How to do that: Step by Step

A site by: Robert Baldwin

Protect HomeAssistant using CloudFlare mTLS

How to protect HomeAssistant using Cloudflare mTLS


Before you begin, pick a new subdomain for the service you wish to protect with mTLS, for example ha-mobile. We will use this later when configuring mTLS and the service's public hostname. These instructions assume you already have a domain and subdomain configured with Cloudflare and have already configured the tunnel.


1) If you do not have OpenSSL, download OpenSSL.


Redhat/CentOS:

# yum install openssl

Ubuntu:

$ sudo apt install openssl

Windows:

I used firedaemon's binaries found on the openssl.org list here: https://wiki.openssl.org/index.php/Binaries


Firedaemon's URL:

https://www.firedaemon.com/get-openssl


Click the Windows Start button and type "edit the system environment variables".

Click the "Environment Variables" button at the bottom of the window.


Create a new variable "OPENSSL_HOME" with the value: C:\Program Files\FireDaemon OpenSSL 3

Edit the Path variable and add a new entry:

"%OPENSSL_HOME%\bin"


REBOOT


Test that openssl is installed and executable at the command prompt.


openssl --version


Example Output:

C:\Windows\System32>openssl --version

OpenSSL 3.3.0 9 Apr 2024 (Library: OpenSSL 3.3.0 9 Apr 2024)



2) Go to the Cloudflare dashboard (https://dash.cloudflare.com)

3) Click on your domain

4) Generate a client certificate in Cloudflare

   4a) Click SSL/TLS in the left-hand panel

   4b) Click Client Certificates

   4c) Click Create Certificate

   4d) Leave all values at their defaults and click Create.

   4e) Copy and paste the certificate into Notepad and save it as cf.pem

   4f) Copy and paste the private key into Notepad and save it as cf.key


5) Choose which host(s) you wish to enable mTLS for

   e.g. ha-mobile.example.com


6) Create an mTLS Rule by clicking "Create mTLS Rule"

   6a) Make it match the below rule.

   6b) Click Deploy


Return to the Cloudflare dashboard https://dash.cloudflare.com

7) Go to your Cloudflare Tunnel configuration by clicking Zero Trust, then Network, then Tunnels

8) Click the hamburger button on the far right of your tunnel name and click Configure.

9) Click Public Hostname

10) Add a new Public Hostname, e.g. ha-mobile.example.com


The service is now secured by your client certificate and will be inaccessible from devices which do not have your client certificate. Next you will need to install that certificate on your mobile device.


11) We need to convert the certificate and key into a format that Android can import.

Use the following command to convert these two files into a pfx file, which can be imported into Android.

  openssl pkcs12 -export -out ha-mobile.pfx -inkey cf.key -in cf.pem

Note: You'll be prompted for a password. Enter a password which you'll remember. You'll be prompted for this password when importing the certificate in step 13.

12) Copy this file (ha-mobile.pfx) to your mobile device's local storage or to Google Drive.
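The following script is an added example and is not code from the original page. It wraps the step 11 conversion with the two checks a practitioner wants around it: it confirms that cf.pem and cf.key actually belong together before packaging (a mismatched pair produces a pfx that imports fine but can never authenticate), and it reads the finished bundle back with the password to prove the file opens with what you intend to type on the phone. It also includes an optional live check, not run here, that the mTLS rule from step 6 is really enforced, by requesting the hostname once without and once with the client certificate. It assumes the openssl CLI (and curl, for the live check) is on PATH; the file names cf.pem, cf.key and ha-mobile.pfx are the page's, and the key pair generated at the bottom is constructed here for the demonstration only.

```shell
#!/bin/sh
# Added example, not code from the original page. Assumes openssl (and curl
# for the live check) on PATH. The demo key pair at the bottom is constructed
# here as a stand-in for the Cloudflare-issued cf.pem / cf.key.

# The PKCS#12 password is read from the PFX_PASS environment variable, so it
# never appears on a command line that other users could read with `ps`.
: "${PFX_PASS:=change-me-demo-password}"
export PFX_PASS

# Return 0 when the public key inside the certificate matches the private key.
cert_matches_key() {
  cert="$1"; key="$2"
  openssl x509 -in "$cert" -noout 2>/dev/null || return 1
  openssl pkey -in "$key" -noout 2>/dev/null || return 1
  cert_pub=$(openssl x509 -in "$cert" -noout -pubkey)
  key_pub=$(openssl pkey -in "$key" -pubout)
  [ "$cert_pub" = "$key_pub" ]
}

# Package cert + key into a PKCS#12 bundle (the page's step 11), refusing to
# build one from a certificate and key that do not belong together.
build_pfx() {
  cert="$1"; key="$2"; out="$3"
  if ! cert_matches_key "$cert" "$key"; then
    echo "refusing to build $out: $cert and $key do not match" >&2
    return 1
  fi
  openssl pkcs12 -export -out "$out" -inkey "$key" -in "$cert" -passout env:PFX_PASS
}

# Read the bundle back with the password and print the bundled certificate's
# subject, proving the file opens with the password you will type on the phone.
pfx_subject() {
  openssl pkcs12 -in "$1" -passin env:PFX_PASS -nokeys -clcerts 2>/dev/null \
    | openssl x509 -noout -subject
}

# Optional live check (needs network, so it is not run below). Without the
# client certificate the mTLS rule's Block action should answer with a non-2xx
# status (403 is Cloudflare's default for Block); with the pfx the request
# should reach Home Assistant. curl takes the PKCS#12 password on its command
# line here, so run this only from a shell you trust.
check_mtls_enforced() {
  url="$1"; pfx="$2"
  without=$(curl -s -o /dev/null -w '%{http_code}' "$url")
  with=$(curl -s -o /dev/null -w '%{http_code}' \
           --cert-type P12 --cert "$pfx:$PFX_PASS" "$url")
  echo "without client cert: HTTP $without; with client cert: HTTP $with"
  case "$without" in 2*|3*) return 1 ;; esac
  case "$with" in 2*|3*) return 0 ;; *) return 1 ;; esac
}

# Demo on a constructed, throwaway key pair standing in for cf.pem / cf.key.
demo_dir=$(mktemp -d)
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=ha-mobile-demo" \
  -keyout "$demo_dir/cf.key" -out "$demo_dir/cf.pem" 2>/dev/null
# A second, unrelated private key to show the mismatch check firing.
openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
  -out "$demo_dir/other.key" 2>/dev/null

build_pfx "$demo_dir/cf.pem" "$demo_dir/cf.key" "$demo_dir/ha-mobile.pfx" \
  && echo "built $demo_dir/ha-mobile.pfx: $(pfx_subject "$demo_dir/ha-mobile.pfx")"
build_pfx "$demo_dir/cf.pem" "$demo_dir/other.key" "$demo_dir/bad.pfx" \
  || echo "mismatch correctly rejected"
```

To use it against the real files, set PFX_PASS in your shell, run `build_pfx cf.pem cf.key ha-mobile.pfx`, and after the rule and public hostname are deployed run `check_mtls_enforced https://ha-mobile.example.com/ ha-mobile.pfx` from a machine that is not on your home network.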


13) Import the pfx file to your Android device.

Android 14+

Go to Settings -> Security & Privacy -> More Security & Privacy -> Encryption & Credentials -> Install Certificate -> VPN & app user certificate,
then locate the file you transferred in the previous step.


Be sure to give the certificate a sensible name so that in the future you'll remember what it is.

Note: You'll be prompted for a password when importing the pfx; enter the password you specified in step 11.
     

14) Configure the HomeAssistant mobile app with your new URL https://ha-mobile.example.com. You'll be prompted to select the certificate to use; select the certificate you imported in the prior steps.