How to set up a secure connection with SSL for intranet use only?

I want to secure the connection to hass.io with SSL. I do use it only within my private network. To access it from outside I use a VPN connection through my router (FritzBox). How do I create an SSL certificate for this purpose? I only found explanations using domains or subdomains, which will not work in my scenario. Hass.io is running in a virtual machine on my Synology NAS.

There are several kinds of connections that can be secured with SSL, but also several ways to do it and not all connections support all ways.

Most connections require a domain certificate, which means you cannot secure an IP address that way.

If you want to use public domain certificates, like Let's Encrypt, then you need a public domain name too.

I thought of securing the connection to hass.io, as I have it when I log on to my NAS or my router (FritzBox).

There are two ways then.
A public certificate or a self-signed one.
The public one, like e.g. Let's Encrypt, takes a bit to set up and maintain, but makes it easy to connect with a browser.
A self-signed one is somewhat easy to set up and you can make it valid for a really long time, but the downside is that browsers cannot validate it, so you need to accept it on every new browser that connects.

Thanks. How do I create a self-signed certificate? I have Home Assistant running in a VM on my Synology. I am using Win10 on my PC. Can I create the certificates on my PC and copy them to hass.io via Samba file share? Or do I have to create them directly on my VM via the console? I have looked at so many different how-tos but it is not clear to me and I do need some help on this.

You probably have to start at Hass.io, since that is where the service is running.
I do not have that setup and I run my own CA, which is a completely different beast.

I just want to enable HTTPS. On my Synology NAS or my router I can activate it. I do not want to deal with CAs or make it available from outside, because I am accessing it via VPN. I need a way to create the fullchain.pem, if this works for what I plan.

The fullchain is a file that contains the public certificate part and the chained certificates all the way to the root CA.
With a self-signed certificate there is no chain, so you have to accept it as it is.

The problem is that a certificate consists of two parts, a public and a private one.
The private part is the one you need to be able to install it on a server, so it can begin to authenticate itself with the public part.

Some services make this process automatically when you enable SSL in them, but if they do not offer a way to export the private part, then a certificate can not be moved away from that service.

This guide seems to still be working for a self-signed certificate, but the warnings are also still true.
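To make the two-part explanation above concrete, here is an added example (not posted by anyone in this thread and not Home Assistant's own tooling) that creates both halves of a self-signed certificate with openssl in one step and then checks the result. It assumes a LAN address of 192.168.178.50 and the name hassio.local for the VM, and an output directory ./hass-cert; all three are placeholders, override them via the HASS_IP, HASS_NAME and OUT environment variables. Because the certificate is for intranet use, it puts the IP address itself into the subjectAltName, which is what a browser checks when you open https://192.168.178.50:8123 instead of a domain name. The "chain" of a self-signed certificate is just the certificate itself, so the public file is already a complete fullchain.pem.

```shell
#!/bin/sh
# Added example: self-signed certificate for an intranet IP, with checks.
# Placeholders (assumptions of this example, not values from the thread):
HASS_IP="${HASS_IP:-192.168.178.50}"     # LAN address of the hass.io VM
HASS_NAME="${HASS_NAME:-hassio.local}"   # optional local name for the VM
OUT="${OUT:-./hass-cert}"                # where privkey.pem and fullchain.pem land

# Create both halves at once (needs OpenSSL 1.1.1 or newer for -addext):
#   privkey.pem   - the private part; stays on the server, never shared
#   fullchain.pem - the public part; for a self-signed cert this IS the
#                   whole chain, there is no CA above it
# -nodes: no passphrase on the key (a service must load it unattended)
# -days 3650: valid ten years, the "really long time" a self-signed cert allows
make_selfsigned() {
  mkdir -p "$OUT"
  openssl req -x509 -newkey rsa:2048 -sha256 -days 3650 -nodes \
    -keyout "$OUT/privkey.pem" -out "$OUT/fullchain.pem" \
    -subj "/CN=$HASS_NAME" \
    -addext "subjectAltName=DNS:$HASS_NAME,IP:$HASS_IP" \
    2>/dev/null
  # the private part should be readable by its owner only
  chmod 600 "$OUT/privkey.pem"
}

# Check 1: the public part names the IP address, otherwise the browser will
# still complain about a name mismatch even after you accept the certificate.
cert_has_ip() {
  openssl x509 -in "$OUT/fullchain.pem" -noout -ext subjectAltName \
    | grep -q "IP Address:$HASS_IP"
}

# Check 2: the two halves belong together (same public key in both files).
key_matches_cert() {
  cert_pub=$(openssl x509 -in "$OUT/fullchain.pem" -noout -pubkey)
  key_pub=$(openssl pkey -in "$OUT/privkey.pem" -pubout)
  [ "$cert_pub" = "$key_pub" ]
}

# Check 3: issuer equals subject, i.e. the certificate signed itself and
# there is no chain to append to fullchain.pem.
is_selfsigned() {
  issuer=$(openssl x509 -in "$OUT/fullchain.pem" -noout -issuer | sed 's/^[a-z]*=//')
  subject=$(openssl x509 -in "$OUT/fullchain.pem" -noout -subject | sed 's/^[a-z]*=//')
  [ "$issuer" = "$subject" ]
}

# Stand-alone use: generate, then run the three checks.
if [ "${1:-}" = "run" ]; then
  make_selfsigned
  cert_has_ip && key_matches_cert && is_selfsigned && echo "ok: $OUT/fullchain.pem and $OUT/privkey.pem"
fi
```

Run it with `sh make-cert.sh run` on any machine that has openssl (Windows 10 with Git for Windows or WSL is fine; the files are just text and can be copied over a Samba share). Home Assistant reads the two files through the `ssl_certificate` and `ssl_key` options of its `http:` section; on hass.io the usual location is the `/ssl` directory, which the Samba add-on exposes as the `ssl` share, but check your own installation's paths. Because no CA signed this certificate, every browser will still show the one-time warning mentioned above; you can remove it per device by importing fullchain.pem (never privkey.pem) into that device's trust store.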

Thanks. I have seen this. But as far as I understand I do have to deal with DNS, CAs and all this. I thought of an easier solution. When I look at openHAB, it is implemented much more simply:

On the very first start, openHAB generates a personal (self-signed, 256-bit ECC) SSL certificate and stores it in the Jetty keystore (in $OPENHAB_USERDATA/etc/keystore). This process makes sure that every installation has an individual certificate, so that nobody else can falsely mimic your server. Note that on slow hardware, this certificate generation can take up to several minutes, so be patient on a first start - it is all for your own security.

A self-signed certificate does not need it.
Follow the guide on the page and do not follow the links to let’s encrypt or other sites.

Well, besides the openssl link that is. :wink: