Generate custom CA certificates for local domains/ipaddress


I am using mkcert to generate local certificates for private ips and domains
but the CA certificate generated by mkcert is by default of the local machine where mkcert is installed and OU and CN fields are generated as per the local machine hostname.

Is there a way (using mkcert or other application) to generate custom CA certifcates with organisation name or any other name??

You could just install pfsense in a vm and use that to create a cert. Feels like a sledgehammer to crack a nut though.

i did that… have pfsense running as firewall.
created a new CA
created a server certifcate for proxmox server with hostname and ip address.
installed server certificate in proxmox.
added CA certifcate in the windows trusted root CA authorities…
exited chrome and restarted chrome.
Still whenever i load proxmox, i get unsecure error.

please tell me what else i should do?

Are you accessing proxmox by ip address or fqdn. - It needs to be fqdn,

If you click on the ‘Not Sure’ to the left of the address , does the ssl certificate match your proxmox fqdn

1 Like

on the certifcate tab on proxmox tab, i am able to see the new certifcate.
i am still getting certificate not valid

also as i have included the ip address of the proxmox machine in alternate names i should be able to access https with ip address also

With SSL certificate you have to access the system via the fqdn name of the server.

SSL certificates hold the fqdn address within the ssl details , not server IPs. You will get untrusted error if you access via IP

What is common name (Issued to) within the SSL certificate, this is fqdn you need to access proxmox

Don’t you also have to import the cert into your browser too, I’m pretty sure.

If you have a local CA, it might go and fetch the cert., but not a guarantee.


yes i have added the local CA in the windows cert manager under third party trusted CA.

I think point 4 might be what you are missing

most probably,
i have already done the second part…added certificate in the trusted CA of windows
any idea what will be the equivalent in google chrome… for point number 4 - first part

also as a added note… i am not screwing with pfsense…
i am trying it with proxmox.

another issue -
TP link omada controller accepts JKS/PEM/PFX certificates…
pfsense does not create any of these…

any ideas??

You can use ACME in both pfsense and Proxmox to generate real trusted certificates from Let’s Encrypt to avoid this headache.

I am using ACME in pfsense to generate those certs for my servers that’s part of the HA Proxy. Works like a champ. You don’t even have to open any ports on the firewall. ACME can use other methods to verify that you’re the domain owner. I use Cloudflare to manage my domains.

Can you use ACME to generate .local, .LAN, etc. domains that are not registered with ICANN? If you can, I need a tutorial because I haven’t found a way to get certs. through Let’s Encrypt for local domains. I haven’t spent more than a couple hours on this subject, so I may have missed the process. Again, if possible someone please school me on this because it would help a huge amount.

No, it has to be a real domain that’s reachable on the internet. You can create something like and it’ll work fine long as you update the internal DNS to point to those servers internally.

From there you can make use of subdomains like and etc.

Thanks, that’s what I thought. My department keeps choosing names that we can’t register so I’m kind of stuck with local only naming. I need to set up a Windows CA which should push the certificates out to the clients (I think). All I need is time, after I fix the things that are broken!