mkcert
A simple zero-config tool to make locally trusted development certificates with any names you'd like.
Once you've got that, you'll want to set up acme.sh to acquire an SSL certificate from Let's Encrypt using DNS-01 verification. You can skip this program and do the process manually, but it has to be redone every 3 months (that's how long Let's Encrypt certs are valid for).
Both approaches - self-signed CA as well as Let's Encrypt - have pros and cons and their own challenges / limitations. For very first tests and only a small number of SSL clients I would start with https://github.com/FiloSottile/mkcert. This allows first results without any other external dependencies. mkcert also helps to add the self-signed CA cert to the standard CA trust on your other local devices (last topic in its README). The advantage is that this CA trust setup is a one-time task for each new device, per lifetime of the CA.
When external dependency / privacy is a problem, the local CA approach can of course be done with more complete CA solutions than the simple mkcert, ranging from openssl-based approaches based on https://pki-tutorial.readthedocs.io/, over e.g. a PKI service embedded in a local HashiCorp Vault, to even more complete local CA applications. And all those local CA approaches then have the additional advantage that the self-signed CA can be used for additional use cases, e.g. issuing SSL client certificates for mutually authenticated SSL tunnels. But of course this is in most cases beyond the needs of e.g. a local home lab.