To use TSL on a local network with self-signed there are several options:
- Use ACME and a service like Let's Encrypte to automatically manage certificates. This required an internet connection between the server and the certificate provider.
- Create a self-signed certificate (e.g. with
openssl). This cert has be manually whitelisted for any clients accessing the server. - Slight improvement on 2., create a new certificate authority (CA) (basically just a key pair with some extra meta-data in the form of a
.crtcertificate file containing the public key and meta-data, and a.keyfile containing the private key). The new CA is used to sign a certificate for the server. The CA should be added as a trusted CA for clients of the server.
See and edit the parameters in the Makefile, and then make to produce:
- CA certificate
- CA private key
- server certificate
- server private key
Keep the CA private key safe because it enables new certs to be produced that are considered trusted for any devices on which the CA has been added as a trusted CA!
The steps in the Makefile were informed by this blog post.