Sharing wildcard cert internally



  • I have the ACME package configured and it appears to be working (domains hosted by Google Domains, DNS managed by Cloudflare).

    I am generating a wildcard cert (e.g. *.domain.com). This cert is working for my pfSense router so that now I can access it over HTTPS and it no longer gives me the warning that it is running a self-signed certificate.

    What I would like to do now is update some of my internal services to use this wildcard certificate. They are running on a separate server (most of them in FreeBSD iocage jails). Is the best method to do an SCP from the destination into pfSense to copy the cert locally? Or is there something more automated?



  • @RyanM said in Sharing wildcard cert internally:

    Or is there something more automated?

    It is possible to SSH into pfSense from 'where ever' using 'what ever' doing 'what ever'.

    Concrete example : I have a desktop PC executing a program that logs in, retrieves the config, and saves it on the PC every day - I found this program on this forum, I didn't make it myself.

    See the acme package (the manual => the script itself) for details how to retrieve cert details.

    Typically, the script you write for reach device should run ones a day.
    It should get the validity date/time of the cert being used on that device.
    Then it should do a TLS connection to pfSense, port 443. retrieve the cert details, extract the validity date/time.
    Compare the two, and if the latter is more recent, execute a "files copy" and restart locally the services that are using the newly installed cert.

    Btw : automating is only possible for those who know how it all 'works'. For those who don't or don't want to know : the manual way : exporting from pfSense and importing else where works also very well.
    Btw : I copy my acme/pfSense wildcard cert to a couple of local printers on my Syno diskstation every 60 days. Not really needed, I admit.


Log in to reply