From August 19th 2020, SECTIGO issues SSL certificates with a maximum lifetime of 398 days (13 months) as specified by CA/Browser consortium. SSL certificates with a longer lifetime must be re-issued annually (free of charge). You'll receive reminders via e-mail. SSL certificates issued before August 19th 2020 remain valid until their planned expiry date. Code Signing & S/MIME certificates are not affected and remain valid until their planned expiry date.

Can i obtain a SSL certificate for a server with dynamic IP / DNS / DynDNS address? What about,, subdomains?

Yes, it is possible to obtain a SSL certificate for dynamic IP based servers. For mail authentication you need a proper "MX" DNS entry. Please choose "HTTP" type authentication during CSR placement for servers with <subdomain>, <subdomain> or <subdomain> domain, as authentication emails won't be processed by If you are running your synology disk station with your own domain, you can of course also use email validation.

Synology CAA DNS records are allowing us to issue PositiveSSL and RapidSSL certificates for the following domains:

You can NOT obtain SSL from us for the following domains:

Unfortunately, the CAs had recently been uncooperative on issuing SSL certificates for subdomains. We therefore cannot recommend customers to order a SSL for such domains. Other dynamic DNS providers have not been affected so far.

In general:

Dynamic DNS with your own domain => Email validation:
For validating your SSL certificate via Email you need a valid MX entry for your domain or at least a valid email forwarder with your domain registrar. Allowed Emails are admin@, administrator@webmaster@root@, postmaster@. For validating .com/.net/.org you can also choose the email address from the WHOIS entry of your domain. Please be aware that this option is not available for some domain suffixes (e.g. .de, .at). The certificate authority will send an email with validation link that you will have to approve. Without approval the SSL cannot be issued!

Dynamic DNS subdomain (, => HTTP validation:
For servers on <subdomain>, <subdomain> or <subdomain> etc. please choose "HTTP" validation while placing your CSR. In this case the email validation won't be possible because emails sent to qnap, synology etc. won't ever be forwarded to you. - Of course you can use email validation if your synology diskstation is running on your own domain and can receive validation emails on root@, administrator@, ... 

Please find further details regarding SSL installation in the Synology knowledgebase

Was this answer helpful?

 Print this Article

Also Read

ASN1 bad tag value met. 0x8009310b

Question: I get CertEnroll::Cx509Enrollment::p_InstallResponse: ASN1 bad tag value met....

Microsoft IIS: multi-domain SSL on a single IP. Setting up host headers for IIS with SAN

How to configure SSL host headers in Microsoft IIS...

What does " Vendor Status: Failed Security Review - Please contact your SSL provider" mean?

This is equivalent to "Pending Manual Review by CA". It means your SSL certificate has been...

Converting .CRT (X.509) to .P7B (PKCS#7) file format

Windows:    Instrunctions for Microsoft Windows (Symantec Knowlegde Base) Linux: openssl...

'Broken Certificate Chain' error message

The SSL certificate chain typically consists of:ROOT Certificate INTERMEDIATE Certificate...