TLS certificates need to be renewed regularly, and the tooling that handles renewal typically runs on a dedicated host — not on the router itself. In this setup, the certificate is issued and renewed on a Home Assistant instance using the Let’s Encrypt add-on with DNS-01 validation (more on that automation in a future post); the router just needs to receive the updated files.
SRM reads its TLS certificate from two fixed paths. Copy the files there, restart the right service, done.
The certificate paths
SRM expects the certificate chain and private key at these exact locations on the router:
/usr/syno/etc/ssl/ssl.crt/server.crt ← certificate chain (fullchain.pem)
/usr/syno/etc/ssl/ssl.key/server.key ← private key (privkey.pem)
Restart the service
Then restart the SRM HTTP service, to use the updated TLS certificates.