Naming my LAN and self generating Internal SSL
-
What do you guys name your LAN?
I just changed mine to myDomainName.com so I can go to plex.myDomainName.com where plex is either the hostname or setup in the DNS forwarder of pfsense.
While this is cool, I am trying to do this to solve a problem. I am running a few Proxmox nodes which all want an SSL cert for HTTPS or else Chrome etc. throw all kinds of warnings. Since none of these servers are accessible outside the LAN there is no need to get a real SSL cert, though I do have a few domain names.
Is it better to name my LAN some real TLD that I control (myDomainName.com) or something not resolvable like pcmofo.lan?
I would like pfSense to be the CA and issue certs to any of my local servers that need an SSL cert. I'm not sure if the naming convention (.lan vs .com) etc. will affect whether this is successful or not, or if Chrome will still complain.
-
Is it better to name my LAN some real TLD that I control (myDomainName.com) or something not resolvable like pcmofo.lan?
If you have a public domain, use that along with some host overrides in your DNS. If you don't have a real domain then use a fake one like the one you mentioned.
-
I use local.lan - chrome will trust it just fine.
None of the devices I put the certs on.. My switches, my unifi controller web gui, pfsense, etc. All only viewed by devices I control and can trust the CA. Nice with this feature is you can use any domain you want and even rfc1918 SAN entries so you can hit with rfc1918 address and still trusted.. Cannot do that with ACME, etc.
You can set validity on the certs for YEARS.. So you don't have to worry about changing or renewing them every few years, or 90 days like with ACME
-
I use local.lan - chrome will trust it just fine.
None of the devices I put the certs on.. My switches, my unifi controller web gui, pfsense, etc. All only viewed by devices I control and can trust the CA. Nice with this feature is you can use any domain you want and even rfc1918 SAN entries so you can hit with rfc1918 address and still trusted.. Cannot do that with ACME, etc.
You can set validity on the certs for YEARS.. So you don't have to worry about changing or renewing them every few years, or 90 days like with ACME
I'm not sure if I understand everything. You have your LAN set to local.lan, I got that. What/who is generating the SSL certs for you? rfc1918 with a SAN entry is exactly what I need to stop Chrome from complaining. Are you using pfSense to create a CA and generate certs?
-
Yeah, CA created in pfSense
-
…. So you don't have to worry about changing or renewing them every few years, or 90 days like with ACME
@johnpoz: ACME gave me better: in theory the "90 days" or "few years" barrier is gone because cert renewal is fully automated. A bonus is the wildcard certs.
True: a boatload of software is needed and the setup is everything but straightforward (free things are always paid for, and the currency is knowledge).
-
And when that auto renew fails? Or their methods of renew are not viable on the device in question.
And again - can you use whatever domain you want with acme - NO.. Can you use rfc1918 as SAN, NO..
ACME makes sense if the device is going to be public where lots of users are going to use it.. Or going to be used internally and you cannot control what devices access it so you can set them to trust your CA, etc.
Wildcard is of very limited use if you ask me.. Great for if you have multiple sites on a webserver sort of thing..
If you have a public domain and you want to use that internally - great.. I have multiple public domains, I don't want to use any of them internally.. Because they are not meant for that.. You run into the problem with internal/external resolution when using the same domain like that, etc.
-
Yeah, CA created in pfSense
Thanks John, I got it working. I set up an internal CA and an intermediate CA, issued myself certs from the intermediate CA, and was able to set up pfSense on SSL as well as download both the key and cert and import them to other LAN servers.
I added both the internal ip 10.x.x.x and the FQDN server.myfakedomain.com
I did need to add the Internal CA and intermediate CA certs to the local computers as a trusted CA but once I did everything worked.
I don't think there is any other way around manually installing the CA certs on the local machines. It would be great if pfSense could somehow vouch for and install them.
-
If they are windows machines you could prob use group policy to deploy the CAs..
-
It would be great if pfSense could somehow vouch for and install them.
Sounds like a massive security liability to me. Like John said, use GPO.
-
It is way out of scope of what role your firewall should play in your network.. If you want something like that - you should run some sort of distro that is meant to be the end all everything for a small business… Something like ClearOS, it can be your DC in your AD network and your gateway and your file server, etc.. Prob roll out certs via GPO, etc.
Normally if you're an MS shop you would just use the MS CA stuff for your self-signed certs.
If you have it where you want browsers to auto trust your certs then just use ACME...
-
Is there any kind of security worry if you take the internal-ca cert off the pfsense box and import it into a computer for example, so that the machine trusts anything presenting a cert that is issued by the pfsense box? Wouldn't generating a new cert that's issued by the internal-ca for the web URL (for example) to access the pfsense gui and trusting it be better than just installing the primary CA cert and trusting everything? Seems like someone could use this to generate new possibly fake certs.
Sorry for the newbish questions - I'm fairly new to doing this whole cert thing, and learning as I go. This is for my home, we have people at work that issue them for me :)
-
"Seems like someone could use this to generate new possibly fake certs."
So this someone has access to your CA on your copy of pfsense? You have bigger problems than them having your CA.. If your tinfoil hat is that tight.. Just move the key off and put in say a usb stick you have locked in your safe deposit box…
So your concern is someone going to exploit my pfsense box, and then use my CA info to generate certs so my browser will trust the fake website for my bank they also get me to go to somehow.. Again if you're concerned, move your key off your pfsense box so no certs can be generated with that CA.. Unless you put the key back, etc.
-
"Seems like someone could use this to generate new possibly fake certs."
So this someone has access to your CA on your copy of pfsense? You have bigger problems than them having your CA.. If your tinfoil hat is that tight.. Just move the key off and put in say a usb stick you have locked in your safe deposit box…
So your concern is someone going to exploit my pfsense box, and then use my CA info to generate certs so my browser will trust the fake website for my bank they also get me to go to somehow.. Again if you're concerned, move your key off your pfsense box so no certs can be generated with that CA.. Unless you put the key back, etc.
Oh no I'm not that worried, like I said I'm new to this whole cert thing. I'll just take the CA cert and put it on my machines then.
-
Is there any kind of security worry if you take the internal-ca cert off the pfsense box and import it into a computer for example, so that the machine trusts anything presenting a cert that is issued by the pfsense box? Wouldn't generating a new cert that's issued by the internal-ca for the web URL (for example) to access the pfsense gui and trusting it be better than just installing the primary CA cert and trusting everything? Seems like someone could use this to generate new possibly fake certs.
Sorry for the newbish questions - I'm fairly new to doing this whole cert thing, and learning as I go. This is for my home, we have people at work that issue them for me :)
No, the CA certificate is a public key, meant to be copied and transferred to anyone who wants to verify the authenticity of any certificate generated by that particular CA. The only entity that can generate certificates is the one that possesses the secret key of the CA, that's you on your pfSense system.
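The two-tier setup described earlier in the thread (root CA, intermediate CA, server cert with both an FQDN and an RFC1918 IP in the SAN) and the point made just above (the CA certificate is public; only the holder of the CA private key can issue) can both be reproduced on the command line with openssl. This is an added example written for this thread, not pfSense's own code or output; the names (Home Internal Root CA, server.myfakedomain.com, 10.0.0.5) are made up, and it assumes OpenSSL 1.1.1 or later is installed.

```bash
#!/usr/bin/env bash
# Added example: build root -> intermediate -> server chain with openssl,
# then check the properties the thread talks about. All names are made up.
set -euo pipefail
WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# 1. Root CA: self-signed, marked as a CA, key kept offline in real use.
cat > root.ext <<'EOF'
basicConstraints=critical,CA:TRUE
keyUsage=critical,keyCertSign,cRLSign
subjectKeyIdentifier=hash
EOF
openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Home Internal Root CA" \
  -keyout root.key -out root.csr 2>/dev/null
openssl x509 -req -in root.csr -signkey root.key -days 3650 \
  -extfile root.ext -out root.crt 2>/dev/null

# 2. Intermediate CA: signed by the root, pathlen:0 so it cannot mint further CAs.
cat > int.ext <<'EOF'
basicConstraints=critical,CA:TRUE,pathlen:0
keyUsage=critical,keyCertSign,cRLSign
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer
EOF
openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Home Internal Intermediate CA" \
  -keyout int.key -out int.csr 2>/dev/null
openssl x509 -req -in int.csr -CA root.crt -CAkey root.key -CAcreateserial \
  -days 1825 -extfile int.ext -out int.crt 2>/dev/null

# 3. Server cert from the intermediate, with DNS name and RFC1918 IP in the SAN.
#    Browsers ignore the CN and match only the SAN, so the IP entry is what lets
#    https://10.0.0.5 validate without a warning.
cat > server.ext <<'EOF'
basicConstraints=CA:FALSE
keyUsage=critical,digitalSignature,keyEncipherment
extendedKeyUsage=serverAuth
subjectAltName=DNS:server.myfakedomain.com,IP:10.0.0.5
EOF
openssl req -new -newkey rsa:2048 -nodes -subj "/CN=server.myfakedomain.com" \
  -keyout server.key -out server.csr 2>/dev/null
openssl x509 -req -in server.csr -CA int.crt -CAkey int.key -CAcreateserial \
  -days 1825 -extfile server.ext -out server.crt 2>/dev/null

# Full chain validates when the client trusts root.crt and is handed int.crt.
chain_verifies() {
  openssl verify -CAfile root.crt -untrusted int.crt server.crt >/dev/null 2>&1
}

# Without the intermediate the chain is incomplete: this is the usual cause of
# "unknown issuer" after importing only the root on a client.
chain_without_intermediate_fails() {
  ! openssl verify -CAfile root.crt server.crt >/dev/null 2>&1
}

# The SAN carries the RFC1918 address alongside the FQDN.
san_includes_ip() {
  openssl x509 -in server.crt -noout -text | grep -q 'IP Address:10.0.0.5'
}

# Handing out root.crt is safe: a certificate holds no private key, so it
# cannot be used to sign anything. Only root.key can issue.
cert_alone_cannot_sign() {
  ! openssl x509 -req -in server.csr -CA root.crt -CAkey root.crt \
      -days 1 -out /dev/null 2>/dev/null
}

chain_verifies && echo "chain OK (root trusted, intermediate supplied)"
chain_without_intermediate_fails && echo "chain fails without intermediate, as expected"
san_includes_ip && echo "SAN contains IP:10.0.0.5"
cert_alone_cannot_sign && echo "root.crt alone cannot sign: private key required"
```

Only root.crt (and int.crt, if the servers do not send it themselves) needs to go to the client trust stores; root.key and int.key stay on the issuer, which is the "move the key off the box" advice given above in practical form.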
-
@kpa:
Is there any kind of security worry if you take the internal-ca cert off the pfsense box and import it into a computer for example, so that the machine trusts anything presenting a cert that is issued by the pfsense box? Wouldn't generating a new cert that's issued by the internal-ca for the web URL (for example) to access the pfsense gui and trusting it be better than just installing the primary CA cert and trusting everything? Seems like someone could use this to generate new possibly fake certs.
Sorry for the newbish questions - I'm fairly new to doing this whole cert thing, and learning as I go. This is for my home, we have people at work that issue them for me :)
No, the CA certificate is a public key, meant to be copied and transferred to anyone who wants to verify the authenticity of any certificate generated by that particular CA. The only entity that can generate certificates is the one that possesses the secret key of the CA, that's you on your pfSense system.
Ahh ok, thanks. That explains it a lot better.