Good thinking! I'm glad it worked for you.
No, port 80 is only needed when performing the validation for certificate issuance. Unless you choose to use OCSP stapling, you wouldn't need to communicate with the CA at all during the lifetime of the certificate.
By the way, port 80 isn't the only option for validation (there are also methods that use port 443 or DNS records), but perhaps it's the only option directly supported by your NAS.
Thanks for sharing the idea; it's a nice one.
Having a certificate doesn't cause traffic to become encrypted. You need to use encrypted protocols for that. For some of those protocols, like HTTPS, the certificate should be presented in the course of the protocol to authenticate the fact that you have a direct encrypted connection to the server.
You should check which protocols the NAS is using when talking to the client. For example, if the client is a web browser, and you're using HTTPS, that should be fine; on the other hand, if you're using SMB, NFS, or FTP, probably not fine.
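As an added illustration (not part of the original post): one way to check which protocol a client is really speaking to the NAS is to look at the first bytes it sends on a new TCP connection in a packet capture. The sample payloads, the host name `nas.example` and the function names below are constructed for this example.

```python
import struct

# Constructed samples: first client payload on a new TCP connection.
SAMPLES = {
    "https": bytes.fromhex("16030100c8010000c40303") + b"\x00" * 32,
    "http": b"GET /index.html HTTP/1.1\r\nHost: nas.example\r\n\r\n",
    "smb": b"\x00\x00\x00\x44\xfeSMB" + b"\x00" * 60,
    # ONC RPC call: record marker, xid, msg_type=0, rpcvers=2, prog=100003 (NFS), vers=3
    "nfs": struct.pack(">IIIIII", 0x80000028, 0x1234, 0, 2, 100003, 3) + b"\x00" * 20,
    "ftp": b"USER admin\r\n",
}

HTTP_METHODS = (b"GET ", b"POST ", b"PUT ", b"HEAD ", b"DELETE ", b"OPTIONS ")
FTP_COMMANDS = (b"USER ", b"PASS ")


def classify(payload: bytes) -> str:
    """Label a first client payload by its wire format."""
    # TLS record header: type 0x16 (handshake), major version 3,
    # 2-byte length, then handshake type 0x01 (ClientHello).
    if len(payload) >= 6 and payload[0] == 0x16 and payload[1] == 0x03 and payload[5] == 0x01:
        return "tls-client-hello"
    # SMB over TCP: zero byte + 3-byte length, then 0xFF/0xFE "SMB" magic.
    if len(payload) >= 8 and payload[0] == 0 and payload[4:8] in (b"\xffSMB", b"\xfeSMB"):
        return "smb-plain"
    # NFS: RPC call (msg_type 0), RPC version 2, program number 100003.
    if len(payload) >= 20:
        _, _, msg_type, rpc_vers, prog = struct.unpack(">IIIII", payload[:20])
        if msg_type == 0 and rpc_vers == 2 and prog == 100003:
            return "nfs-rpc-plain"
    if payload.startswith(HTTP_METHODS):
        return "http-plain"
    if payload.upper().startswith(FTP_COMMANDS):
        return "ftp-plain"
    return "unknown"


def audit(samples: dict) -> dict:
    """Return {name: (label, starts_tls)} for each captured payload."""
    labels = {name: classify(p) for name, p in samples.items()}
    return {name: (lab, lab == "tls-client-hello") for name, lab in labels.items()}


if __name__ == "__main__":
    for name, (label, starts_tls) in audit(SAMPLES).items():
        print(f"{name:6} {label:18} {'TLS handshake' if starts_tls else 'cleartext on the wire'}")
```

A `tls-client-hello` label only shows that the connection opens with a TLS handshake; whether the server then presents the expected certificate still has to be checked on the client side.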