
XCA: The All-in-One Solution for PKI and Certificate Management in Your Homelab

XCA is a free GUI tool for running your own PKI in a homelab. Manage Root CA, Intermediate CA and TLS certificates easily – no CLI overhead required.

March 4, 2026 · 8 min read
Tags: XCA, PKI, Certificates, TLS, CA, Homelab, Self-hosted, Security

TL;DR: XCA is a free, cross-platform GUI tool for building a complete PKI – Root CA, Intermediate CA, TLS certificates. Everything lives in a single SQLite database that’s easy to back up. No OpenSSL command-line chaos, no server overhead. Perfect for homelabs that want to properly secure internal services with TLS.

Anyone running multiple services in their homelab – Proxmox, Nextcloud, Authentik, Gitea, Traefik – eventually hits the point where self-signed certificates become a pain. Browser warnings, no chain of trust, no central management. The clean solution is your own PKI with a Root CA you trust once, and Intermediate CAs that issue the actual certificates.

That sounds like a lot of OpenSSL fumbling. It doesn’t have to be, if you use XCA. XCA (X Certificate and Key management) is an open-source tool with a graphical interface that maps exactly this workflow – without having to look up OpenSSL syntax every single time.

What Is XCA and Why Not Just Use OpenSSL?

XCA is a Qt-based desktop application available for Windows, macOS, and Linux. It manages certificates, private keys, Certificate Signing Requests (CSRs), and Certificate Revocation Lists (CRLs) in a single encrypted SQLite database.

The advantages over raw OpenSSL:

  • No command-line syntax to memorize – everything through dialogs
  • Templates for recurring certificate types (server, client, CA)
  • Full CA hierarchy in a single file
  • Export to all common formats: PEM, DER, PKCS#12, PKCS#8
  • Portable – the database file is the entire PKI system

Alternatives like easy-rsa or direct OpenSSL scripts work too, but the cognitive overhead is significantly higher. For a homelab where you’re not issuing certificates daily, XCA is the more pragmatic choice.

Installation

XCA is available in most package repositories or directly as a binary from the official website.

Debian/Ubuntu:

sudo apt update && sudo apt install xca

Arch Linux:

sudo pacman -S xca

macOS (Homebrew):

brew install --cask xca

Windows: Download the installer directly from hohnstaedt.de/xca.

After launching, create a new database via File → New DataBase. This .xdb file is the heart of your PKI – back it up regularly, ideally encrypted on an external medium or in a password manager vault.

Building the PKI Hierarchy: Root CA and Intermediate CA

A clean PKI structure for a homelab looks like this:

Root CA (keep offline)
└── Intermediate CA (for day-to-day work)
    ├── server.homelab.local
    ├── nextcloud.homelab.local
    └── *.homelab.local

The Root CA should stay offline as much as possible – meaning the XCA database lives on a secure medium, not on a running system. The Intermediate CA handles day-to-day certificate issuance.

Creating the Root CA:

  1. Tab Certificates → New Certificate
  2. Subject: CN = Homelab Root CA, O = Homelab, C = US
  3. Extensions: CA:TRUE, pathlen:1 (allows one level of Intermediate CAs)
  4. Key Usage: Certificate Sign, CRL Sign
  5. Key length: RSA 4096 or EC P-384
  6. Validity: 10–20 years

Creating the Intermediate CA:

  1. Again New Certificate, this time signed by the Root CA as issuer
  2. Subject: CN = Homelab Intermediate CA
  3. Extensions: CA:TRUE, pathlen:0 (cannot issue further CAs)
  4. Key Usage: Certificate Sign, CRL Sign
  5. Validity: 5 years

XCA displays the CA hierarchy as a clear tree structure.
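To see why the post sets pathlen:1 on the Root CA and pathlen:0 on the Intermediate CA, here is an added Python model of the RFC 5280 path-length check over a simplified certificate record (constructed fields, not parsed X.509, and not XCA's own code). It accepts the hierarchy above and rejects a second CA level under the Intermediate.

```python
from dataclasses import dataclass
from typing import List, Optional

@dataclass
class Cert:
    """Simplified certificate: only the fields set in the XCA dialogs above (constructed, not real X.509)."""
    cn: str
    issuer_cn: str
    ca: bool                        # Basic Constraints CA:TRUE / CA:FALSE
    pathlen: Optional[int] = None   # Basic Constraints pathlen; None = no limit
    sign_certs: bool = False        # Key Usage includes Certificate Sign

def validate_chain(chain: List[Cert]) -> Optional[str]:
    """Walk a chain ordered root -> intermediates -> leaf and apply the RFC 5280
    path-length rules. Returns None when the chain is acceptable, else the first problem."""
    if not chain:
        return "empty chain"
    remaining: Optional[int] = None   # intermediates still allowed below the current CA
    for depth, cert in enumerate(chain):
        if depth > 0 and cert.issuer_cn != chain[depth - 1].cn:
            return f"{cert.cn}: issuer is not {chain[depth - 1].cn}"
        if depth == len(chain) - 1:
            break                      # the leaf issues nothing, so no CA checks apply
        if not cert.ca:
            return f"{cert.cn}: CA:FALSE but used to issue {chain[depth + 1].cn}"
        if not cert.sign_certs:
            return f"{cert.cn}: Key Usage lacks Certificate Sign"
        if depth > 0:                  # a self-signed root does not consume a pathlen slot
            if remaining is not None and remaining <= 0:
                return f"{cert.cn}: exceeds the pathlen of a CA above it"
            if remaining is not None:
                remaining -= 1
        if cert.pathlen is not None and (remaining is None or cert.pathlen < remaining):
            remaining = cert.pathlen   # the tightest limit in the path wins
    return None

def homelab_chain() -> List[Cert]:
    """The hierarchy from the post: Root (pathlen:1) -> Intermediate (pathlen:0) -> server cert."""
    return [
        Cert("Homelab Root CA", "Homelab Root CA", ca=True, pathlen=1, sign_certs=True),
        Cert("Homelab Intermediate CA", "Homelab Root CA", ca=True, pathlen=0, sign_certs=True),
        Cert("nextcloud.homelab.local", "Homelab Intermediate CA", ca=False),
    ]

if __name__ == "__main__":
    print(validate_chain(homelab_chain()))  # None: the post's Root/Intermediate layout is valid
```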

Templates for Fast Certificate Issuance

Before issuing the first server certificate, it’s worth setting up templates. XCA supports this under the Templates tab.

A template for TLS server certificates contains:

  • Key Usage: Digital Signature, Key Encipherment
  • Extended Key Usage: TLS Web Server Authentication
  • Basic Constraints: CA:FALSE
  • Subject Alternative Name: placeholder adjusted per certificate
  • Validity: 365–825 days (browsers reject anything over 825 days)

A client auth template for VPN or mTLS:

  • Extended Key Usage: TLS Web Client Authentication
  • Validity: 1–2 years

With templates, issuing a new certificate comes down to: load template → set CN and SAN → sign with Intermediate CA → export. That takes under two minutes.

Templates store all extension and key usage settings for repeatable certificate issuance.

Issuing and Exporting a Server Certificate

Concrete example: TLS certificate for nextcloud.homelab.local.

  1. Tab Certificates → New Certificate
  2. Load template TLS Server
  3. Issuer: Homelab Intermediate CA
  4. Subject: CN = nextcloud.homelab.local
  5. Extensions → Subject Alternative Name:
    DNS:nextcloud.homelab.local
    DNS:nextcloud
    IP:192.168.10.50
  6. Validity: 365 days
  7. Generate new key: RSA 2048 or EC P-256

Subject Alternative Names are critical – without a matching SAN, modern browsers will reject the connection.
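As an added example (not code from the post or from XCA), this Python matcher shows what "a matching SAN" means for entries written the way the dialog in step 5 takes them: DNS names with a single-label wildcard such as the *.homelab.local from the hierarchy above, IP entries for address-based access, and no fallback to the CN. The rule that at least two labels must follow a wildcard is an assumption mirroring common browser policy.

```python
import ipaddress
from typing import Iterable

def _dns_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125-style DNS-ID match: case-insensitive, and a wildcard may only be the
    whole left-most label of the pattern, matching exactly one label of the hostname.
    Assumption (mirrors browser policy): at least two labels must follow the wildcard."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    if p_labels[0] != "*" or "*" in pattern[1:] or len(p_labels) < 3:
        return False
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]

def san_matches(sans: Iterable[str], target: str) -> bool:
    """Return True if `target` (the host part of the URL a client connects to) is
    covered by one of the SAN entries, written as in the XCA dialog: "DNS:name" or
    "IP:address". The CN is never consulted, which is exactly what browsers do."""
    try:
        target_ip = ipaddress.ip_address(target.strip("[]"))   # "[::1]" style literals too
    except ValueError:
        target_ip = None                                         # it is a DNS name
    for entry in sans:
        kind, _, value = entry.partition(":")                    # "IP:2001:db8::1" keeps its colons
        kind, value = kind.strip().upper(), value.strip()
        if kind == "DNS" and target_ip is None and _dns_matches(value, target):
            return True
        if kind == "IP" and target_ip is not None:
            try:
                if ipaddress.ip_address(value) == target_ip:
                    return True
            except ValueError:
                continue                                         # malformed IP entry: skip
    return False

if __name__ == "__main__":
    # Constructed SAN list, identical to the entries in step 5 above
    sans = ["DNS:nextcloud.homelab.local", "DNS:nextcloud", "IP:192.168.10.50"]
    for host in ["nextcloud.homelab.local", "192.168.10.50", "cloud.homelab.local"]:
        print(host, "->", san_matches(sans, host))
```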

After creation, export:

  • Certificate (PEM): for the web server
  • Private Key (PEM, unencrypted): for the web server
  • CA Chain (PEM): Intermediate + Root, for the full chain
  • Optionally PKCS#12: if the application expects a bundle

# Copy certificate and key to the server
scp nextcloud.homelab.local.crt nextcloud.homelab.local.key user@nextcloud:/etc/ssl/private/

# Traefik example: include certificate in dynamic config
# tls/certs.yml
tls:
  certificates:
    - certFile: /certs/nextcloud.homelab.local.crt
      keyFile: /certs/nextcloud.homelab.local.key

Trusting the Root CA in Systems and Browsers

The Root CA certificate needs to be imported as trusted once – on all clients that access internal services.

Linux (system-wide):

sudo cp homelab-root-ca.crt /usr/local/share/ca-certificates/
sudo update-ca-certificates

Windows (GPO or manual):

# As Administrator
Import-Certificate -FilePath homelab-root-ca.crt -CertStoreLocation Cert:\LocalMachine\Root

macOS:

sudo security add-trusted-cert -d -r trustRoot -k /Library/Keychains/System.keychain homelab-root-ca.crt

Firefox has its own certificate store: Settings → Privacy & Security → Certificates → View Certificates → Authorities → Import.

After import, browser warnings disappear for all services signed by your own CA – provided the SANs match.

Conclusion

XCA is exactly the right tool for homelabs that want to run their own PKI without fighting through OpenSSL man pages. The combination of a graphical interface, templates, and a portable database file makes the workflow significantly more pleasant than pure CLI solutions.

The key points: keep the Root CA offline, use the Intermediate CA for day-to-day work, create templates, and back up the .xdb file regularly. That gives you a solid PKI foundation that will serve a homelab for years – without monthly costs for external certificates or the overhead of a full CA server like EJBCA or Vault.

For automated certificate issuance in larger environments, it’s worth looking at HashiCorp Vault with the PKI Secrets Engine or Step-CA – but that’s a topic for another post.