Creating a custom certificate
The following description is augmented with example calls using OpenSSL in a linux terminal.
- Create a private key for your certificate:
openssl genrsa -out certificate-key.pem 4096 - For the certificate signing request (CSR), create a configuration file req.conf in the same folder where you execute the OpenSSL commands.
- Paste the following configuration into req.conf:
[req]distinguished_name = req_distinguished_namereq_extensions = v3_reqprompt = no[req_distinguished_name]C = <COUNTRY_CODE>ST = <STATE>L = <LOCATION>O = <YOUR_ORGANISATION>CN = <IP-ADDRESS>[v3_req]keyUsage = keyEncipherment, dataEncipherment, digitalSignatureextendedKeyUsage = serverAuthsubjectAltName = @alt_names[alt_names]IP.1 = <IP-ADDRESS>IP.2 = 192.168.10.202- Replace <COUNTRY_CODE>, <STATE>, <LOCATION> and <YOUR_ORGANISATION> with the desired values.
- Replace both properties <IP-ADDRESS> with the IP address of your device.
- Create the CSR:
openssl req -new -key certificate-key.pem -out certificate.csr -sha512 -config req.conf 
The CSR must be signed by a certificate authority (CA) that your browser trusts. You can either give the CSR to a well-known CA your browser trusts by default or use a custom CA to sign your CSR.
- If you give the CSR to a well-known CA, you will get back a signed certificate. You can upload the certificate.
- If you want to sign the CSR with a custom or enterprise CA, proceed as follows.
- Sign the CSR with a private key of a custom CA:
openssl x509 -req -in certificate.csr -CA <CA_ROOT.PEM> -CAkey <CA_KEY.PEM> -CAcreateserial -out certificate-pub.pem -days 365 -sha512 -extfile req.conf -extensions v3_req - Replace <CA_ROOT.PEM> and <CA_KEY.PEM> with the certificate and private key of the trusted CA.
If the CA is not included in the list of trusted CAs in your browser, you have to add the CA to the browser's trusted CA list.