SSL Certificates for Local IP address [Solved]
-
@jimp Thanks for the response! But are there posts for doing this for a local IP without opening ports or linking it to an FQDN? I don't want to have my firewall open on the internet.
I'm sorry for the double post, I didn't know where to post it.
-
I would suggest that as well - IF the site was going to be accessed by browsers/machines not in your control. But since you stated
I don't want to need to trust the certificate on every machine
This points to just an admin user, or very limited access to the GUI, which is the norm on a security device ;)
So your own CA, that you trust, is a much better solution. You don't have to worry about split DNS resolving some public DNS name to a local IP, or hitting your WAN IP from the LAN side. And you can set the cert to be valid for 10 years. So it's a one-time thing, and just forget. Also this allows for use of an RFC 1918 IP as a SAN and still be trusted if DNS is not available and you need to hit the GUI.
Also comes with the added benefit that if you trust this CA, you can then issue certs for all your other internal devices that have admin GUIs via SSL. Your switches for example, your UniFi controller, etc. etc.
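As an added example (not code from the thread, and not pfSense's own cert manager, which does the same through the GUI), here is the local-CA setup described above done with the openssl CLI: a private root, a 10-year leaf for the web GUI whose SAN carries both the hostname and the RFC 1918 address, and the chain check a browser that trusts the root performs. The hostname pfsense.localdomain, the address 192.168.9.253, the CA name and the file names are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example, not from the thread: a private CA plus a 10-year leaf
# certificate for the pfSense web GUI carrying both a DNS SAN and an
# RFC 1918 IP SAN, followed by a chain check. Hostname, IP, CA name and
# file names are assumptions chosen for illustration.
set -eu

WORK="${WORK:-$(mktemp -d)}"   # scratch directory for keys and certs

# Root CA: CA:TRUE and keyCertSign, valid 3650 days (about 10 years).
# A private config file keeps this independent of the system openssl.cnf.
make_ca() {
    cat > "$WORK/ca.cnf" <<'EOF'
[req]
prompt = no
distinguished_name = dn
x509_extensions = ca_ext
[dn]
CN = Home Lab Root CA
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF
    openssl req -x509 -config "$WORK/ca.cnf" -newkey rsa:3072 -nodes -sha256 \
        -days 3650 -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
}

# Leaf cert for the GUI. The SAN lists the hostname AND the LAN IP, so the
# cert still validates when the GUI is reached by IP with local DNS down.
make_leaf() {
    host="$1"; ip="$2"
    cat > "$WORK/leaf.cnf" <<EOF
[req]
prompt = no
distinguished_name = dn
[dn]
CN = $host
EOF
    openssl req -new -config "$WORK/leaf.cnf" -newkey rsa:2048 -nodes -sha256 \
        -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" 2>/dev/null
    cat > "$WORK/leaf.ext" <<EOF
basicConstraints = CA:FALSE
keyUsage = critical,digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:$host,IP:$ip
EOF
    openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
        -CAcreateserial -days 3650 -sha256 -extfile "$WORK/leaf.ext" \
        -out "$WORK/leaf.crt" 2>/dev/null
}

# The check a browser that trusts ca.crt performs: does leaf.crt chain to it?
verify_chain() {
    openssl verify -CAfile "$WORK/ca.crt" "$WORK/leaf.crt" >/dev/null 2>&1
}

# The SAN line of the leaf, so the IP entry can be inspected or asserted on.
leaf_san() {
    openssl x509 -in "$WORK/leaf.crt" -noout -ext subjectAltName | tail -n 1 | sed 's/^ *//'
}

# True if the leaf is still valid $1 days from now (-checkend takes seconds).
leaf_valid_for_days() {
    openssl x509 -in "$WORK/leaf.crt" -noout -checkend $(( $1 * 86400 )) >/dev/null 2>&1
}

make_ca
make_leaf pfsense.localdomain 192.168.9.253
verify_chain && echo "chain OK: leaf signed by $WORK/ca.crt"
echo "SAN: $(leaf_san)"
echo "Distribute $WORK/ca.crt to the trusted root store (e.g. via GPO); keep ca.key offline."
```

Only ca.crt is ever distributed; ca.key stays off the firewall and off every client. The leaf key and cert are what get imported into the pfSense cert manager and selected for the web GUI.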
-
@jessegroenendaal said in SSL Certificates for Local IP address:
therefore you need to port forward the local IP address, right? If this is the only option it is ok. But are there any options without port forwarding/linking it?
You lost me on this - why would you think you need to port forward anything? I'm on LAN or any other OPT local network, and hitting my web GUI from the admin network or LAN. So the pfSense name should resolve via your local DNS (pfSense even).. Mine for example is sg4860.local lan. Or I can just hit it via IP 192.168.9.253
Are you hitting this from the public/WAN side?
-
@johnpoz You're right, I could actually make a GPO for this on the administrators security group on the server. It would actually be way more secure! Thanks :)
-
If you're using AD.. You can just use the AD CA, but to be honest it's easier to just use the pfSense cert manager and set up a CA there. If you wanted, you could deploy this trusted CA via your GPO, sure.
-
@johnpoz You are right, wasn't thinking about it.. Hitting the web interface from the LAN side, so there's totally no need to port forward.. stupid me. Thanks for the help, I know enough for now! :)
-
Let me know if you need a picture walk thru, bouncing ball sort of thing ;)
-
@johnpoz Up to now I don't need it; I already created some certs earlier, but the problem was that I was searching for a "better" solution than trusting it on every machine. You've made me think differently about this; I'm going to set up a GPO for the cert I already have and it will be solved! :) Thank you very much!
-
@jessegroenendaal said in SSL Certificates for Local IP address:
@jimp Thanks for the response! But are there posts for doing this for a local IP without opening ports or linking it to an FQDN? I don't want to have my firewall open on the internet.
With DNS-based updates it doesn't need to be open to the Internet and it doesn't need to have a public A record. You set up a host locally so that you can resolve, e.g. firewall.example.com, on your local network. The ACME package would hit a DNS server and add a TXT record for the ACME challenge for that domain (_acme-challenge.firewall.example.com) which gets removed at the end of the process. That's how my whole lab is set up. No external/public access or public A records, but valid certs from the ACME package.
-
Does that method also allow for RFC 1918 IP SAN entries? Or for the use of a domain that is not valid publicly via its TLD, like local.lan, or single-label domains that many users are fond of, pfsense.localdomain as an example?
If so, will have to play with this. But then again not too many switches and other devices have support for ACME that I have seen. So the local CA still has multiple advantages IMO.
-
@johnpoz said in SSL Certificates for Local IP address:
Does that method also allow for RFC 1918 IP SAN entries? Or for the use of a domain that is not valid publicly via its TLD, like local.lan, or single-label domains that many users are fond of
No, it can't have IP address SANs and must have a valid domain that exists in public DNS. The hostname doesn't need to be public, but the domain has to be registered/have name servers.
If so, will have to play with this. But then again not too many switches and other devices have support for ACME that I have seen. So the local CA still has multiple advantages IMO.
Yeah, for that kind of thing it could be a PITA to constantly update them with the ACME cert since it wouldn't be automated. The local CA does win out in that scenario.