I wanted HTTPS on my Home Assistant UI, even on my local network. Not because I love extra work, but because browsers, apps, and integrations increasingly assume TLS is the default. A self-signed certificate is a quick way to enable HTTPS without needing a domain name or a public certificate.
This guide sets up Home Assistant to serve HTTPS using a self-signed certificate.
If you want the “no warnings” experience, use a proper local CA (like mkcert) or Let’s Encrypt via a domain + reverse proxy. But for “I just want HTTPS now”, self-signed is fine.
Step 1: Create a self-signed certificate
Generate the certificates directly in Home Assistant Terminal (if you have it).
If you have the Terminal & SSH add-on and can access a shell, you can run the following commands there. Just make sure you place the files in /ssl.
On your Home Assistant Terminal first make sure you have installed openssl. Then run:
openssl req -new -x509 -days 3650 -nodes -keyout ssl/homeassistant.key -out ssl/homeassistant.crtWhen asked for “Common Name”, use the hostname you browse to, for example:
homeassistant.localassistant.home- or the IP address (less ideal, but works for many local setups)
You will end up with:
homeassistant.keyhomeassistant.crt
Step 2: Configure Home Assistant to use SSL
Edit your configuration.yaml and add (or update) the http: block:
http:
ssl_certificate: /ssl/homeassistant.crt
ssl_key: /ssl/homeassistant.key
Save the file.
Now restart Home Assistant (Settings -> System -> Restart).
Step 3: Test HTTPS
After the restart, open:
https://<your-home-assistant-hostname>:8123
Example:
https://assistant.home:8123
You will almost certainly get a browser warning like “Your connection is not private”. That is expected with self-signed certificates.
Proceed anyway (usually Advanced -> Continue).
Step 4: Make the warning less annoying (optional)
Trust the certificate on your own devices. The goal is to trust your local Certificate Authority (CA) that signed the Home Assistant certificate, not the Home Assistant certificate itself.
Download the CA certificate (often offered via the browser warning screen). If you downloaded a .pem file, you can rename it to .crt.
If you import the .crt file into your OS trust store, most browsers will stop complaining.
Linux (Ubuntu)
Copy the CA certificate to the local CA store and update the trust database:
sudo cp my-ca.crt /usr/local/share/ca-certificates/
sudo update-ca-certificates
Note: Firefox can still complain even when the OS trusts the certificate. In that case, import your CA certificate in Firefox:
- Settings -> Privacy & Security -> Certificates -> View Certificates
- Authorities tab -> Import
- Select your CA certificate and tick “Trust this CA to identify websites”
iOS
- Open the file and tap
Installwhen iOS offers to install a profile. Source: Apple- Go to Settings -> General -> VPN & Device Management and verify the profile is installed.
- Now enable trust:
- Settings -> General -> About -> Certificate Trust Settings
- Under Enable Full Trust for Root Certificates, enable your CA certificate.
This is device-specific, but once done, your browser treats it like a normal certificate.
My rule of thumb
Self-signed is great for: “I want HTTPS on my LAN today.”
If you want a smoother long-term setup (no warnings, fewer integration headaches), move to:
- a reverse proxy (Nginx Proxy Manager, Caddy, Traefik), and/or
- Let’s Encrypt (with a real domain), or
- a local CA approach for your home network
Leave a Reply