Looking for a TLS/SSL solution for internal home network / services

Hello! I'm trying to configure Traefik to use SSL/TLS certificates while using services on my internal home network. The single port I'd like to forward on my home router is for Wireguard, so that I can access all of my services using my internal DNS server.
So I have my laptop (let's say it's machine-a.lan) and I have my NUC (let's say it's machine-b.lan).
I'm already using a Dynamic DNS updater for Wireguard, but I don't want to have to rely on that public-facing address internally to use DNS validation.
From what I understand, port 80 and/or 443 need to be exposed on my home router, and I'd really rather not do that. I can't get anything to work.
As a last-ditch effort, I've tried mkcert, but the issue I'm facing is I'm not able to validate the store unless I'm doing something wrong. I'm trying to use a mkcert certificate for all of my home networking needs but each machine has its own certs. I wonder if they all need to be the same file, shared among every machine.

Either way, is there anything I can do to get SSL/TLS certs to work on my private network?

Have you considered creating your own Certificate Authority certificate and using it to sign certs for your website? You can then add the root cert for the CA to your devices to trust.

Thanks for your response!
If I'm not mistaken, isn't that what mkcert does?
Maybe I'm using it incorrectly then.
Do I need to copy the root cert from the source that's hosting the service to each device in order for it to trust them?
Is there any way to host an internal CA that validates all of my internal services?

I'm not familiar with mkcert. I use openssl

Certificate Authority
• Generate the CA private key and protect it with a password
openssl genrsa -aes256 -out rootca.key 2048

• Generate a root certificate signed with the key above (Valid for 10 years):
openssl req -x509 -new -nodes -key rootca.key -sha256 -days 3650 -extensions v3_ca -out rootca.crt -subj "/C=GB/ST=England/L=London/O=**YourOrganisationName**/OU=IT/CN=**UniqueNameforyourCA**"

Server Key and Cert Request:

• Generate the server certificate key
openssl genrsa -out mqtt-server.key 2048

• Generate the server certificate request (csr) (Common Name "CN" has to match your server address)
openssl req -new -sha256 -key server.key -out server.csr -subj "/C=GB/ST=England/L=London/O=**OrgName**/OU=IT/CN=**UniqueServerName**"

Sign the csr with the CA you created at the top
• Sign the Certificate with your CA
openssl x509 -req -in server.csr -CA rootca.crt -CAkey rootca.key -CAcreateserial -out server.crt -days 1825 -sha256

Make sure you add the rootca.crt to the trusted root certificate authority store of every device you own.

Thank you very much!
I ended up basically doing what you suggested, but using mkcert instead.
Is there any kind of encryption that could protect someone from stealing the cert and using it irresponsibly? Since it's a self-signed one, I assume it's the same as mkcert.
I will mark your answer as the solution because what I ended up needing to do was:

Thanks again!

This topic was automatically closed 3 days after the last reply. New replies are no longer allowed.