Netgate Discussion Forum
    Naming my LAN and self generating Internal SSL

    • Gertjan

      @johnpoz:

      …. So you don't have to worry about changing or renew them every few years, or 90 days like with ACME

      @johnpoz : ACME gave me better: in theory the "90 days" or "few years" barrier is gone because cert renewal is fully automated. Bonus: the wildcard certs.
      True: a boatload of software is needed and the setup is anything but straightforward (free things are always paid, and the currency is knowledge).

      No "help me" PM's please. Use the forum, the community will thank you.
      Edit : and where are the logs ??

      • johnpoz LAYER 8 Global Moderator

        And when that auto renew fails?  Or their methods of renewal are not viable on the device in question.

        And again - can you use whatever domain you want with ACME - NO..  Can you use rfc1918 as SAN, NO..

        ACME makes sense if the device is going to be public where lots of users are going to use it.. Or going to be used internally and you can not control what devices access it, so you can't set them to trust your CA, etc.

        Wildcard is of very limited use if you ask me..  Great if you have multiple sites on a webserver sort of thing..

        If you have a public domain and you want to use that internally - great..  I have multiple public domains, I don't want to use any of them internally.. Because they are not meant for that..  You run into the problem with internal/external resolution when using the same domain like that, etc.

        An intelligent man is sometimes forced to be drunk to spend time with his fools
        If you get confused: Listen to the Music Play
        Please don't Chat/PM me for help, unless mod related
        SG-4860 24.11 | Lab VMs 2.7.2, 24.11

        • pcmofo

          @johnpoz:

          Yeah ca created in pfsense

          Thanks John, I got it working. I set up an internal CA and an intermediate CA, issued myself certs from the intermediate CA, and was able to set up pfSense on SSL as well as download both the key and cert and import them to other LAN servers.

          I added both the internal IP 10.x.x.x and the FQDN server.myfakedomain.com

          I did need to add the Internal CA and intermediate CA certs to the local computers as a trusted CA but once I did everything worked.

          I don't think there is any other way around manually installing the CA certs on the local machines. It would be great if pfSense could somehow vouch for and install them.

          • johnpoz LAYER 8 Global Moderator

            If they are windows machines you could prob use group policy to deploy the CAs..

            • KOM

              It would be great if pfSense could somehow vouch for and install them.

              Sounds like a massive security liability to me.  Like John said, use GPO.

              • johnpoz LAYER 8 Global Moderator

                It is way out of scope of what role your firewall should play in your network..  If you want something like that - you should run some sort of distro that is meant to be the end all everything for a small business… Something like ClearOS, it can be your DC in your AD network and your gateway and your file server, etc..  Prob roll out certs via gpo, etc.

                Normally if you're an MS shop you would just use the MS CA stuff for your self-signed certs.

                If you have it where you want browsers to auto trust your certs then just use ACME...

                  • behemyth

                  Is there any kind of security worry if you take the internal-ca cert off the pfsense box and import it into a computer, for example, so that the machine trusts anything presenting a cert that is issued by the pfsense box? Wouldn't generating a new cert that's issued by the internal-ca for the web-url (for example) to access the pfsense gui and trusting it be better than just installing the primary ca cert and trusting everything? Seems like someone could use this to generate new possibly fake certs.

                  Sorry for the newbish questions - I'm fairly new to doing this whole cert thing, and learning as I go. This is for my home, we have people at work that issue them for me :)

                    • johnpoz LAYER 8 Global Moderator

                    "Seems like someone could use this to generate new possibly fake certs."

                    So this someone has access to your CA on your copy of pfsense?  You have bigger problems than them having your CA.. If your tinfoil hat is that tight.. Just move the key off and put it in, say, a USB stick you have locked in your safe deposit box…

                    So your concern is someone going to exploit my pfsense box, and then use my CA info to generate certs so my browser will trust the fake website for my bank they also get me to go to somehow..  Again, if you're concerned, move your key off your pfsense box so no certs can be generated with that CA.. Unless you put the key back, etc.

                      • behemyth

                      @johnpoz:

                      Oh no I'm not that worried, like I said I'm new to this whole cert thing. I'll just take the CA cert and put it on my machines then.

                        • kpa

                        @behemyth:

                        No, the CA certificate is a public key, meant to be copied and transferred to anyone who wants to verify the authenticity of any certificate generated by that particular CA. The only entity that can generate certificates is the one that possesses the secret key of the CA, and that's you on your pfSense system.

                          • behemyth
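Pulling together pcmofo's setup (root CA, intermediate CA, server cert with a private-IP SAN and a LAN FQDN SAN) and kpa's point that the CA certificate handed to clients contains no private key, as an added openssl example that is not code from the thread or from pfSense. The CA names, the address 10.0.0.1 and server.myfakedomain.com are constructed values.

```shell
#!/bin/sh
# Added example, not code from the thread or from pfSense: build with openssl the
# chain pcmofo describes (root CA -> intermediate CA -> server cert whose SANs are
# a private IP and a LAN FQDN) and check kpa's point: the CA certificate handed to
# clients carries no private key. CA names, the IP and the domain are constructed.
set -e
WORK=$(mktemp -d)
LAN_IP="10.0.0.1"
LAN_FQDN="server.myfakedomain.com"

build_chain() {
  cd "$WORK"
  # Root CA: self-signed and long-lived. root.key is what should leave the box
  # (johnpoz's USB stick); root.crt is what gets installed on clients.
  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=Home Root CA" \
    -keyout root.key -out root.csr 2>/dev/null
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
  openssl x509 -req -in root.csr -signkey root.key -days 3650 -sha256 \
    -extfile ca.ext -out root.crt 2>/dev/null
  # Intermediate CA: signed by the root; pathlen:0 means it may issue server
  # certs but not further CAs.
  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=Home Intermediate CA" \
    -keyout inter.key -out inter.csr 2>/dev/null
  printf 'basicConstraints=critical,CA:TRUE,pathlen:0\nkeyUsage=critical,keyCertSign,cRLSign\n' > inter.ext
  openssl x509 -req -in inter.csr -CA root.crt -CAkey root.key -CAcreateserial \
    -days 1825 -sha256 -extfile inter.ext -out inter.crt 2>/dev/null
  # Server cert: issued by the intermediate. The SAN carries both the RFC 1918
  # address and the hostname, a combination a public ACME CA will not issue.
  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=$LAN_FQDN" \
    -keyout server.key -out server.csr 2>/dev/null
  printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:%s,IP:%s\n' \
    "$LAN_FQDN" "$LAN_IP" > server.ext
  openssl x509 -req -in server.csr -CA inter.crt -CAkey inter.key -CAcreateserial \
    -days 398 -sha256 -extfile server.ext -out server.crt 2>/dev/null
}

# Verify the way a browser does: trust only root.crt, take inter.crt from the
# server's chain, and require the name (or IP) being visited to match the SAN.
chain_ok() { openssl verify -CAfile "$WORK/root.crt" -untrusted "$WORK/inter.crt" \
  -verify_hostname "$1" "$WORK/server.crt" >/dev/null 2>&1; }
ip_ok() { openssl verify -CAfile "$WORK/root.crt" -untrusted "$WORK/inter.crt" \
  -verify_ip "$1" "$WORK/server.crt" >/dev/null 2>&1; }
# Only root.crt is distributed; it holds the public key and must hold no key material.
ca_cert_is_public() { ! grep -q "PRIVATE KEY" "$WORK/root.crt"; }

build_chain
chain_ok "$LAN_FQDN" && ip_ok "$LAN_IP" && ca_cert_is_public && echo "chain OK"
```

A client that imports only root.crt accepts server.crt for the listed name and address and rejects it for any other name, while root.key stays wherever you keep it.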

                          @kpa:

                          Ahh ok, Thanks. That explains it a lot better.

                          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.