Netgate Discussion Forum

SSL Certificates for Local IP address [Solved]

    johnpoz LAYER 8 Global Moderator
    last edited by Jun 26, 2018, 12:47 PM

    This has been gone over multiple times. Create an actual CA on pfSense, not just the self-signed cert that is generated on install. Create your cert with the FQDN you want, and any SAN you might also want to use, like the IP. Then trust this CA in the browser/machine you want to access the GUI from.

    I have posted multiple threads on doing this with pictures - problem is the pictures may have been lost in the forum upgrade - if you need I can redo the pictures.

    An intelligent man is sometimes forced to be drunk to spend time with his fools
    If you get confused: Listen to the Music Play
    Please don't Chat/PM me for help, unless mod related
    SG-4860 24.11 | Lab VMs 2.7.2, 24.11

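The procedure from the post above (own CA, leaf cert with FQDN plus IP SAN, trust the CA on the client) as an added, runnable example that is not from the thread or from pfSense itself; it uses the openssl CLI directly, and the CA name, pfsense.home.lan and 192.168.1.1 are placeholders. Needs OpenSSL 1.1.1 or newer.

```shell
#!/bin/sh
# Added example, not from the thread: build a private CA, issue a web GUI cert
# whose SAN carries both the FQDN and the LAN IP, then verify it the way a
# browser trusting that CA would. Placeholders: pfsense.home.lan, 192.168.1.1.
set -eu
WORK=$(mktemp -d); trap 'rm -rf "$WORK"' EXIT; cd "$WORK"

# Minimal req config so the script does not depend on the system openssl.cnf.
cat > req.cnf <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF

# Root CA: 10 years, only allowed to sign certificates and CRLs.
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 3650 -config req.cnf \
    -extensions v3_ca -subj "/CN=Home Lab Root CA" \
    -keyout ca.key -out ca.crt 2>/dev/null
}

# Leaf cert for the GUI. Browsers ignore the CN and match on the SAN only, so
# both the name and the RFC 1918 address go there. 825 days is the longest
# leaf validity Apple platforms still accept, even from a private CA.
issue_gui_cert() {
  openssl req -newkey rsa:2048 -nodes -config req.cnf -subj "/CN=$1" \
    -keyout gui.key -out gui.csr 2>/dev/null
  printf '%s\n' "basicConstraints=critical,CA:FALSE" \
    "keyUsage=critical,digitalSignature,keyEncipherment" \
    "extendedKeyUsage=serverAuth" "subjectAltName=DNS:$1,IP:$2" > gui.ext
  openssl x509 -req -in gui.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
    -days 825 -extfile gui.ext -out gui.crt 2>/dev/null
}

# Succeeds only if gui.crt chains to ca.crt AND its SAN covers the given
# hostname or IP; an unlisted name fails even though the chain is valid.
check_cert() {
  openssl verify -CAfile ca.crt -verify_hostname "$1" gui.crt >/dev/null 2>&1 ||
  openssl verify -CAfile ca.crt -verify_ip "$1" gui.crt >/dev/null 2>&1
}

make_ca
issue_gui_cert pfsense.home.lan 192.168.1.1
openssl x509 -in gui.crt -noout -subject -ext subjectAltName
```

ca.crt is the file you import into the browser or OS trust store (or push by GPO); ca.key stays on the CA host and is never distributed.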
      jimp Rebel Alliance Developer Netgate
      last edited by Jun 26, 2018, 12:49 PM

      Or if you have a domain with DNS hosted by a provider that is supported by the ACME package, use it to obtain a valid certificate for your firewall's hostname in that domain.

      There are plenty of posts on the forum about these topics, though.

      [Also, I removed your double post to another category, there is no need to cross-post topics here]

      Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

      Need help fast? Netgate Global Support!

      Do not Chat/PM for help!

        JesseGroenendaal @johnpoz
        last edited by Jun 26, 2018, 12:51 PM

        @johnpoz Thanks for the quick response! :) I know how to do that, but then you need to link it to an FQDN and therefore you need to port forward the local IP address, right? If this is the only option it is ok. But are there any options without port forwarding/linking it?

          JesseGroenendaal @jimp
          last edited by Jun 26, 2018, 12:53 PM

          @jimp Thanks for the response! But are there posts for doing this to a local IP without opening ports or linking it to an FQDN? I don't want to have my firewall open on the internet.

          I'm sorry for the double post, I didn't know where to post it.

            johnpoz LAYER 8 Global Moderator
            last edited by johnpoz Jun 26, 2018, 12:58 PM Jun 26, 2018, 12:53 PM

            I would suggest that as well - IF the site was going to be accessed by browsers/machines not in your control. But since you stated

            I don’t want to need to trust the certificate on every machine

            This points to just the admin user, or very limited access to the GUI, which is the norm on a security device ;)

            So your own CA, that you trust, is a much better solution. You don't have to worry about split DNS resolving some public DNS name to a local IP, or hitting your WAN IP from the LAN side. And you can set the cert to be valid for 10 years. So it's a one time thing, and then just forget it. Also this allows for use of an RFC 1918 IP as a SAN, and it's still trusted if DNS is not available and you need to hit the GUI.

            Also comes with the added benefit that if you trust this CA, you can then issue certs for all your other internal devices that have admin GUIs via SSL. Your switches for example, your UniFi controller, etc. etc.

              johnpoz LAYER 8 Global Moderator
              last edited by johnpoz Jun 26, 2018, 12:56 PM Jun 26, 2018, 12:55 PM

              @jessegroenendaal said in SSL Certificates for Local IP address:

              therefore you need to portforward the local ip address right? If this is the only option it is ok. But are there any options without port forwarding/linking it?

              You lost me on this - why would you think you need to port forward anything? I'm on LAN or any other local OPT network, and hitting my web GUI from the admin network or LAN. So the pfSense name should resolve via your local DNS (pfSense even). Mine for example is sg4860.local lan. Or I can just hit it via IP 192.168.9.253

              Are you hitting this from public/wan side?

                JesseGroenendaal @johnpoz
                last edited by Jun 26, 2018, 12:57 PM

                @johnpoz You're right, I could actually make a GPO for this on the administrators security group on the server. It would actually be way more secure! Thanks :)

                  johnpoz LAYER 8 Global Moderator
                  last edited by Jun 26, 2018, 1:00 PM

                  If you're using AD.. You can just use the AD CA, but to be honest it's easier to just use the pfSense cert manager and set up the CA there. If you wanted, you could deploy this trusted CA via your GPO, sure.

                    JesseGroenendaal @johnpoz
                    last edited by Jun 26, 2018, 1:00 PM

                    @johnpoz You are right, wasn't thinking about it.. Hitting the web interface from the LAN side, so totally no need to port forward... stupid me. Thanks for the help, I know enough for now! :)

                      johnpoz LAYER 8 Global Moderator
                      last edited by Jun 26, 2018, 1:01 PM

                      Let me know if you need a picture walk thru, bouncing ball sort of thing ;)

                        JesseGroenendaal @johnpoz
                        last edited by Jun 26, 2018, 1:04 PM

                        @johnpoz Up to now I don't need it, I already created some certs earlier, but the problem was that I was searching for a "better" solution than trusting it on every machine. You've made me think differently about this, I'm going to set up a GPO for the cert I already have and it will be solved! :) Thank you very much!

                          jimp Rebel Alliance Developer Netgate @JesseGroenendaal
                          last edited by Jun 26, 2018, 1:04 PM

                          @jessegroenendaal said in SSL Certificates for Local IP address:

                          @jimp Thanks for the response! But are there posts for doing this to a local IP without opening ports or linking it to an FQDN? I don't want to have my firewall open on the internet.

                          With DNS based updates it doesn't need to be open to the Internet and it doesn't need to have a public A record. You set up a host locally so that you can resolve, e.g. firewall.example.com, on your local network. The ACME package would hit a DNS server and add a TXT record for the ACME challenge for that domain (_acme-challenge.firewall.example.com) which gets removed at the end of the process.

                          That's how my whole lab is set up. No external/public access or public A records, but valid certs from the ACME package.

                            johnpoz LAYER 8 Global Moderator
                            last edited by johnpoz Jun 26, 2018, 1:11 PM Jun 26, 2018, 1:07 PM

                            Does that method also allow for RFC 1918 IP SAN entries? Or for use of a domain that is not valid on the public side via TLD, like local.lan, or single label domains that many users are fond of, pfsense.localdomain as an example

                            If so I will have to play with this. But then again not too many switches and other devices have support for ACME that I have seen. So the local CA still has multiple advantages IMO.

                              jimp Rebel Alliance Developer Netgate @johnpoz
                              last edited by Jun 26, 2018, 1:13 PM

                              @johnpoz said in SSL Certificates for Local IP address:

                              Does that method also allow for RFC 1918 IP SAN entries? Or for use of a domain that is not valid on the public side via TLD, like local.lan, or single label domains that many users are fond of

                              No, it can't have IP address SANs and must have a valid domain that exists in public DNS. The hostname doesn't need to be public, but the domain has to be registered/have name servers.

                              If so I will have to play with this. But then again not too many switches and other devices have support for ACME that I have seen. So the local CA still has multiple advantages IMO.

                              Yeah, for that kind of thing it could be a PITA to constantly update them with the ACME cert since it wouldn't be automated. Local CA does win out in that scenario.

                              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.