[Guide] Setting Up Local HTTPS Domains with a Wildcard Certificate

Guide: Setting Up Local HTTPS Domains with a Wildcard Certificate

Some applications (for example, Vaultwarden) require HTTPS to function properly — even when they are only accessed on your local network.

Using Let’s Encrypt for this is often difficult because it requires opening ports to the outside world. A more practical alternative is to create your own Root Certificate Authority (CA) and issue a wildcard certificate.

This guide will walk you through how to set it up step by step.


1. Requirements

  • Docker is installed and running.

  • A local DNS server (e.g. AdGuard Home) configured as the primary DNS in your router.

  • Nginx Proxy Manager (NPM) acting as a reverse proxy.

  • (Optional) A domain purchased from a provider like IONOS, which often includes a wildcard certificate. If you use that, you can skip creating your own Root CA.

Example setup in my home network:

  • AdGuard Home: 192.168.178.2

  • Nginx Proxy Manager: 192.168.178.3

  • Fritz!Box router: configured to use AdGuard Home as DNS server.


2. Creating a Root CA and Wildcard Certificate

Note: If you already purchased a wildcard certificate (e.g. from IONOS), you can skip this step.

2.1 Create a Root CA (one-time setup)

# Generate private key for the Root CA
openssl genrsa -out myCA.key 4096

# Create a self-signed root certificate (valid for 30 years)
openssl req -x509 -new -nodes -key myCA.key -sha256 -days 10950 -out myCA.pem -subj "/C=DE/ST=NRW/L=Home/O=PrivateCA/OU=IT/CN=Home Root CA"

Result: myCA.pem → This Root Certificate will need to be imported on all client devices later.


2.2 Create a Wildcard Certificate for *.home.lan

# Private key
openssl genrsa -out home.lan.key 2048

# Certificate signing request (CSR)
openssl req -new -key home.lan.key -out home.lan.csr -subj "/C=DE/ST=NRW/L=Home/O=PrivateCA/OU=IT/CN=*.home.lan"

SAN configuration (create a file named home.lan.ext with the following content; the subjectAltName entries are what browsers actually match the host name against)

authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
subjectAltName = @alt_names

[alt_names]
DNS.1 = *.home.lan
DNS.2 = home.lan

Sign the certificate (valid for 10 years)

openssl x509 -req -in home.lan.csr -CA myCA.pem -CAkey myCA.key -CAcreateserial -out home.lan.crt -days 3650 -sha256 -extfile home.lan.ext

Resulting files:

  • home.lan.crt → Wildcard certificate

  • home.lan.key → Private key

  • myCA.pem → Root CA
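The following script is an added example, not part of the original guide. It runs the section 2 commands end to end in a working directory and then performs the checks worth doing before the files are uploaded to Nginx Proxy Manager: the leaf chains to the Root CA, the wildcard matches the intended host names (and only one label deep), the private key really belongs to the certificate, and the lifetime is what you expect. Subject strings and file names follow the guide; the directory argument, the function names, the pinned CA extensions in the minimal openssl.cnf (used instead of relying on the system config) and the extendedKeyUsage=serverAuth line in the extension file are this example's own assumptions. Backslash line continuations are fine inside a script file; they only cause trouble when pasted into a single interactive line.

```shell
#!/bin/sh
# Added example (not the guide's own code): build the Root CA and the
# *.home.lan wildcard certificate from section 2, then sanity-check them.
set -eu

# Minimal config so `openssl req` does not depend on the system openssl.cnf.
# The v3_ca section pins the CA extensions explicitly (example's assumption).
write_cnf() {
    cat > "$1/openssl.cnf" <<'EOF'
[req]
distinguished_name = dn
[dn]
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
}

# Section 2.1: Root CA key and self-signed certificate (30 years).
# Whoever holds myCA.key can issue certificates every device that imported
# myCA.pem will trust, so the key file is created owner-readable only.
make_ca() {
    dir="$1"; mkdir -p "$dir"; write_cnf "$dir"
    ( umask 077; openssl genrsa -out "$dir/myCA.key" 4096 )
    openssl req -x509 -new -nodes -key "$dir/myCA.key" -sha256 -days 10950 \
        -config "$dir/openssl.cnf" -extensions v3_ca -out "$dir/myCA.pem" \
        -subj "/C=DE/ST=NRW/L=Home/O=PrivateCA/OU=IT/CN=Home Root CA"
}

# Section 2.2: key, CSR, SAN extension file and the signed wildcard (10 years).
# extendedKeyUsage=serverAuth is added to the guide's file: some TLS clients
# reject a server certificate that does not carry it.
make_wildcard() {
    dir="$1"
    ( umask 077; openssl genrsa -out "$dir/home.lan.key" 2048 )
    openssl req -new -key "$dir/home.lan.key" -out "$dir/home.lan.csr" \
        -config "$dir/openssl.cnf" \
        -subj "/C=DE/ST=NRW/L=Home/O=PrivateCA/OU=IT/CN=*.home.lan"
    cat > "$dir/home.lan.ext" <<'EOF'
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names

[alt_names]
DNS.1 = *.home.lan
DNS.2 = home.lan
EOF
    openssl x509 -req -in "$dir/home.lan.csr" -CA "$dir/myCA.pem" \
        -CAkey "$dir/myCA.key" -CAcreateserial -out "$dir/home.lan.crt" \
        -days 3650 -sha256 -extfile "$dir/home.lan.ext"
}

# Check 1: the leaf chains to the Root CA (what every client evaluates).
verify_chain() {
    openssl verify -CAfile "$1/myCA.pem" "$1/home.lan.crt" >/dev/null
}

# Check 2: the chain verifies for a given host name. A wildcard covers one
# label only: vaultwarden.home.lan matches, a.b.home.lan does not.
hostname_ok() {
    openssl verify -CAfile "$1/myCA.pem" -verify_hostname "$2" \
        "$1/home.lan.crt" >/dev/null 2>&1
}

# Check 3: the private key belongs to the certificate; a mismatch is the
# usual reason a reverse proxy refuses to load the pair.
key_matches() {
    [ "$(openssl x509 -in "$1/home.lan.crt" -noout -pubkey)" = \
      "$(openssl pkey -in "$1/home.lan.key" -pubout)" ]
}

# Check 4: list the SAN entries the browser will match against.
san_names() {
    openssl x509 -in "$1/home.lan.crt" -noout -text \
        | grep -o 'DNS:[^,]*' | sed 's/^DNS://' | xargs
}

# Check 5: is the certificate still valid DAYS from now? Use it to spot a
# lifetime longer than a given client accepts (see the tips section).
valid_after_days() {
    openssl x509 -in "$1/home.lan.crt" -noout -checkend $(( $2 * 86400 )) >/dev/null
}

# Check 6 (after the proxy host exists): connect to the reverse proxy with
# SNI and verify the presented chain and host name against the Root CA, as a
# client that imported myCA.pem would. Usage: check_endpoint ./pki 192.168.178.3 vaultwarden.home.lan
check_endpoint() {
    openssl s_client -connect "$2:443" -servername "$3" -verify_hostname "$3" \
        -CAfile "$1/myCA.pem" -verify_return_error </dev/null >/dev/null 2>&1
}

# Stand-alone run: build everything into ./pki and report the checks.
main() {
    command -v openssl >/dev/null 2>&1 || { echo "openssl not found" >&2; exit 1; }
    dir="${1:-./pki}"
    make_ca "$dir"; make_wildcard "$dir"
    verify_chain "$dir" && echo "chain: ok"
    key_matches "$dir" && echo "key matches certificate: ok"
    echo "SAN: $(san_names "$dir")"
    valid_after_days "$dir" 398 && echo "valid beyond 398 days: yes"
}
main "$@"
```

Run it once, then upload home.lan.key, home.lan.crt and myCA.pem from the output directory as described in section 3; keep myCA.key off the proxy entirely, since the proxy never needs it.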


3. Import into AdGuard Home and Nginx Proxy Manager

3.1 Configure AdGuard Home (DNS rewrite)

  1. In the AdGuard Home dashboard, go to Filters → DNS Rewrites → Add DNS Rewrite.

  2. Domain name: e.g. vaultwarden.home.lan.

  3. IP address: the internal IP of Nginx Proxy Manager (e.g. 192.168.178.3).


3.2 Configure Nginx Proxy Manager (certificate and proxy host)

  1. In the NPM dashboard, go to SSL Certificates → Add SSL Certificate → Custom:

    • Name: *.home.lan

    • Certificate Key: upload home.lan.key

    • Certificate: upload home.lan.crt

    • Intermediate Certificate: upload myCA.pem

  2. Then go to Proxy Hosts → Add Proxy Host:

    • Domain Names: vaultwarden.home.lan

    • Scheme: http

    • Forward Hostname/IP: the Docker container IP (e.g. 192.168.178.60)

    • Forward Port: the container’s port (e.g. 8080)

    • Enable: Block Common Exploits and Websockets Support

  3. Under the SSL tab, select your custom certificate and tick all checkboxes (except HSTS Subdomains).

  4. Click Save → done.


4. Import the Root CA on Client Devices

Note: If you already purchased a wildcard certificate (e.g. from IONOS), you can skip this step.

For your browsers and devices to trust your certificates, you must import the Root CA (myCA.pem).

Windows

  1. Copy myCA.pem to the Windows machine.

  2. Double-click it → the Certificate Import Wizard will open.

  3. Choose Local Machine (requires Administrator privileges).

  4. Select Place all certificates in the following store → Trusted Root Certification Authorities.

  5. Finish the wizard. Windows will now trust all certificates signed by your Root CA.


Linux

The process depends on the distribution:

Debian / Ubuntu:

  1. Copy myCA.pem into /usr/local/share/ca-certificates/ (rename it with a .crt extension, e.g. myCA.crt).

  2. Update the trust store:

    sudo update-ca-certificates
    

Red Hat / Fedora / CentOS:

  1. Copy the file into /etc/pki/ca-trust/source/anchors/.

  2. Update the trust store:

    sudo update-ca-trust
    

Chrome / Chromium-based browsers

Chrome and Edge use the system certificate store by default. After following the Windows/Linux steps above, they will trust the certificate automatically.

If you prefer to import it only in Chrome:

  1. Open Chrome → Settings → Privacy and security → Security → Manage certificates.

  2. Go to the Trusted Root Certification Authorities tab.

  3. Click Import → select myCA.pem.

  4. Chrome now trusts your local wildcard certificate.


5. Tips & Notes

  • Avoid using .local domains! Some systems (e.g. Steam Deck) treat .local as reserved and won’t connect. Use .lan or .home instead.

  • Certificates longer than 1 year can cause issues with some services — if so, generate shorter validity periods.

  • Remote access: With a WireGuard VPN tunnel, you can also securely access your HTTPS services when away from home.

  • Docker compatibility: Some containers require HTTPS to run — this setup solves that problem.


Conclusion

With this method, you can run local HTTPS domains with your own wildcard certificate — without exposing any ports to the internet.

It’s a safe and flexible solution, especially for self-hosted services like Vaultwarden, Nextcloud, or other Docker containers that require HTTPS.

Edited by Pixelz_Namikaze
Fix: Remove the backslash and run everything in one line

  • 5 weeks later...

I have been working on setting this up but I have run into a problem. NGINX is on my custom docker network and AdGuard will not allow me to forward to an IP and port #. So when I forward the request to my server IP I get the Unraid home, not forwarded on to the needed application. I could put NGINX on my br0 network but that would require a reconfiguration of all my IPs on my docker network since I am currently using host names. Do you have any suggestion for keeping NGINX on my docker network while still being able to forward the AdGuard DNS request for the container I am trying to hit?

  • 2 months later...

THIS is exactly what I have been looking for going on weeks. Before I get too excited, will Pi-hole which I already have installed work instead of using AdGuard home?

Also, when you state Docker is installed and running, do you mean the Docker container from the Unraid Community apps? Not sure how Docker comes into play.

When I run the syntax openssl req -x509 -new -nodes -key myCA.key -sha256 -days 10950 -out myCA.pem \ -subj "/C=DE/ST=NRW/L=Home/O=PrivateCA/OU=IT/CN=Home Root CA" I keep getting req:Extra option "/".

I get the same error running openssl req -new -key home.lan.key -out home.lan.csr \ -subj "/C=DE/ST=NRW/L=Home/O=PrivateCA/OU=IT/CN=*.home.lan"

I googled for an answer, but nothing specific has come up.

Edited by RaidPC
add error message

  • Author
On 12/16/2025 at 1:03 AM, RaidPC said:

THIS is exactly what I have been looking for going on weeks. Before I get too excited, will Pi-hole which I already have installed work instead of using AdGuard home?

Also, when you state Docker is installed and running, do you mean the Docker container from the Unraid Community apps? Not sure how Docker comes into play.

When I run the syntax openssl req -x509 -new -nodes -key myCA.key -sha256 -days 10950 -out myCA.pem \ -subj "/C=DE/ST=NRW/L=Home/O=PrivateCA/OU=IT/CN=Home Root CA" I keep getting req:Extra option "/".

I get the same error running openssl req -new -key home.lan.key -out home.lan.csr \ -subj "/C=DE/ST=NRW/L=Home/O=PrivateCA/OU=IT/CN=*.home.lan"

I googled for an answer, but nothing specific has come up.

It works completely fine for me using the Docker container from the Unraid Community Apps — there’s no need for any special setup. It also works perfectly with Pi-hole instead of AdGuard Home.

Regarding your second issue: Unraid, BusyBox, Alpine and some shells require one‑line commands.

Fix: Remove the backslash and run everything in one line

openssl req -x509 -new -nodes -key myCA.key -sha256 -days 10950 -out myCA.pem -subj "/C=DE/ST=NRW/L=Home/O=PrivateCA/OU=IT/CN=Home Root CA" 

That should prevent the req: Extra option "/" error.

I will adjust that in the guide, thank you for reporting the issue.

Edited by Pixelz_Namikaze
