Skip to main content

Explainer of how this stuff works

You know how there are services like Let's Encrypt offering SSL Certificates that work on the WAN and the World Wide Web? Well we are going become our own Certificate Authority like let's encrypt, and we will sign our own ssl certificates with our custom CA (Certificate Authority) certificate.

This is how the system works:

On almost every device, certificates of "trusted Root Certificate Authorities" are stored, so that when you visit a HTTPS website, and the SSL it presents is signed by one of these "Trusted Root Certificate Authorities", the device/ browser will automatically trust it and display the lock symbol.

If you want to see these "Trusted Root Certificate Authorities" for yourself, follow the steps below:

On windows:

Press on the start button, and search certificates and you should see an app called "Manage Computer Certificates"

Click on that, and on the left menu, you should see "Trusted Root Certificate Authorities".

Click on that and you should see a massive dropdown with names of many different companies and familiar ones such as Microsoft, Amazon, Google etc., This means that any website that presents SSLs, signed by any of these Root CAs, will be instantly trusted.

To create our own SSL certs for local domains, we need to first create a Certificate Authority file, which will then sign our generated SSLs, I will explain the process as we go ahead.

  • You need to know how to setup your own local, recursive DNS server and create local DNS records that point to certain IP addresses (Something like Pi-hole is perfect for this)
  • You need to have a linux machine
How we will implement this on our local LAN:
  • Using our local DNS resolver like Pi-Hole, we will create custom domains (something like to point to an IP address running a particular services
  • We will create a Certificate Authority File and add it to the "Trusted Root Certificate Authority" store of the devices you will be using to visit these custom domains**
  • We will generate SSL certs that are signed by our CA file
  • You can either upload this SSL directly into service like Proxmox's Web UI, or you can use a reverse proxy like NGINX Proxy Manager to configure SSLs, just like you would for the WAN.

Proceed to next page, to see steps on how to create SSLs