YOU STILL NEED ONE SSL CERTIFICATE (TRUSTED OR YOURSELF MADE, BUT VALID) TO MAKE HTTPS WORK!!!
Create one fake for you own (change the fileds accordingly):
/certificate add name=self-signed-certificate common-name=common-name country=it days-valid=365 key-size=2048 locality=locality organization=organization state=state trusted=yes unit=organization-unit subject-alt-name=DNS:my.local.net,IP:192.168.0.101,email:my@email.it key-usage=digital-signature,key-cert-sign,crl-sign;
/certificate sign template=self-signed-certificate ca-crl-host=192.168.0.101 name=common-name ca-on-smart-card=no;
and enable ip / service / www-ssl and set the service to use certificate “common-name”
and enable, on hotspot profile, login by https, selecting as certificate “common-name”
You can not remove browser warning.
If you buy one ssl certificate, buy it for 1.2.3.4, not for hs.pippo.com or when redirect warning appear.
But if IP are correct, all work without warning, because the certificate are for IP, not for DNS name…