Native HTTPS Support with Built-in Self-Signed Certificate Management

Hi team,

I’d like to propose a feature that brings native SSL/TLS support directly into the Home Assistant Core, including a built-in mechanism for generating and managing self-signed certificates.


:jigsaw: Problem

Currently, to secure Home Assistant with HTTPS, users must rely on:

  • A reverse proxy setup (e.g., Nginx, Caddy)
  • External services like Let’s Encrypt, which require DNS access and internet exposure
  • Manual import of custom certificates

This introduces significant complexity and a steep learning curve, especially for users who:

  • Want secure access only within their local network
  • Rely on VPNs, Tailscale, or internal-only deployments
  • Are privacy-conscious and prefer not to expose Home Assistant to the public internet

:bulb: Proposed Solution

Add native HTTPS support, allowing users to enable encryption without external proxies, and generate valid (albeit self-signed) certificates directly from the Home Assistant instance.

Key features:

  • Option to enable HTTPS directly in configuration.yaml:

```yaml
http:
  ssl: true
  ssl_mode: selfsigned  # options: selfsigned, custom, disabled
  ssl_custom_certificate: /config/ssl/mycert.pem
  ssl_custom_key: /config/ssl/mykey.pem
```

  • Secure certificate generation with modern crypto (e.g., RSA 2048+, SHA-256)
  • Automatic renewal and rotation of self-signed certificates
  • Optional export as .crt or .mobileconfig to ease trust installation on mobile/desktop devices
  • UI support to inform users how to install the certificate on their browser or mobile OS

:closed_lock_with_key: Why it’s better than current methods

| Feature | Current State | With Proposed Feature |
|---|---|---|
| HTTPS locally | :x: Needs proxy or Let’s Encrypt | :white_check_mark: Native support |
| Requires internet | :white_check_mark: Yes (Let’s Encrypt) | :x: No (fully offline possible) |
| Ease of setup | :x: Manual + proxy complexity | :white_check_mark: One-line config or UI toggle |
| Ideal for VPN users | :x: | :white_check_mark: |
| New user friendliness | :x: | :white_check_mark: |

:rocket: Benefits

  • Improves security out of the box
  • Makes Home Assistant more approachable and private
  • Reduces dependencies and complexity
  • Aligns with Home Assistant’s privacy-first automation philosophy

Thanks for considering this feature — it would be a great improvement for privacy-aware and local-only deployments.
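
What the certificate generation and renewal check proposed in the post above involve, as an added example using the OpenSSL command line (not code from Home Assistant or from the poster). The function names, the homeassistant.local hostname and the 365-day lifetime are assumptions; the file names follow the configuration sketch in the post.

```sh
#!/bin/sh
# Added example; function names, hostname and lifetime are assumptions.

# make_selfsigned DIR HOST DAYS: write DIR/mykey.pem and DIR/mycert.pem
make_selfsigned() (
    dir=$1 host=$2 days=$3
    umask 077    # key file is created readable by its owner only
    cat > "$dir/req.cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions = v3
prompt = no
[dn]
CN = $host
[v3]
# Browsers match the hostname against subjectAltName, not the CN.
subjectAltName = DNS:$host
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
EOF
    openssl req -x509 -newkey rsa:2048 -sha256 -nodes -days "$days" \
        -config "$dir/req.cnf" -keyout "$dir/mykey.pem" -out "$dir/mycert.pem"
)

# cert_covers CERT HOST: succeed only if HOST is an exact SAN entry
cert_covers() {
    openssl x509 -in "$1" -noout -text | tr ', ' '\n\n' | grep -qxF "DNS:$2"
}

# needs_renewal CERT DAYS: succeed if CERT expires within DAYS or is unreadable
needs_renewal() {
    ! openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null 2>&1
}

# fingerprint CERT: SHA-256 fingerprint to compare by eye before trusting the
# certificate on a phone or browser
fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# Usage: make_selfsigned /config/ssl homeassistant.local 365
```

A scheduled job can call `needs_renewal` and regenerate the pair when it succeeds; every regeneration changes the fingerprint, so each device that trusted the old certificate has to trust the new one.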

Hello fhgprofeta2008

So, Nabu Casa?

Nabu Casa does not provide local https.

Totally agree — and that’s why native local SSL support would be a great gain for internal network security. :+1:

I had not considered that, or ever found a use for it either…

Would this mean HA generates cert for *.local or similar?

yep, for homeassistant.local

I’m in the same boat, I have no interest in exposing my network to the internet. I prefer to maintain a VPN connection when away from home. I am just now starting to deal with issues where I can’t use an addon properly because its integration into Home Assistant requires https to play well in an iframe using a webpage dashboard. Can someone point me in the direction of what I need to do to get my self-signed certificate set up and switched over to https, please?

I set up Caddy and have it generate certs for my local domain. There are no open ports to the web.

Caddy has web access for cert provisioning.
Most of my services have zero access to internet unless it is required for normal function.

Caddy? Don’t see it in add-ons or hacs.

Sorry, I use Docker, not addons.
I see addons available, but not in HACS.

Also, it uses letsencrypt to generate certs, which generally wants an open port. There are Caddy modules (like cloudflare) that allow cert creation without opening ports. This is what I use.

Ok, so I have haos on my pi running the letsencrypt addon. It has successfully generated a cert for my domain name that I have registered using the DNS API method. I wanted to use my domain name for internal resolution instead of IP addresses. I have my local dns servers configured to point to the static IP of my ha server. This works fine when I tailscale into my network remotely but still does not work for https. What could I be missing? Does the letsencrypt addon put the cert in play on ha or do I need to do that myself in yaml somewhere? When I do a port scan of ha it shows 443 is listening but when trying to connect it just hangs waiting for a response.

Ok, my fault for overlooking that I need to put the SSL paths in configuration.yaml. Everything seems to be resolving internally using the cert now. Thx for the help. Sometimes it just takes a little nudge to reread everything lol