Example scripts to generate TLS certificates for home automation scenarios. The .bat
files can be run on a Windows system with OpenSSL installed.
- Edit the `req_distinguished_name` and `alt_names` sections of the Certificate Authority configuration file `ca.cnf`
- Generate the Certificate Authority using a CA script, such as `ca-2048.bat`
- For endpoint certificates, copy a matching pair of files, such as `server.cnf` and `server-2048.bat`; edit the copied `.cnf` file to update the `req_distinguished_name` and `alt_names` sections, edit the copied `.bat` file to reference the new `.cnf` file, and then run that `.bat` script to generate the endpoint certificate
- Repeat the previous step for each endpoint or IoT device that needs a certificate
Small IoT devices often lack the computing power needed to quickly process encryption using 2048-bit or 4096-bit certificates. 1024-bit certificates are more efficient for such devices while still being secure. At the time of this writing, there are no known exploits for 1024-bit encryption. So, while 1024-bit certificates should never be used on the Internet or other public networks, they are still perfectly viable for isolated networks such as residential or home lab scenarios.
Carefully consider your security requirements before generating and using TLS certificates.
Larger devices and servers that have more computing power should use at least 2048-bit certificates. Any device connected to the Internet should also use 2048-bit certificates, including IoT devices.