ACME: generating and managing LE-certs for internal web-services

  • I'd like to generate and manage LE-Certs for devices like switches and stuff with the pfsense-ACME-package.
    Now I think about how to do that. For the challenge-handshake I would need to setup DNS records for every hostname I use internally, right? Isn't that a bit of overkill and insecure?

    Maybe I miss the obvious solution, I am thankful for any clever hint here.

    And no, I would like to avoid wildcard cert(s)  ;)

  • LAYER 8 Global Moderator

    You use external public domain names on your internal devices?

    For your internal devices, like switches - which I assume only access by very limited number of yours..  Why not just use internal CA, built in to pfsense?

    This allows you to create any FQDN you want for your certs… I use local.lan for example.  And also allows use to use rfc1918 address space on your san so you can access your device via either fqdn and or rfc1918 and still have trusted cert.

    I do all my internal things that serve up some sort of webgui.. switches, unifi controller, pfsense itself, etc. etc..

    Another nice thing about it - is you can setup the cert to be trusted for like 10 years if you want ;)

  • Thanks for the reply.

    Maybe I over-complicate things but in this case it is a company network, 3+ sites connected via IPSEC-VPNs, and one external domain/TLD.
    So I would have to set up 3 CAs, one per site … and separate those local.lan FQDNs into site.local.lan or so?

    This leads to another issue: I'd like to be able to ask the DNS-forwarder of SiteB from Site-A: if I set up a new fixed DHCP-lease for a VM at SiteB, its hostname should be resolvable at the other sites without having to maintain this at every site.

    For now we have external names, yes. With sub-optimal success, yes ;-)

  • LAYER 8 Global Moderator

    Why would you need 3 CA's? Makes no sense.. You could have a 100 sites in your org, only 1 CA needed..

    Setup your dns correctly with different subdomain for each site, then setup domain overrides for your different domains and there you go all sites resolve everything through your site to site connections.

    You do understand 1 CA can sign off on certs for any domains you want right? Be it your public domain even. As long as you trust the CA anything it signs will be trusted.

  • @johnpoz I tried something like that already but didn't get the domain overrides to work.

    I have that sitea/siteb/sitec setup already but the DNS-overrides never worked. Maybe I missed some firewall-rules or so, I have to recheck things. Is it important to use DNS resolver or forwarder, or should that work anyway?

    The one central CA would "sit" on one pfsense only right? The distribution of the certs would happen manually?

  • LAYER 8 Global Moderator

    Have no idea what you tried. But simple domain override is all that is needed to be able to query a specific nameserver for fqdn, etc.

    Yes the certs would be issued manually. Where the CA sits means nothing - could be on your PC, could be in the cloud.. Just pointing out that pfsense comes with a simple to use gui to a CA.. Since you have pfsense, why not leverage its CA interface if you want to create certs for your devices that your going to trust.

    Does not matter if you used forwarder or resolver or even resolver in forwarding mode. Domain override would be the same.

  • OK, I watch some pfsense hangouts about DNS etc to learn more of the necessary basics.
    And then I will try to setup my internal CA etc / thanks so far

  • LAYER 8 Global Moderator


    I have multiple posts about on how to trust cert you created.. But with the change to new forum old pictures might be gone? If you need some help on how to trust your cert just ask.

  • @johnpoz status: I set up a Root-CA and a intermediate "Sub-CA" as shown on youtube.
    As far as I understand I now would have to import the Root-CA (and the Sub?) into each client (=PC) using all this.
    My Fedora 28 desktop does not like to import these crt-files ... I have to research that in more detail.

    And I tried to upload a generated cert and its key to a TP-Link switch, it accepted the cert but not the key.
    Tried a shorter one, failed as well.

  • LAYER 8 Global Moderator


    Personally I don't see the need for the intermediate in such a setup..

    Which tp-link switch do you have? Can you just create a CSR and sign it with your new CA? I have a cheap one on my shelf I could try.. My cisco sg300s were a bit picky as well on how to install certs. But the CSR was the easy way to do it.

    As to fedora... Where are you trying to install them - it would just be done in your browser to trust the CA. Doesn't really matter what OS the browser is running on. What browser are you using.

  • @johnpoz It's a TL-SG3424P and it does not allow creating a CSR, just upload key and cert. Didn't find specs for key length or so. I will retry in the next days ... thanks so far.

  • LAYER 8 Global Moderator

    Sorry I do not have one of those to play with or would for sure.. Let me see how much they cost.. Can always throw it in my lab for testing and helping others with same model and vlans and such.

    did you see this?

    The key you export from gui will be in base64 pem and rsa.. But maybe the switch doesn't like the .key ext vs .pem?

    BTW they are very pricey on amazon - even the non poe model. And its latest firmware is from 2015? Arrrgghh..

  • @johnpoz

    The link you posted looks promising, I will try that maybe tomorrow ...
    Ah, what the heck: tested that, works! thanks

    My customer bought TP-Link because they were cheap back then! ;-)

  • LAYER 8 Global Moderator


    So you just changed the extension to pem vs key. you should not have to run that through openssl - its not going to do anything because the key is already in the correct format.

    Glad you got it sorted... Make the certs good for 10 years so you won't have to dick with them again. And put SAN on them for IP while your at it would be my suggestion.

  • Yes, thanks for the suggestion.
    I plan to restructure my local DNS as well and will watch a pfsense hangout around this to maybe get an idea how to do that. After DNS works -> certs ;-)

  • LAYER 8 Moderator

    @sgw if you've got problem importing certs or CAs into things like switches etc. make sure which format they need. Some won't like normal PEM style format and want sth like PKCS8 or PKCS12 format. Others want key+cert in the same file. :)

Log in to reply