Is there any way to build my own trusted CA system only in a local development environment?


The cause that triggered this question is my smart devices. I bought a batch of smart devices for my home a few years ago; then the supplier released new products and no longer supports the old ones. The devices are still very new, and the cost to replace this equipment is high, so I hope to keep using these devices on my own.

I built a local development environment to investigate the problem. It includes a DNS server and several fake HTTPS servers. The gateway accessed my fake HTTPS server as expected, but it immediately aborted the handshake. Wireshark captured the traffic: the client refused to accept the server certificate at the ClientHello step of the TLS handshake.

    Frame 205: 73 bytes on wire (584 bits), 73 bytes captured (584 bits) on interface \Device\NPF_{02345980-BC21-5641-123D-895432769A33}, id 0
    Ethernet II, Src: 00:12:34:46:04:d2, Dst: 00:12:34:8e:ad:0a
    Internet Protocol Version 4, Src: 192.168.1.183, Dst: 192.168.1.104
    Transmission Control Protocol, Src Port: 47813, Dst Port: 443, Seq: 240, Ack: 985, Len: 7
    Transport Layer Security
        TLSv1.2 Record Layer: Alert (Level: Fatal, Description: Certificate Unknown)
            Content Type: Alert (21)
            Version: TLS 1.2 (0x0303)
            Length: 2
            Alert Message
                Level: Fatal (2)
                Description: Certificate Unknown (46)

The private key and the certificate for my fake HTTPS server were generated by me, following the guide from: How do you sign a Certificate Signing Request with your Certification Authority?

Generally speaking, if the HTTPS client allows installing one's own certificate, the problem can be solved, but most smart devices run a cut-down system that cannot support a certificate installation function at all, so there is no way to make a self-signed certificate effective.

So my question is: is there any way to build my own CA system in a local development environment? For example, is it possible to find an expired CA private key to generate a trusted certificate just in the local development environment, with some limitation such as only being valid in the past?

Any suggestions are welcome.
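As an added example (not code from the question or from any answer here), the following script builds the kind of local CA the question describes with the openssl CLI, signs a server certificate with it, and then verifies that certificate against a trust store that contains the lab CA and against one that does not. The hostname api.example.lan and the stand-in "vendor" root are assumptions for the lab.

```shell
#!/bin/sh
# Added example (not from the question): a throwaway local CA built with the
# openssl CLI, the same steps as the linked CSR-signing guide, plus a check of
# the one thing the gateway is enforcing: whether the leaf chains to a CA in
# the verifier's trust store. Assumed hostname: api.example.lan.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
HOST=api.example.lan   # assumption: the name your lab DNS answers for

# 1. Lab root CA: private key plus self-signed certificate.
openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
  -subj "/CN=Local Lab Root CA" \
  -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null

# 2. Server key and CSR for the fake HTTPS server.
openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=$HOST" \
  -keyout "$WORK/server.key" -out "$WORK/server.csr" 2>/dev/null

# 3. Sign the CSR with the lab CA. Clients match the hostname against the
#    subjectAltName, so it must be present; the CN alone is not enough.
printf 'subjectAltName=DNS:%s\nextendedKeyUsage=serverAuth\nbasicConstraints=CA:FALSE\n' \
  "$HOST" > "$WORK/leaf.ext"
openssl x509 -req -sha256 -days 825 -in "$WORK/server.csr" \
  -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -CAcreateserial \
  -extfile "$WORK/leaf.ext" -out "$WORK/server.crt" 2>/dev/null

# 4. A second, unrelated root stands in for a vendor CA built into the
#    gateway firmware: a store that holds it, but not our lab CA.
openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
  -subj "/CN=Vendor Root CA (stand-in)" \
  -keyout "$WORK/vendor.key" -out "$WORK/vendor.crt" 2>/dev/null

# chains_to STORE: exit 0 if server.crt validates against STORE, non-zero otherwise.
chains_to() {
  openssl verify -CAfile "$1" "$WORK/server.crt" >/dev/null 2>&1
}

chains_to "$WORK/ca.crt" && echo "lab CA in store: server.crt accepted"
chains_to "$WORK/vendor.crt" || echo "lab CA not in store: rejected, as the gateway did"
```

The second check is the gateway's situation: whatever its built-in trust store holds, a certificate chaining to a CA outside that store cannot validate, regardless of how the certificate itself was produced.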
