. Open the Plex Web UI via your local IP: http://[NAS-IP]:32400/web.
    2. Go to Settings > Server > Network.
    3. Click Show Advanced (Top Right).
    4. Fill in the following:
      Custom certificate location: /volume1/PlexMediaServer/plex.p12 (Adjust volume number as needed).
      • Custom certificate encryption key: The password you created in Step 2.
      Custom certificate domain: Your NAS IP or local hostname.
      Secure connections: Set to Required.
    5. Save Changes and Restart the Plex Package in Synology Package Center.

    Step 5: Trust the Certificate (The “Green Lock” Fix)
    Because this is a local/self-signed cert, your browser will show a “Not Secure” warning even though the traffic is encrypted.

    1. Import the original cert.pem into your browser’s Certificate Manager under the Authorities tab.
    2. Check the box to “Trust this certificate for identifying websites.”

    Why do this? Many casting protocols (Chromecast, certain Smart TVs) and browser features require a secure origin (HTTPS) to function correctly. This setup ensures your metadata and streams remain private on your local wire without needing a hole in your firewall.

    • This topic was modified 1 week, 4 days ago by thumbtak. Reason: Updated terminal command
  • Author
    Posts
Viewing 1 post (of 1 total)
  • You must be logged in to reply to this topic.
TAKs Shack