I wanted HTTPS on my Home Assistant UI, even on my local network. Not because I love extra work, but because browsers, apps, and integrations increasingly assume TLS is the default. A self-signed certificate is a quick way to enable HTTPS without needing a domain name or a public certificate.
This guide sets up Home Assistant to serve HTTPS using a self-signed certificate.
If you want the “no warnings” experience, use a proper local CA (like mkcert) or Let’s Encrypt via a domain + reverse proxy. But for “I just want HTTPS now”, self-signed is fine.
Step 1: Create a self-signed certificate
Generate the certificates directly in Home Assistant Terminal (if you have it).
If you have the Terminal & SSH add-on and can access a shell, you can run the following commands there. Just make sure you place the files in /ssl.
On your Home Assistant Terminal:
openssl req -new -x509 -days 3650 -nodes -keyout /ssl/homeassistant.key -out /ssl/homeassistant.crt
When asked for “Common Name”, use the hostname you browse to, for example:
- homeassistant.local
- assistant.home
- or the IP address (less ideal, but works for many local setups)
You will end up with:
- homeassistant.key
- homeassistant.crt
Step 2: Configure Home Assistant to use SSL
Edit your configuration.yaml and add (or update) the http: block:
http:
  ssl_certificate: /ssl/homeassistant.crt
  ssl_key: /ssl/homeassistant.key
Save the file.
Now restart Home Assistant (Settings -> System -> Restart).
Step 3: Test HTTPS
After the restart, open:
https://<your-home-assistant-hostname>:8123
Example:
https://assistant.home:8123
You will almost certainly get a browser warning like “Your connection is not private”. That is expected with self-signed certificates.
Proceed anyway (usually “Advanced” -> “Continue”).
Step 4: Make the warning less annoying (optional)
Trust the certificate on your own devices
If you import the .crt file into your OS trust store, your browser will stop complaining.
- On Linux (varies per distro) you typically add it to your local CA store.
This is device-specific, but once done, your browser treats it like a normal certificate.
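An added example, not part of the original post: the Step 1 command made non-interactive with a subjectAltName entry (current browsers match the hostname against SAN, not Common Name, so a trusted CN-only certificate can still be rejected), plus checks to run before restarting Home Assistant. The IP address 192.168.1.10, the function names, and the scratch directory are assumptions; pass /ssl as the directory for real use.

```shell
#!/bin/sh
# Added example (not from the original post). The IP address and the scratch
# directory are constructed values; use /ssl as the directory on Home Assistant.

# make_cert DIR HOSTNAME IP: non-interactive version of the Step 1 command,
# with the hostname and IP listed in subjectAltName.
make_cert() {
    (
        umask 077   # new key file is readable by its owner only
        openssl req -new -x509 -days 3650 -nodes -newkey rsa:2048 \
            -subj "/CN=$2" \
            -addext "subjectAltName=DNS:$2,IP:$3" \
            -keyout "$1/homeassistant.key" \
            -out "$1/homeassistant.crt" 2>/dev/null
    )
}

# key_matches_cert DIR: succeeds when key and certificate share a public key.
# Empty output (missing or unreadable file) counts as a failure.
key_matches_cert() {
    cert_pub=$(openssl x509 -in "$1/homeassistant.crt" -noout -pubkey 2>/dev/null)
    key_pub=$(openssl pkey -in "$1/homeassistant.key" -pubout 2>/dev/null)
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# cert_covers_host DIR HOSTNAME: succeeds when the certificate is valid for HOSTNAME.
cert_covers_host() {
    openssl x509 -in "$1/homeassistant.crt" -noout -checkhost "$2" 2>/dev/null |
        grep -q "does match"
}

# cert_not_expiring DIR DAYS: succeeds when the certificate is still valid DAYS from now.
cert_not_expiring() {
    openssl x509 -in "$1/homeassistant.crt" -noout \
        -checkend "$(( $2 * 86400 ))" >/dev/null 2>&1
}

# Demo run in a scratch directory so nothing in /ssl is touched.
demo_dir=$(mktemp -d)
make_cert "$demo_dir" homeassistant.local 192.168.1.10 &&
    key_matches_cert "$demo_dir" &&
    cert_covers_host "$demo_dir" homeassistant.local &&
    cert_not_expiring "$demo_dir" 30 &&
    echo "certificate and key are consistent"
rm -rf "$demo_dir"
```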
My rule of thumb
Self-signed is great for: “I want HTTPS on my LAN today.”
If you want a smoother long-term setup (no warnings, fewer integration headaches), move to:
- a reverse proxy (Nginx Proxy Manager, Caddy, Traefik), and/or
- Let’s Encrypt (with a real domain), or
- a local CA approach for your home network


