Is Cert Manager suitable for the job of handling internal CA?

  • We have a HA pfsense setup for our servers and I wonder if the Cert Manager is suitable for being internal CA and signing certs for intranet websites, tls client certificates etc?

    I know I can do it with openssl but it would be nice to have some kind of overview of what certs are in circulation, when they expire etc.

    So far I've only used the Cert Manager for OpenVPN which worked fine. But that is why I'm wondering if it also can handle whatever is needed for every other kind of cert or format commonly in use.

    I'd also like to leverage the HA we already have on our two pfsense servers.

  • @pete-s
    I used it for a cert for pfSense and 2 servers on my home LAN to enable HTTPS, as well as OpenVPN . I think 2.5 is the first version that can renew a cert, though.

  • LAYER 8 Global Moderator

    I have been using it as my CA for years and years.. Any certs I need internally I just create with the pfsense CA. Switches, Nas, unifi controller, printer, pretty much anything that has a https gui..

    Good thing is my certs are prob good for long time still, even with browsers changing to very short certs.. Most of my certs are years old and still have like 5+ years left on them since made them 10 year.. And they are grandfathered in on browsers ;)

    So yeah I would say its more than capable of handling your certs needs.. Unless your talking 100's or thousands of certs it pretty much is full rounded in what you can do from the gui.

  • @johnpoz @provels

    Thanks, that sounds good!

    The docs only really has one page of info on the cert manager.

    So I just wanted to make sure it has the features needed instead of trying to do something with it that it wasn't made for.

  • Found that there's also a pfSense hangout video and slides available specifically on the cert manager. Might be useful if you end up in this thread.

    Youtube Video