The following guide creates a Self-Signed SSL Certificate for internal use with a validity of 1 year.
Sources used to create this guide:
Mozilla Wiki – SecurityEngineering/x509Certs
Medium – Create your own Certificate Authority
I used Raspberry Pi OS (bullseye) to create the SSL certificates.
Step 1 : Create the CA Private Key
openssl genrsa -des3 -out CAPrivate.key 2048
Step 2: Generate the CA Root certificate
openssl req -x509 -new -nodes -key CAPrivate.key -sha256 -days 365 -out CAPrivate.pem
Step 3 : Create a Private Key
openssl genrsa -out MyPrivate.key 2048
Step 4 : Generate the CSR
openssl req -new -key MyPrivate.key -extensions v3_ca -out MyRequest.csr
Step 5: Create extensions file to specify subjectAltName
Create an extensions file named:
File Contents of
openssl.ss.cnf (replace *.mydomain.tld with your domain):
basicConstraints=CA:FALSE subjectAltName=DNS:*.mydomain.tld extendedKeyUsage=serverAuth
Step 6: Generate the Certificate using the CSR
openssl x509 -req -in MyRequest.csr -CA CAPrivate.pem -CAkey CAPrivate.key -CAcreateserial -extfile openssl.ss.cnf -out MyCert.crt -days 365 -sha256
Step 7: Install the Certificate / Private Key on your Web Server / Application
Read the manual of the Web Server / Application to install SSL certificates.
Step 8: Copy the CA Root certificate and import it in the proper Certificate Store of the OS/Application
[Windows] Copy CAPrivate.pem to computer, rename to CAPrivate.crt and import to Trusted Root Authorities Store.
Please read the following disclaimer before making changes to your device / software:
Disclaimer * I'm not responsible for bricked devices, dead SD cards, thermonuclear war, or you getting fired because the alarm app failed. * YOU are choosing to make these modifications, and if you point the finger at me for messing up your device, I will laugh at you. * Your warranty will be void if you tamper with any part of your device / software.
Leave a Reply