Self Signed Certificate with Custom Root CA for Home Assistant

Create a root certificate authority (CA) and use it to sign a certificate for your Home Assistant instance. Compatible with Chrome browsers newer than version 58 and with macOS 10.15 Catalina.

Create Root Key

Attention: this is the key used to sign certificate requests; anyone holding it can issue certificates on your behalf, so keep it in a safe place!

openssl genrsa -des3 -out rootCA.key 4096

If you want a key without password protection, just remove the -des3 option.

Create and self sign the Root Certificate

openssl req -x509 -new -nodes -key rootCA.key -sha256 -days 8250 -out rootCA.pem -subj "/CN=Svens Root CA/C=DE/O=Personal Sven"

Here we used our root key to create the root certificate, which needs to be distributed to every computer that has to trust us.

Create a certificate (Done for each HA instance)

This procedure needs to be followed for each server or appliance that needs a trusted certificate from our CA.

Create service.csr.cnf file

# service.csr.cnf
[ req ]
default_bits = 2048
prompt = no
default_md = sha256
# req_extensions = req_ext
distinguished_name = dn

[ dn ]
C = DE
# ST = my_state
# L = my_town
O = Home Assistant
# OU = my_departement_name
# emailAddress = my_emailaddress
CN = homeassistant.local

Create v3.ext file

# v3.ext
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
subjectAltName = @alt_names
extendedKeyUsage=serverAuth

[alt_names]
DNS.1 = homeassistant.local
IP.1 = 10.1.0.0

Create the certificate key and the signing request (CSR)

openssl req -new -sha256 -nodes -out hassio.csr -newkey rsa:2048 -keyout hassio.key -config service.csr.cnf

Create the certificate itself

openssl x509 -req -in hassio.csr -CA rootCA.pem -CAkey rootCA.key -CAcreateserial -out hassio.crt -days 398 -sha256 -extfile v3.ext
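The following is an added example, not part of the gist: it runs the steps above end to end in a scratch directory and checks the result (chain to rootCA.pem, key matches certificate, CA:FALSE, serverAuth, hostname in the SAN) before anything is copied to /ssl/. It assumes the openssl CLI is installed; the CA subject "Demo Root CA" and the scratch directory are constructed placeholders, and the root key is created without -des3 so no passphrase prompt appears.

```shell
# Added example (not the gist's own code): issue CA + server cert as above,
# then verify the server cert before it goes into /ssl/. Needs the openssl CLI.
set -eu

# make_demo_pki DIR: write the gist's service.csr.cnf and v3.ext plus a
# minimal CA config into DIR and issue rootCA.pem, hassio.key, hassio.crt there.
make_demo_pki() {
  d=$1
  printf '%s\n' '[ req ]' 'prompt = no' 'distinguished_name = dn' \
    'x509_extensions = ca' '[ dn ]' 'CN = Demo Root CA' 'C = DE' \
    '[ ca ]' 'basicConstraints = critical,CA:TRUE' \
    'keyUsage = critical,keyCertSign,cRLSign' 'subjectKeyIdentifier = hash' > "$d/ca.cnf"
  printf '%s\n' '[ req ]' 'default_bits = 2048' 'prompt = no' 'default_md = sha256' \
    'distinguished_name = dn' '[ dn ]' 'C = DE' 'O = Home Assistant' \
    'CN = homeassistant.local' > "$d/service.csr.cnf"
  printf '%s\n' 'authorityKeyIdentifier=keyid,issuer' 'basicConstraints=CA:FALSE' \
    'keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment' \
    'subjectAltName = @alt_names' 'extendedKeyUsage=serverAuth' \
    '[alt_names]' 'DNS.1 = homeassistant.local' 'IP.1 = 10.1.0.0' > "$d/v3.ext"
  openssl genrsa -out "$d/rootCA.key" 2048 2>/dev/null          # no -des3: non-interactive
  openssl req -x509 -new -key "$d/rootCA.key" -sha256 -days 8250 \
    -config "$d/ca.cnf" -out "$d/rootCA.pem" 2>/dev/null
  openssl req -new -sha256 -nodes -newkey rsa:2048 -keyout "$d/hassio.key" \
    -out "$d/hassio.csr" -config "$d/service.csr.cnf" 2>/dev/null
  openssl x509 -req -in "$d/hassio.csr" -CA "$d/rootCA.pem" -CAkey "$d/rootCA.key" \
    -CAcreateserial -days 398 -sha256 -extfile "$d/v3.ext" -out "$d/hassio.crt" 2>/dev/null
}

# verify_ha_cert CERT KEY CA HOST: 0 only if CERT chains to CA, its public key
# matches KEY, it is not a CA itself, it allows serverAuth and its SAN lists HOST.
# Each check has its own return code so you can see which step failed.
verify_ha_cert() {
  cert=$1 key=$2 ca=$3 host=$4
  openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1 || return 1
  [ "$(openssl x509 -noout -pubkey -in "$cert")" = \
    "$(openssl pkey -pubout -in "$key")" ] || return 2
  text=$(openssl x509 -noout -text -in "$cert")
  printf '%s\n' "$text" | grep -q 'CA:FALSE' || return 3
  printf '%s\n' "$text" | grep -q 'TLS Web Server Authentication' || return 4
  printf '%s\n' "$text" | grep -q "DNS:$host" || return 5
}

# Stand-alone run: build in a scratch directory, verify, clean up.
work=$(mktemp -d)
make_demo_pki "$work"
verify_ha_cert "$work/hassio.crt" "$work/hassio.key" "$work/rootCA.pem" homeassistant.local \
  && echo "hassio.crt verified against rootCA.pem"
rm -rf "$work"
```

Run the same verify_ha_cert checks against your real hassio.crt, hassio.key and rootCA.pem; a non-zero return tells you which of the five checks to look at.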

Rename hassio.crt and hassio.key

Copy both hassio.crt and hassio.key, through the SSH add-on or the Console, to your HA /ssl/ folder and rename them accordingly:

cp hassio.crt ../fullchain.pem
cp hassio.key ../privkey.pem

Also set the permissions of both files correctly (readable and writable by the file owner only):

chmod 600 fullchain.pem privkey.pem

Set up your configuration.yaml file with the following:

http:
  base_url: https://10.1.0.0:8123
  ssl_certificate: /ssl/fullchain.pem
  ssl_key: /ssl/privkey.pem

Set up the SSL configuration of all your HA add-ons, then reboot the host of your HA instance.

Meanwhile, add the rootCA.pem file to your web browser's or your system-wide certificate authority store.

Install the .pem certificate on Windows using the command line

certutil -addstore -enterprise -f "Root" rootCA.pem

References:

https://serverfault.com/a/867838

https://gist.github.com/fntlnz/cf14feb5a46b2eda428e000157447309

https://superuser.com/questions/1492207/neterr-cert-revoked-in-chrome-chromium-introduced-with-macos-catalina

https://superuser.com/questions/1031444/importing-pem-certificates-on-windows-7-on-the-command-line#1032179

SVNKoch commented Oct 18, 2022

Remark on using Sonos Devices:

If you're planning on using Sonos devices on your network, self-signed certificates from your own CA will not work for you. When you try to play local media or TTS via Home Assistant on your Sonos speakers you will get the error "Unable to play xxx.mp3 the connection to homeassistant.local:8123 was lost.". This is because Sonos doesn't trust your CA and there is no way to add your own CA to Sonos.

From what I can tell so far, your only way of fixing this is to either drop SSL and use HTTP instead in your local network, or have a valid SSL certificate from a real CA and use this one instead. I guess one has to add a DNS redirect from the domain registered in the cert to your local HA instance so that the cert will work, as it doesn't have your local URL in it.
