
Generating self-signed certificates

These instructions show how to generate self-signed ECC certificates using OpenSSL. Suitable for local development and testing — not recommended for production.

You can either create a self-signed server certificate or a CA-signed server certificate. Both secure the server with a valid certificate. The CA-signed approach provides better trust control for internal deployments where you need to manage multiple certificates.


Self-signed server certificate: the server generates and signs its own certificate. Suitable for basic testing or small setups that do not require a Certificate Authority (CA).

  1. Generate the server private key:

    openssl ecparam -out server_key.pem -name secp256r1 -genkey
  2. Generate the self-signed certificate (valid 365 days):

    openssl req -new -key server_key.pem -x509 -nodes -days 365 -out server.pem

    Add -subj '/CN=localhost' to suppress interactive prompts (replace localhost with your domain):

    openssl req -new -key server_key.pem -x509 -nodes -days 365 -out server.pem -subj '/CN=localhost'

CA-signed server certificate: this approach creates a local Certificate Authority to sign the server certificate. Recommended when you manage multiple certificates or need a dedicated CA for an internal deployment.

  1. Generate the CA private key:

    openssl ecparam -out ca_key.pem -name secp256r1 -genkey
  2. Create the self-signed CA certificate (valid 365 days):

    openssl req -new -x509 -key ca_key.pem -days 365 -out ca.pem
  3. Generate the server private key:

    openssl ecparam -out server_key.pem -name secp256r1 -genkey
  4. Create a Certificate Signing Request (CSR) for the server:

    openssl req -new -key server_key.pem -out server.csr
  5. Sign the server certificate with your CA:

    openssl x509 -req -in server.csr -CA ca.pem -CAkey ca_key.pem -CAcreateserial -out server.pem -days 365

    The -CAcreateserial flag creates a ca.srl file to track certificate serial numbers. Replace it with -set_serial <number> to specify the serial manually.

After completing these steps, use server.pem and server_key.pem in your ThingsBoard transport configuration. Import ca.pem into the trust store of any client that needs to verify the server certificate.
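
The script below is an added example, not part of the ThingsBoard documentation. It runs the five CA-signed steps non-interactively in a scratch directory, then checks that server.pem chains to ca.pem, that server_key.pem is its private key, and that the certificate is not about to expire. The function names, the subject names and the 30-day default threshold are assumptions made for the example.

```sh
#!/bin/sh
# Added example: pre-deployment check for the files produced by the CA-signed steps.
# File names follow the steps above; subject names and thresholds are assumptions.

# make_demo_pki DIR: run steps 1-5 non-interactively in DIR (constructed test data).
make_demo_pki() (
  cd "$1" || exit 1
  openssl ecparam -out ca_key.pem -name secp256r1 -genkey 2>/dev/null &&
  openssl req -new -x509 -key ca_key.pem -days 365 -out ca.pem -subj '/CN=Demo CA' &&
  openssl ecparam -out server_key.pem -name secp256r1 -genkey 2>/dev/null &&
  openssl req -new -key server_key.pem -out server.csr -subj '/CN=localhost' &&
  openssl x509 -req -in server.csr -CA ca.pem -CAkey ca_key.pem \
    -CAcreateserial -out server.pem -days 365 2>/dev/null
)

# check_server_cert CA CERT KEY [MIN_DAYS]
# Returns 0 if the files are usable together, 1 if CERT does not verify against CA,
# 2 if KEY is not the private key for CERT, 3 if CERT expires within MIN_DAYS (default 30).
check_server_cert() {
  ca=$1 cert=$2 key=$3 min_days=${4:-30}
  # Chain check: the same validation a client does after importing ca.pem.
  openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1 || {
    echo "FAIL: $cert is not signed by $ca" >&2; return 1; }
  # Key/certificate pairing: both public keys must be byte-identical PEM.
  cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null)
  key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null)
  [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ] || {
    echo "FAIL: $key is not the private key for $cert" >&2; return 2; }
  # Expiry check: -checkend takes seconds and fails if the cert expires by then.
  openssl x509 -in "$cert" -noout -checkend $((min_days * 86400)) >/dev/null || {
    echo "FAIL: $cert expires within $min_days days" >&2; return 3; }
  echo "OK: $cert chains to $ca, matches $key, valid for more than $min_days days"
}

# Demonstration on freshly generated, throwaway files.
demo=$(mktemp -d)
make_demo_pki "$demo" &&
  check_server_cert "$demo/ca.pem" "$demo/server.pem" "$demo/server_key.pem"
rm -rf "$demo"
```

Running check_server_cert against the real ca.pem, server.pem and server_key.pem before they go into the ThingsBoard transport configuration catches a mismatched key or a certificate signed by the wrong CA before any client connects.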


Certificate files must be accessible to the ThingsBoard process. Place them in the appropriate directory for your deployment platform:

Place the certificate files in /etc/thingsboard/conf/ with the same file permissions as thingsboard.conf. Use relative paths in the configuration variables:

export SSL_PEM_CERT=server.pem
export SSL_PEM_KEY=server_key.pem