How to Implement SSL?

Hi, I have found instructions on how to get SSL certificates created. I have private.key, private.key.nopassword and server.crt and server.csr used to get this.

I have put the private (stuff) in etc/ssl/private and the server.crt in /etc/ssl/certs.

But it has zero effect when I open OctoPrint: it shows as insecure, and https://octoprint.local kicks up a message of insecurity.

NET::ERR_CERT_AUTHORITY_INVALID
Subject: octopi

Issuer: octopi

Expires on: 23 Sep 2029

Current date: 10 Feb 2020

PEM encoded chain:

I am sure there are other steps here to implement the SSL certificates I created but can find no clues on how to do this.

So you're basically using a self-signed certificate based on the error message. What you need to do is import your server.crt file into your trusted root certificate authorities on your machine(s) accessing the pi. Details can be found on my how-to for that almost at the end of my post linked below.

I did as you suggest and added server.crt to Trusted Root Certificate Authorities. It has changed the message but still fails. I have the feeling the server.crt I made is under my name, not the FQDN. So I wonder what certificate this is referring to? Maybe I need to find another certificate on my octopi machine?

Your connection is not private

Attackers might be trying to steal your information from octopi.local (for example, passwords, messages or credit cards). Learn more

NET::ERR_CERT_AUTHORITY_INVALID

Subject: octopi

Issuer: octopi

Expires on: 23 Sep 2029

Current date: 10 Feb 2020

PEM encoded chain:


Yeah, the common name of your server cert has to be either the IP address of the server or the FQDN. It all depends on how you access the web interface.

To the best of my knowledge certs can't be for *.local addresses, for what it's worth.

But since I have myJS.io as a domain name, I could issue a public DNS A record for octopi.myJS.io to my private IP address, do the cert for that FQDN and it would work fine for me internally over HTTPS/SSL.
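
The replies above turn on the certificate's names matching the address typed into the browser. As an added example (not from the thread), this script issues a self-signed certificate for several names and verifies coverage with `openssl x509 -checkhost` / `-checkip` before the files are installed; current browsers match against the subjectAltName entries it sets. The IP address, key size, lifetime and output directory are assumptions, and `-addext` needs OpenSSL 1.1.1 or later.

```shell
#!/bin/sh
# Added example, not from the thread. Requires OpenSSL 1.1.1+ (for -addext).

# Build a subjectAltName value from space-separated DNS names and IPs.
build_san() (   # usage: build_san "dns1 dns2" "ip1 ip2"
  san=""
  for n in $1; do san="${san:+$san,}DNS:$n"; done
  for n in $2; do san="${san:+$san,}IP:$n"; done
  printf '%s' "$san"
)

# Write server.key and a self-signed server.crt into DIR. The first DNS
# name becomes the CN; every name and IP goes into subjectAltName.
make_cert() (   # usage: make_cert DIR "dns1 dns2" "ip1 ip2"
  umask 077     # keep the private key unreadable to other users
  san=$(build_san "$2" "$3")
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 825 \
    -keyout "$1/server.key" -out "$1/server.crt" \
    -subj "/CN=${2%% *}" -addext "subjectAltName=$san" 2>/dev/null
)

# Succeed only if CERT is valid for NAME (a host name or an IPv4 address).
cert_covers() ( # usage: cert_covers CERT NAME
  case $2 in
    *[!0-9.]*) flag=-checkhost ;;   # anything but digits and dots: a name
    *)         flag=-checkip ;;
  esac
  openssl x509 -in "$1" -noout "$flag" "$2" | grep -q 'does match'
)

# Demo: names are the ones seen in the thread; the IP is a constructed value.
tmp=$(mktemp -d)
make_cert "$tmp" "octopi.local octopi" "192.168.1.50"
for name in octopi.local octopi 192.168.1.50 octoprint.local; do
  if cert_covers "$tmp/server.crt" "$name"; then
    echo "$name: covered"
  else
    echo "$name: NOT covered (name mismatch in the browser)"
  fi
done
rm -rf "$tmp"
```

Run `cert_covers` against the existing server.crt with the exact host part of the URL you open; a failure there means the certificate has to be reissued with that name, regardless of whether it has been imported as trusted.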