Skip to content

Instantly share code, notes, and snippets.

@kumekay

kumekay/self-signed-certificate-with-custom-ca-for-home-assistant.md

Forked from tiagofreire-pt/self-signed-certificate-with-custom-ca-for-home-assistant.md
Last active March 26, 2023 10:10
Show Gist options
  • Star 3 You must be signed in to star a gist
  • Fork 1 You must be signed in to fork a gist
  • Save kumekay/660b190bb7aed6a67ae11698de78279c to your computer and use it in GitHub Desktop.
Save kumekay/660b190bb7aed6a67ae11698de78279c to your computer and use it in GitHub Desktop.
Download ZIP
Self Signed Certificate with Custom Root CA for Home Assistant
Raw
self-signed-certificate-with-custom-ca-for-home-assistant.md

Create Root Certificate Authority and self-signed certificate for your Home Assistant. Compatible with Chrome browser > version 58 and macOS 10.15 Catalina

Create Root Key

Attention: this is the key used to sign the certificate requests, anyone holding this can sign certificates on your behalf. So keep it in a safe place!

openssl genrsa -des3 -out rootCA.key 4096

If you want a non password protected key just remove the -des3 option

Create and self sign the Root Certificate

openssl req -x509 -new -nodes -key rootCA.key -sha256 -days 825 -out rootCA.pem

Here we used our root key to create the root certificate that needs to be distributed in all the computers that have to trust us.

Create a certificate (Done for each HA instance)

This procedure needs to be followed for each server/appliance that needs a trusted certificate from our CA

Create rootCA.csr.cnf file

# rootCA.csr.cnf
[req]
default_bits = 2048
prompt = no
default_md = sha256
distinguished_name = dn

[dn]
C=my_2_letters_ISO_country
ST=my_state
L=my_town
O=my_organization_name
OU=my_departement_name
emailAddress=my_emailaddress
CN = my_local_ha_domain_name_check_your_local_dhcp_or_dns_server_eg_hassio.homelan

Create v3.ext file

# v3.ext
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
extendedKeyUsage=serverAuth
subjectAltName = @alt_names

[alt_names]
DNS.1 = my_local_ha_domain_name_check_your_local_dhcp_or_dns_server_eg_hassio.homelan
IP.1 = my_local_ha_ip_address_check_your_local_dhcp_or_dns_server_eg_192.168.1.22

Create the certificate key

openssl req -new -sha256 -nodes -out hassio.csr -newkey rsa:2048 -keyout hassio.key -config <( cat rootCA.csr.cnf )

Create the certificate itself

openssl x509 -req -in hassio.csr -CA rootCA.pem -CAkey rootCA.key -CAcreateserial -out hassio.crt -days 825 -sha256 -extfile v3.ext

Rename hassio.crt and hassio.key

Copy both hassio.crt and hassio.key, through SSH add-on or Console, to your HA /ssl/ folder and rename both accordingly:

rename hassio.crt fullchain.pem
rename hassio.key privkey.pem

Also, setup correctly both file permissions (only read and write by the file owner):

chmod 600 fullchain.pem privkey.pem

Setup your configuration.yaml file with the following:

http:
  base_url: https://YOUR_HA_IP_ADDRESS:8123
  ssl_certificate: /ssl/fullchain.pem
  ssl_key: /ssl/privkey.pem

Setup all your HA add-ons with its SSL configuration and reboot afterwards the host of your HA instance.

Meanwhile, add the rootCA.pem file to your web browser or system wise Authority Certicates repository.

References:

https://serverfault.com/a/867838

https://gist.github.com/fntlnz/cf14feb5a46b2eda428e000157447309

https://superuser.com/questions/1492207/neterr-cert-revoked-in-chrome-chromium-introduced-with-macos-catalina

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment