Mark Dain I've been playing around in OpenSSL all day and I finally got it to make a CA and a certificate. SSL labs seems happy aside from the untrusted root and "incomplete chain". Now I can sign certificates on the fly that all my devices will accept (including my phone)! Not sure how to solve the chain problem though.

Dave Walk One of our vendors had an incomplete chain problem this week and it caused our NodeJS client to their API (backed by OpenSSL) to throw an "UNTRUSTED" error so you should probably fix that. Unfortunately I dont remember how I've dealt with that in the past and handling SSL certs may be one of the most annoying things ever.

Mark Dain I would if I knew how, this is completely done by me ( gist.github.com/an... ). I'm starting to think it may be because an SSL cert (leaf node?) can't come directly from the CA so I'll try creating an intermediary and see if that works. Otherwise I'm getting fantastic scores on SSL test (0/100/100/90). This is for strictly internal stuff so if I can't fix it, it's not so bad as all my devices seem to be ok with the server. I'd like to get an A+ though!