Create a Root Certificate Authority and a self-signed certificate for your Home Assistant. Compatible with Chrome version 58 and later, including the new macOS Catalina 10.15 / iOS 13 (and above) requirements.
Create Root Key
Attention: this is the key used to sign the certificate requests; anyone holding it can sign certificates on your behalf, so keep it in a safe place!
openssl genrsa -des3 -out rootCA.key 4096
If you want a key that is not password protected, just remove the -des3 option.
Create and self sign the Root Certificate
openssl req -x509 -new -nodes -key rootCA.key -sha256 -days 3650 -out rootCA.pem
Use this one instead only if you plan to use/allow Apple devices running macOS 10.15 / iOS 13 (or above):
openssl req -x509 -new -nodes -key rootCA.key -sha256 -days 825 -out rootCA.pem
Here we used our root key to create the root certificate, which needs to be distributed to all the computers that have to trust us.
Create a certificate (Done for each HA instance)
This procedure needs to be followed for each server/appliance that needs a certificate trusted through our CA.
Create rootCA.csr.cnf file
# rootCA.csr.cnf
[req]
default_bits = 2048
prompt = no
default_md = sha256
distinguished_name = dn
[dn]
C=my_2_letters_ISO_country
ST=my_state
L=my_town
O=my_organization_name
OU=my_department_name
emailAddress=my_emailaddress
CN = my_local_ha_domain_name_check_your_local_dhcp_or_dns_server_eg_hassio.homelan
Create v3.ext file
# v3.ext
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
subjectAltName = @alt_names
extendedKeyUsage=serverAuth
[alt_names]
DNS.1 = my_local_ha_domain_name_check_your_local_dhcp_or_dns_server_eg_hassio.homelan
IP.1 = my_local_ha_ip_address_check_your_local_dhcp_or_dns_server_eg_192.168.1.22
Create the certificate key
openssl req -new -sha256 -nodes -out hassio.csr -newkey rsa:2048 -keyout hassio.key -config rootCA.csr.cnf
Exclusively on Windows: pay attention to the rootCA.csr.cnf file path after -config. Follow this example, changing it accordingly:
openssl req -new -sha256 -nodes -out hassio.csr -newkey rsa:2048 -keyout hassio.key -config "C:\Program Files\Git\usr\bin\rootCA.csr.cnf"
Create the certificate itself
openssl x509 -req -in hassio.csr -CA rootCA.pem -CAkey rootCA.key -CAcreateserial -out hassio.crt -days 3650 -sha256 -extfile v3.ext
Use this one instead only if you plan to use/allow Apple devices running macOS 10.15 / iOS 13 (or above):
openssl x509 -req -in hassio.csr -CA rootCA.pem -CAkey rootCA.key -CAcreateserial -out hassio.crt -days 825 -sha256 -extfile v3.ext
Rename hassio.crt and hassio.key
Copy both hassio.crt and hassio.key, through the SSH add-on or the console, to your HA /ssl/ folder and rename them accordingly:
mv hassio.crt fullchain.pem
mv hassio.key privkey.pem
Also, set the permissions of both files correctly (readable and writable only by the file owner):
chmod 600 fullchain.pem privkey.pem
Set up your configuration.yaml file with the following:
http:
  # base_url was later replaced by internal_url / external_url under the homeassistant: section in newer Home Assistant releases
  base_url: https://YOUR_HA_IP_ADDRESS:8123
  ssl_certificate: /ssl/fullchain.pem
  ssl_key: /ssl/privkey.pem
Set up the SSL configuration of all your HA add-ons, then reboot the host of your HA instance.
Meanwhile, add the rootCA.pem file to your web browser's or your system-wide Certificate Authority store.
References:
https://serverfault.com/a/867838
https://gist.github.com/fntlnz/cf14feb5a46b2eda428e000157447309
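The whole procedure above, as an added example that is not part of the original post: a bash script that builds the root CA and one HA leaf certificate unattended in a scratch directory, then runs the checks a browser (and an Apple device) will apply before trusting it. It uses -aes256 instead of the legacy -des3 for the root key, marks the root explicitly as CA:TRUE, and trims keyUsage to what TLS needs. The hostname hassio.homelan, the address 192.168.1.22, the "Home Lab" names, the passphrase changeme and the function names are placeholders I assumed for the example; replace them with your own values.

```shell
#!/usr/bin/env bash
# Added example: root CA + HA leaf certificate, then the checks that matter.
# Placeholder values (assumptions): hassio.homelan, 192.168.1.22, "Home Lab", changeme.
set -eu

HA_FQDN="${HA_FQDN:-hassio.homelan}"   # assumed local DNS name of the HA instance
HA_IP="${HA_IP:-192.168.1.22}"         # assumed local IP address of the HA instance
ROOT_DAYS=3650
LEAF_DAYS=825             # macOS 10.15 / iOS 13+ reject server certs valid for more than 825 days
CA_PASS="pass:changeme"   # placeholder; protect a real CA key with a strong passphrase

# Root CA: encrypted 4096-bit key plus a self-signed certificate explicitly marked CA:TRUE.
make_root_ca() {  # $1 = working directory
  local dir="$1"
  openssl genrsa -aes256 -passout "$CA_PASS" -out "$dir/rootCA.key" 4096 2>/dev/null || return 1
  cat > "$dir/rootCA.cnf" <<EOF
[req]
prompt = no
distinguished_name = dn
x509_extensions = v3_ca
[dn]
CN = Home Lab Root CA
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
  openssl req -x509 -new -key "$dir/rootCA.key" -passin "$CA_PASS" -sha256 \
    -days "$ROOT_DAYS" -config "$dir/rootCA.cnf" -out "$dir/rootCA.pem" || return 1
}

# Leaf certificate for one HA instance: key + CSR, signed by the root with the
# v3 extensions from the post (SAN with DNS and IP, serverAuth, CA:FALSE).
make_leaf_cert() {  # $1 = working directory
  local dir="$1"
  cat > "$dir/hassio.csr.cnf" <<EOF
[req]
default_bits = 2048
prompt = no
default_md = sha256
distinguished_name = dn
[dn]
CN = $HA_FQDN
EOF
  cat > "$dir/v3.ext" <<EOF
authorityKeyIdentifier = keyid,issuer
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names
[alt_names]
DNS.1 = $HA_FQDN
IP.1 = $HA_IP
EOF
  openssl req -new -sha256 -nodes -newkey rsa:2048 -keyout "$dir/hassio.key" \
    -out "$dir/hassio.csr" -config "$dir/hassio.csr.cnf" 2>/dev/null || return 1
  openssl x509 -req -in "$dir/hassio.csr" -CA "$dir/rootCA.pem" -CAkey "$dir/rootCA.key" \
    -passin "$CA_PASS" -CAcreateserial -days "$LEAF_DAYS" -sha256 \
    -extfile "$dir/v3.ext" -out "$dir/hassio.crt" 2>/dev/null || return 1
  chmod 600 "$dir/hassio.key"
}

# Chains to our root, carries the SAN entries we connect to, is a server cert,
# and stays inside Apple's 825-day limit.
check_cert() {  # $1 = working directory
  local dir="$1" text
  openssl verify -CAfile "$dir/rootCA.pem" "$dir/hassio.crt" >/dev/null || return 1
  text=$(openssl x509 -in "$dir/hassio.crt" -noout -text) || return 1
  echo "$text" | grep -q "DNS:$HA_FQDN" || return 1
  echo "$text" | grep -q "IP Address:$HA_IP" || return 1
  echo "$text" | grep -q "TLS Web Server Authentication" || return 1
  echo "$text" | grep -q "CA:FALSE" || return 1
  # -checkend exits 0 when the cert is still valid N seconds from now, so a
  # cert that survives 826 days is one Apple devices would reject.
  if openssl x509 -in "$dir/hassio.crt" -noout -checkend $((826 * 86400)) >/dev/null; then
    echo "leaf certificate valid for more than 825 days" >&2
    return 1
  fi
}

# The manual step from the post: the file names HA expects under /ssl, owner-only.
install_for_ha() {  # $1 = working directory, $2 = HA ssl directory (normally /ssl)
  cp "$1/hassio.crt" "$2/fullchain.pem" || return 1
  cp "$1/hassio.key" "$2/privkey.pem" || return 1
  chmod 600 "$2/fullchain.pem" "$2/privkey.pem"
}

demo() {
  command -v openssl >/dev/null 2>&1 || { echo "openssl not found, skipping" >&2; return 0; }
  local work
  work=$(mktemp -d) || return 1
  make_root_ca "$work" || return 1
  make_leaf_cert "$work" || return 1
  check_cert "$work" || return 1
  mkdir -p "$work/ssl" && install_for_ha "$work" "$work/ssl" || return 1
  echo "CA and leaf certificate written to $work; import $work/rootCA.pem into your browsers/OS"
}

demo
```

Note on the 825-day figure: Apple's rule applies to the server (leaf) certificate, so the script keeps 3650 days for the root and 825 for the leaf. Because the leaf is issued directly by the root, fullchain.pem needs no intermediate appended; the rootCA.pem file is what you import on every client, while rootCA.key never leaves the machine where you sign.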
Trying my luck again by bumping this question(^^).
I'm sure there must be someone using Google Home and having a custom root CA in his home. :-)