Create Your Own Certificate Authority (CA) for Homelab Environment
Setting up a custom Certificate Authority (CA) for your homelab environment allows you to issue TLS certificates for internal systems, providing encrypted connections and authentication without relying on external CAs. In this post, we’ll walk through the steps to create your own CA, generate certificates, and install them for use in your homelab.
Why Create Your Own Certificate Authority?
In a homelab environment, using self-signed certificates can lead to trust issues with browsers and services that require secure communication. By creating your own CA, you can manage trust within your internal network and issue certificates for your services (e.g., web servers, APIs) that are trusted across your systems.
Creating a CA also helps you practice certificate management, a valuable skill in real-world production environments.
Step 1: Install OpenSSL
OpenSSL is a popular tool for working with certificates and cryptographic materials. If OpenSSL is not already installed, you can install it using the following command on most Linux distributions:
sudo apt-get update
sudo apt-get install openssl
For RedHat-based systems:
sudo yum install openssl
Step 2: Create the Root Certificate Authority
The first step in setting up your CA is to create the root certificate that will be used to sign all other certificates.
1. Create a Private Key for the CA
openssl genrsa -des3 -out ca.key 4096
This generates a 4096-bit RSA private key for the CA, secured with a password.
2. Create a Self-Signed Root Certificate
Use the CA private key to generate a self-signed root certificate:
openssl req -x509 -new -nodes -key ca.key -sha256 -days 3650 -out ca.crt
You’ll be prompted to fill in information such as the country, organization, and common name. For the common name, use a name that clearly identifies this as your root CA, such as Homelab Root CA
.
The -days 3650
flag sets the validity of the certificate to 10 years. Adjust the number of days as needed.
Step 3: Create Certificates for Internal Services
Once the root CA is created, you can use it to sign certificates for your internal services.
1. Create a Private Key for the Service
Generate a private key for the service (e.g., a web server):
openssl genrsa -out server.key 2048
2. Generate a Certificate Signing Request (CSR)
Create a CSR that will be signed by the root CA:
openssl req -new -key server.key -out server.csr
When prompted, ensure that the common name (CN) matches the fully qualified domain name (FQDN) of the service (e.g., myapp.homelab.local
).
3. Sign the CSR with the Root CA
Sign the CSR using your root CA to generate the service certificate:
openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out server.crt -days 365 -sha256
This generates a certificate (server.crt
) that is valid for 1 year and signed by your root CA. The CAcreateserial
flag generates a new serial number for the certificate.
Step 4: Install the Root CA on Trusted Devices
To avoid browser and system warnings about untrusted certificates, you’ll need to install the root CA certificate (ca.crt
) on all trusted devices.
For Linux
Copy the root certificate to the appropriate directory and update the CA certificates:
sudo cp ca.crt /usr/local/share/ca-certificates/homelab-ca.crt
sudo update-ca-certificates
For Windows
- Open mmc.exe and add the Certificates snap-in.
- Select Trusted Root Certification Authorities > Certificates.
- Right-click and choose Import, then follow the prompts to import
ca.crt
.
For macOS
- Open Keychain Access.
- Drag and drop the
ca.crt
file into the System keychain. - Set the certificate to Always Trust.
Step 5: Configure Services to Use the Signed Certificate
For any internal service (e.g., NGINX, Apache), configure it to use the signed certificate (server.crt
) and private key (server.key
).
Example for NGINX
server {
listen 443 ssl;
server_name myapp.homelab.local;
ssl_certificate /etc/nginx/ssl/server.crt;
ssl_certificate_key /etc/nginx/ssl/server.key;
location / {
# Your app configuration
}
}
After updating the configuration, restart the service:
sudo systemctl restart nginx
Step 6: Verify the Certificate
Once the service is configured with the signed certificate, you can test it by accessing the service from a browser. If everything is configured correctly and the root CA is trusted, the browser should establish a secure connection without warnings.
You can also use openssl
to verify the certificate chain:
openssl verify -CAfile ca.crt server.crt
This command should return server.crt: OK
if the certificate chain is valid.
Final Thoughts
Creating your own Certificate Authority for a homelab environment is a great way to practice certificate management and secure internal communications. With your CA in place, you can issue trusted certificates for all your internal services, ensuring encrypted connections and eliminating browser warnings.