Create Root Certificate Authority and self-signed certificate for your Home Assistant. Compatible with Chrome browser > version 58 and macOS 10.15 Catalina
Create Root Key
Attention: this is the key used to sign the certificate requests; anyone holding it can sign certificates on your behalf, so keep it in a safe place!
openssl genrsa -des3 -out rootCA.key 4096
If you want a non password protected key just remove the
Create and self sign the Root Certificate
openssl req -x509 -new -nodes -key rootCA.key -sha256 -days 825 -out rootCA.pem
Here we used our root key to create the root certificate, which needs to be distributed to all the computers that have to trust us.
Create a certificate (Done for each HA instance)
This procedure needs to be followed for each server/appliance that needs a trusted certificate from our CA.
Create rootCA.csr.cnf file
# rootCA.csr.cnf
[req]
default_bits = 2048
prompt = no
default_md = sha256
distinguished_name = dn
[dn]
C=my_2_letters_ISO_country
ST=my_state
L=my_town
O=my_organization_name
OU=my_departement_name
emailAddress=my_emailaddress
CN = my_local_ha_domain_name_check_your_local_dhcp_or_dns_server_eg_hassio.homelan
Create v3.ext file
# v3.ext
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
extendedKeyUsage=serverAuth
subjectAltName = @alt_names
[alt_names]
DNS.1 = my_local_ha_domain_name_check_your_local_dhcp_or_dns_server_eg_hassio.homelan
IP.1 = my_local_ha_ip_address_check_your_local_dhcp_or_dns_server_eg_192.168.1.22
Create the certificate key
openssl req -new -sha256 -nodes -out hassio.csr -newkey rsa:2048 -keyout hassio.key -config <( cat rootCA.csr.cnf )
Create the certificate itself
openssl x509 -req -in hassio.csr -CA rootCA.pem -CAkey rootCA.key -CAcreateserial -out hassio.crt -days 825 -sha256 -extfile v3.ext
Rename hassio.crt and hassio.key
Copy both hassio.crt and hassio.key, through SSH add-on or Console, to your HA /ssl/ folder and rename both accordingly:
mv hassio.crt fullchain.pem
mv hassio.key privkey.pem
Also set both files' permissions correctly (read and write by the file owner only):
chmod 600 fullchain.pem privkey.pem
Set up your configuration.yaml file with the following:
http:
  base_url: https://YOUR_HA_IP_ADDRESS:8123
  ssl_certificate: /ssl/fullchain.pem
  ssl_key: /ssl/privkey.pem
Set up the SSL configuration of all your HA add-ons, then reboot the host of your HA instance.
Meanwhile, add the rootCA.pem file to your web browser's or system-wide Certificate Authorities repository.
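A check worth running on hassio.crt before it is copied to /ssl/, given here as an added example that is not part of the original page: it confirms the certificate chains to rootCA.pem, carries the hostname and IP in subjectAltName, is not a CA, and matches its private key. The helper names make_demo_pki and check_ha_cert, the demo.cnf file and the "Demo Home Root CA" subject are assumptions made for the demonstration, and the -ext option needs OpenSSL 1.1.1 or later.

```sh
#!/bin/sh
# Added example (not from the original page). Assumes OpenSSL 1.1.1 or later.

# make_demo_pki DIR HOST IP: hypothetical helper that builds a throwaway root CA
# and leaf (constructed demo data) with the page's commands, minus the passphrase.
make_demo_pki() (
  cd "$1" || exit 1
  printf '%s\n' '[req]' 'prompt=no' 'distinguished_name=dn' 'x509_extensions=v3_ca' \
    '[dn]' 'CN=Demo Home Root CA' \
    '[v3_ca]' 'basicConstraints=critical,CA:TRUE' 'subjectKeyIdentifier=hash' > demo.cnf
  printf '%s\n' 'authorityKeyIdentifier=keyid,issuer' 'basicConstraints=CA:FALSE' \
    'keyUsage=digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment' \
    'extendedKeyUsage=serverAuth' "subjectAltName=DNS:$2,IP:$3" > v3.ext
  { openssl genrsa -out rootCA.key 2048 &&
    openssl req -x509 -new -nodes -key rootCA.key -sha256 -days 825 \
      -config demo.cnf -out rootCA.pem &&
    openssl req -new -sha256 -nodes -newkey rsa:2048 -keyout hassio.key \
      -config demo.cnf -subj "/CN=$2" -out hassio.csr &&
    openssl x509 -req -in hassio.csr -CA rootCA.pem -CAkey rootCA.key \
      -CAcreateserial -out hassio.crt -days 825 -sha256 -extfile v3.ext
  } >/dev/null 2>&1
)

# check_ha_cert CA CERT KEY HOST IP: returns 0 only if every check passes.
check_ha_cert() (
  fail() { echo "FAIL: $1"; exit 1; }
  # 1. Leaf chains to the root and is acceptable as a TLS server certificate.
  openssl verify -CAfile "$1" -purpose sslserver "$2" >/dev/null 2>&1 ||
    fail "does not chain to $1"
  # 2. Browsers ignore the CN, so both names must be in subjectAltName.
  san=$(openssl x509 -in "$2" -noout -ext subjectAltName 2>/dev/null |
        grep -E 'DNS:|IP Address:' | tr -d ' ')
  case ",$san," in *",DNS:$4,"*) ;; *) fail "SAN lacks DNS:$4" ;; esac
  case ",$san," in *",IPAddress:$5,"*) ;; *) fail "SAN lacks IP:$5" ;; esac
  # 3. The leaf must not be usable as a CA.
  openssl x509 -in "$2" -noout -ext basicConstraints 2>/dev/null |
    grep -q 'CA:FALSE' || fail "basicConstraints is not CA:FALSE"
  # 4. The private key belongs to this certificate.
  [ "$(openssl x509 -in "$2" -noout -pubkey)" = "$(openssl pkey -in "$3" -pubout)" ] ||
    fail "key does not match certificate"
  echo "OK: $2"
)

# Demo run in a temporary directory (hostname and IP are the page's own examples).
d=$(mktemp -d) && make_demo_pki "$d" hassio.homelan 192.168.1.22 &&
  check_ha_cert "$d/rootCA.pem" "$d/hassio.crt" "$d/hassio.key" hassio.homelan 192.168.1.22
rm -rf "$d"
```

Against your real files, call check_ha_cert with rootCA.pem, hassio.crt, hassio.key and the DNS name and IP address you put in v3.ext.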