Add private CAs to certificate store

I and some other people ran into the problem that we’re using private certificate authorities in our networks but can’t (in my case with HassOS) or can only unsatisfactorily (in the case of HomeAssistant Supervised as far as I can tell) add these CAs to HA’s certificate store to let it trust our devices.

HA is using certifi as certificate store right now, which doesn’t support the addition of certificates and so any changes made to its store are rolled back on reboot.

A persistent way to add certificates to HA’s store would be a welcome addition!
Since it’s a rather uncommon issue as it seems, I don’t think a UI-way is needed, but something like a folder in which .pem files can be placed to be trusted by HA would be great!

I would love to see this in HA as I am one of the “some other people” who is currently having various issues with functionalities within HA because of that. :+1:t2:

1 Like

Sign me up too, I’ll be living with hacking Core until this is in properly :slight_smile:

2 Likes

Same here, trying to connect my custom IoT devices to HASS in local network but do not want to rely only on wifi password security.

1 Like

Temp workaround here:
https://community.home-assistant.io/t/let-home-assistant-trust-a-personal-certificate-authority/184917/15

Another vote here. This would solve a lot of the issues I’m having as well. Both IoT devices and services inside my home network are using an internal CA to communicate, and this is a showstopper to use those services in HA.

1 Like

Put me down for a +1

+1 here too. Spent a few hours setting up an internal CA only to break my HA integrations :frowning:

2 Likes

+1. I have a pfSense router, which I use as a local certificate authority. Would like to issue HA a certificate, and have HA trust the pfSense CA.

1 Like

Came here looking for answer to this, so I too would like to see just a simple way to store trusted CA certificates somewhere so that its certificates are also trusted.

1 Like

Solution for NixOS users (not an officially supported install method) is to provide packageOverrides to the home-assistant package, and concat the self-signed CA onto the certs provided by the certifi python package.

      # Override certifi so its bundled cacert.pem also contains the private root CA
      packageOverrides = self: super: {
        certifi = super.certifi.overrideAttrs (oA: {
          prePatch = ''
            cat ${./my_root_ca_public_key.pem} >> certifi/cacert.pem
          '';
        });
      };
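
The folder-of-.pem-files idea from the opening post and the concatenation done in the NixOS override above, as an added Python example (not code from Home Assistant, certifi, or any poster in this thread). It builds a separate bundle instead of editing certifi's `cacert.pem`, copies only `CERTIFICATE` blocks so a private key left in the folder never ends up in the bundle, and skips duplicates; all function names and paths are hypothetical.

```python
import base64, binascii, hashlib, os, re, tempfile
from pathlib import Path

CERT_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s+(.*?)\s+-----END CERTIFICATE-----", re.S)

def extract_certs(pem_text):
    """Return DER bytes of every CERTIFICATE block; all other blocks are ignored."""
    ders = []
    for body in CERT_RE.findall(pem_text):
        try:
            ders.append(base64.b64decode("".join(body.split()), validate=True))
        except binascii.Error:
            continue  # damaged block: skip it rather than corrupt the bundle
    return ders

def to_pem(der):
    """Re-encode DER bytes as a normalised PEM block (64-character lines)."""
    b64 = base64.b64encode(der).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return ("-----BEGIN CERTIFICATE-----\n" + "\n".join(lines)
            + "\n-----END CERTIFICATE-----\n")

def build_bundle(base_pem, extra_dir):
    """Return (bundle_text, added): base bundle plus unique certs from extra_dir/*.pem."""
    seen = {hashlib.sha256(d).digest() for d in extract_certs(base_pem)}
    out = [base_pem if base_pem.endswith("\n") else base_pem + "\n"]
    added = 0
    for path in sorted(Path(extra_dir).glob("*.pem")):
        for der in extract_certs(path.read_text(errors="replace")):
            digest = hashlib.sha256(der).digest()
            if digest not in seen:  # same CA dropped in twice is added once
                seen.add(digest)
                out.append(to_pem(der))
                added += 1
    return "".join(out), added

def write_bundle(text, dest):
    """Write via temp file + rename so a reader never sees a half-written bundle."""
    dest = Path(dest)
    fd, tmp = tempfile.mkstemp(dir=dest.parent)
    with os.fdopen(fd, "w") as fh:
        fh.write(text)
    os.chmod(tmp, 0o644)  # public CA certificates only, so world-readable is fine
    os.replace(tmp, dest)
    return dest
```

The resulting file can be passed to `ssl.create_default_context(cafile=...)` or named in `REQUESTS_CA_BUNDLE` for `requests`; whether a particular Home Assistant integration honours either is not something this thread establishes.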

Another user maintaining a private CA, and HA will not allow for certificate checking any of the local devices and services! Please add some way to persistently incorporate this without having to have debug and docker knowledge!

Regards,
Paul

1 Like

Ended up here while trying to get the Nextcloud integration working with a self-signed certificate. As best I can tell, there isn’t an option to disable SSL verify for the Nextcloud integration, but allowing the addition of a private CA would solve that issue nicely.

1 Like

Much needed, MEGA BUMP

1 Like

This is a must-have feature. It’s great that HA tends to be security and privacy-focused. Having the ability to add custom CAs would be the cherry on top.

1 Like

:+1:

Same issue here, so please add this feature request for implementation for the 2023.01 release (party) :partying_face:

1 Like

Yes, please add an option to use own CA certificates. My workaround until this is like described in Let Home Assistant trust a personal certificate authority - #21 by BusinessTux

1 Like

+1, super useful feature that seems like a must given the whole philosophy behind HA

1 Like

I use an internal CA for various VMs and appliances, my network supports WPA2/3 Enterprise as well with an internal RADIUS server. Having the ability to trust private CAs is very much in line with the tenets of local based control, I would also appreciate the utility of this feature request.

1 Like

Count me in. I have a private CA to keep passwords and API keys secret while making it easy for the wife to use. I would really like to be able to add my CA to the list of trusted CAs once and be done with it even if I have to go through the command line. We may be a relatively small section of the overall home automation community, but it just seems to fall in line with the whole idea of owning your home automation rather than it belonging to big tech.

1 Like