Create Root Certificate Authority and self-signed certificate for your Home Assistant. Compatible with Chrome browser > version 58 and macOS 10.15 Catalina
Attention: this is the key used to sign the certificate requests, anyone holding this can sign certificates on your behalf. So keep it in a safe place!
openssl genrsa -des3 -out rootCA.key 4096
If you want a non password protected key just remove the -des3
option
openssl req -x509 -new -nodes -key rootCA.key -sha256 -days 825 -out rootCA.pem
Here we used our root key to create the root certificate that needs to be distributed in all the computers that have to trust us.
This procedure needs to be followed for each server/appliance that needs a trusted certificate from our CA
# rootCA.csr.cnf
[req]
default_bits = 2048
prompt = no
default_md = sha256
distinguished_name = dn
[dn]
C=my_2_letters_ISO_country
ST=my_state
L=my_town
O=my_organization_name
OU=my_departement_name
emailAddress=my_emailaddress
CN = my_local_ha_domain_name_check_your_local_dhcp_or_dns_server_eg_hassio.homelan
# v3.ext
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
extendedKeyUsage=serverAuth
subjectAltName = @alt_names
[alt_names]
DNS.1 = my_local_ha_domain_name_check_your_local_dhcp_or_dns_server_eg_hassio.homelan
IP.1 = my_local_ha_ip_address_check_your_local_dhcp_or_dns_server_eg_192.168.1.22
openssl req -new -sha256 -nodes -out hassio.csr -newkey rsa:2048 -keyout hassio.key -config <( cat rootCA.csr.cnf )
openssl x509 -req -in hassio.csr -CA rootCA.pem -CAkey rootCA.key -CAcreateserial -out hassio.crt -days 825 -sha256 -extfile v3.ext
Copy both hassio.crt and hassio.key, through SSH add-on or Console, to your HA /ssl/ folder and rename both accordingly:
rename hassio.crt fullchain.pem
rename hassio.key privkey.pem
Also, setup correctly both file permissions (only read and write by the file owner):
chmod 600 fullchain.pem privkey.pem
Setup your configuration.yaml file with the following:
http:
base_url: https://YOUR_HA_IP_ADDRESS:8123
ssl_certificate: /ssl/fullchain.pem
ssl_key: /ssl/privkey.pem
Setup all your HA add-ons with its SSL configuration and reboot afterwards the host of your HA instance.
Meanwhile, add the rootCA.pem file to your web browser or system wise Authority Certicates repository.
https://serverfault.com/a/867838
https://gist.github.com/fntlnz/cf14feb5a46b2eda428e000157447309