SSL Certificates for local domain?


nitrobass24

Moderator
Dec 26, 2010
Yes, but they are still not offering local domain certificates. I guess theoretically you could use a public domain internally though.
 

Rand__

Well-Known Member
Mar 6, 2014
So LE wildcard certs are delayed, but while looking into that I realized that it's already possible to add a total of 100 hosts to a single certificate, which should be sufficient for most SOHO networks.
The added bonus is that the regular certificate does not need a DNS challenge, which makes automation much simpler for me (as I can't automatically adjust the DNS record).

So far so good, but now when mulling over the process I realized that the major issue is not getting a certificate but instead deploying it to a variety of different boxes every 90 days. If I were hosting a lot of my own web pages then that would simply be done using OS automation, but most of my pages are embedded.

IPMI
UPS
ConsoleServer
Web managed PDU
Switches
VMware vSphere
Thinclients

Instances installed on a box or with an OS will be easier (Horizon, Synology, Plex, Ubiquiti Console, ESX)

Also happy to gather links to guides/ideas that might give a start

VCSA: vCenter (VCSA) and using Let's Encrypt for SSL Certificates
Switches (Netgear): TFTP-based option in the GUI, likely triggerable via SSH
IPMI - maybe via Redfish API
/redfish/v1/UpdateService/SSL (View current SSL certification information)
/redfish/v1/UpdateService/SSL/Actions/SSL.Upload (Upload new SSL certification file)
Edit: Redfish needs an OOB license, as does SUM, which would be the alternative according to SM support

Any ideas on how to automate deployment to the various boxes?
Anything that is accessible via console might be possible to script by SSH-ing in and replacing the files, I guess...



Edit: Ah, not so easy; the web-based challenge actually tries to access all of the hosts, which are of course internal hostnames and not really web-accessible ones
Edit2: OK, fixed that with a wildcard forward to my web host. Still annoying that this needs to be done for each hostname... so one advantage for the wildcard certificate...
 

Rand__

Well-Known Member
Mar 6, 2014
Too lazy to import the CA into each client.
Also didn't expect that much patchwork was needed, to be honest; always thought the 'obtaining the cert' part was the most annoying, but it just might not be :p
 

_alex

Active Member
Jan 28, 2016
LE is fine as long as renewal can be automated and the hosts can be publicly accessible. With renewal every 3 months, a private CA and a longer lifetime for the certs is maybe less of a headache.

BTW, I could arrange a DNS that is scriptable/has a REST API for wildcards... and wildcards are available via the LE sandbox/testing env without restrictions.
 

Rand__

Well-Known Member
Mar 6, 2014
Well, that's why I was looking into automation options ;)

And that might be interesting, thanks :)
Will try automation with domain alternative name based certs for now, and if that works out then it might be a good option :)
 

EffrafaxOfWug

Radioactive Member
Feb 12, 2015
If importing a local CA into the client is the bit you're worried about, the good news is that it's a hell of a lot easier to automate that than it is to automate creating and importing LE certificates into all of the various bits of kit you've got. Importing into the Windows cert store is easily done with a GPO or certutil; on Debian you can just dump them into /usr/local/share/ca-certificates and run update-ca-certificates; importing into Firefox/Pale Moon is probably the hardest, as you need to use a third-party certutil from the NSS project, but it can still be reduced to a one-line command by pointing this at the dir the cert8.db file sits in:
Code:
# -A adds a cert, -t "CT,C,C" trusts it as a CA for SSL, email and object signing, -d is the NSS profile directory
certutil -A -n "my cert nickname" -t "CT,C,C" -i /path/to/CAcert.crt -d /path/to/users/profile/
Assuming you're happy with a 10-year lifespan for your CA, you'd only have to do this once for every cert store you manage (typically just the OS and maybe the browser will be all anyone needs to touch) and it's a fair doddle to do.

As long as you're not afraid of the command line, setting up your own CA with openssl costs nothing and shouldn't take any longer than 10 minutes. Minting a 5-year cert from your own CA shouldn't take any longer than 5 minutes either.
 

NashBrydges

Member
Apr 30, 2015
@Rand__ Why not set up a reverse proxy? Something like Nginx could handle all of your cert needs for however many domains you need. If the backend servers are all on your network, that makes it super simple. Nginx handles acquisition and renewal, and renewals are fully automated with a simple cron job.
 

Rand__

Well-Known Member
Mar 6, 2014
Not sure how that would work with an IPMI interface, for example? ;)
Obtaining the certs is one part and deploying to the target boxes the other (apparently trickier) one...

@EffrafaxOfWug Hm, yeah. It's likely way fewer clients than devices...

Still makes me wonder how that's supposed to work in large companies... proprietary tools for the masses and risk acceptance for the few, I suppose, if I look at the one where I am at the moment
 

NashBrydges

Member
Apr 30, 2015
That's the thing, you don't have to deploy to target boxes. Those are just webservers running behind the proxy.

I have Nginx running as a proxy on my network and have 15-20 different web-facing sites behind it. When someone requests access to my Nextcloud box via the assigned domain name, SSL is handled by Nginx and the backend server does not need the certs installed, because the proxy handles all of that. Because everything is on my network, the proxy handles SSL and backend communication remains standard HTTP. The browser determines its SSL status from the Nginx handshake and encrypts communication between the browser and Nginx.
 

Rand__

Well-Known Member
Mar 6, 2014
Ah, so you don't run HTTPS on the backend...
Ah, I guess I have to think about need and want and effort a bit ;)
 

NashBrydges

Member
Apr 30, 2015
Correct, no HTTPS needed on the backend since all of that is handled by the proxy. All renewals are completely automated.
 

EffrafaxOfWug

Radioactive Member
Feb 12, 2015
@EffrafaxOfWug Hm, yeah. It's likely way fewer clients than devices...

Still makes me wonder how that's supposed to work in large companies... proprietary tools for the masses and risk acceptance for the few, I suppose, if I look at the one where I am at the moment
I work in A Large Company (>25,000 users), the vast majority of which is catered for by using group policy to distribute the CA certs (we have about 8 or 9 CAs plus 10 or 12 sub-CAs), since 98% of our estate uses Windows GPO, 5% uses some custom scripting into the OS cert store (mostly our Linux kit) and 12% goes into app-specific cert stores by way of either custom scripting or manual imports (depending on the politics involved)... but even all that proprietary stuff can be dodged fairly easily. I use a Samba4 AD DC at home for my three Windows clients (all domain-joined), but seriously, the hard part is setting up a CA, and it's really not that hard at all. Once you've actually got the CA and the certs, it's basically just a matter of figuring out the one-time commands you'll need to communicate as such.

If nothing else, rolling your own CA will give you nerd creds as well as an indication of how easy, overpriced and overcomplicated most SSL services are ;)

Never saw the point, especially given the added complexity, of involving a third-party CA in the whole shebang. A reverse proxy would indeed work technically, but in that scenario you're still usually stuck with unencrypted traffic between the proxy and the destination server... (and if you're not, what's the point of the reverse proxy?) and IMHO that's still just as much work as creating your own CA.
 

_alex

Active Member
Jan 28, 2016
HAProxy can also do this, and you could run HTTPS/SSL on the backend and simply trust everything from HAProxy to the backends.
But still, I would just set up a private CA for lowest complexity.
 
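The reverse-proxy setup described in this thread, as an added illustration rather than NashBrydges's or _alex's actual configuration: nginx terminates the public (Let's Encrypt) certificate for the browser, and the backend hop is shown both ways, plain HTTP as NashBrydges runs it, and re-encrypted with nginx verifying the backend's private-CA certificate, which addresses the "trust everything from the proxy to the backends" concern. The hostnames, IP address, file paths and the CA file are assumptions.

```nginx
# Added example; not configuration from the original posts. Names and paths are placeholders.
server {
    listen 443 ssl;
    server_name nextcloud.example.com;

    # Public-CA (Let's Encrypt) certificate for the name the browser connects to.
    # The ACME client renews these files on its own schedule; nginx only needs a reload.
    ssl_certificate     /etc/letsencrypt/live/nextcloud.example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/nextcloud.example.com/privkey.pem;
    ssl_protocols TLSv1.2 TLSv1.3;

    location / {
        # Variant 1 (as in the thread): plain HTTP to the backend. Simplest, but the
        # proxy-to-backend hop is neither encrypted nor authenticated.
        # proxy_pass http://10.0.0.20:8080;

        # Variant 2: the backend presents a certificate issued by the private CA and
        # nginx refuses the connection unless that certificate validates for the name.
        proxy_pass https://nextcloud.homedomain.local;
        proxy_ssl_verify              on;
        proxy_ssl_verify_depth        2;
        proxy_ssl_trusted_certificate /etc/nginx/private-ca.crt;
        proxy_ssl_name                nextcloud.homedomain.local;
        proxy_ssl_server_name         on;
        proxy_ssl_protocols           TLSv1.2 TLSv1.3;

        proxy_set_header Host              $host;
        proxy_set_header X-Forwarded-Proto https;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
    }
}
```

Without `proxy_ssl_verify on` nginx will happily speak TLS to any backend certificate, which is the "simply trust everything" case; with it, the backend still needs a certificate from the private CA, so the deployment problem from earlier in the thread does not go away, it just moves to one cert per backend service instead of one per browser-facing name.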

Rand__

Well-Known Member
Mar 6, 2014
It ails me that something like this, which should be basic functionality, is still so complicated (the deployment part) :/
I mean, everything I am trying to use is for business and not home use, and still it's manual effort.

Ah well. Enough complaining. Looks like the local CA and one time deployment is the way to go.
 

laserpaddy

Active Member
Jul 17, 2017
When big companies realize that 99% of all systems are home users who have thousands of dollars to protect, this will be resolved.
Every home network is a domain, but there isn't a good, straightforward solution. I have thought of doing a Kickstarter to solve this, but I am out of my depth on that, as I was a project manager and my engineering is in laser optical systems, so all of my networking experience is self-taught... but there's a real market out there and a real need, but no one wants to create and market a solution that's cost-effective.
I often thought that there is a way to piecemeal it all together, but as this post shows there isn't... but what I do see and know for a fact is that WE could put a solution together with all of the awesome people on this site...
For fun I checked out a Microsoft business solution for my home domain and it was 15k in licenses etc...
 

EffrafaxOfWug

Radioactive Member
Feb 12, 2015
I often thought that there is a way to piecemeal it all together, but as this post shows there isn't...
It's waaaay less hard than you think. Distros like pfSense already provide this functionality out of the box, or it's a doddle to do yourself.

A default install of openssl should include an openssl.cnf which you can copy off somewhere and configure for your own CA (by default it's called demoCA). Just plonk the customised file in a dir somewhere and run some commands resembling the following and you've got yourself a home CA:
Code:
# Generate the CA key and a self-signed CA certificate valid for 10 years; -extensions v3_ca marks it as a CA
openssl req -config mycustomCA.openssl.cnf -new -x509 -extensions v3_ca -keyout private/mycustomCA.key -out certs/mycustomCACA.crt -days 3650
Once you've got the CSRs from your client devices you can mint like so:
Code:
# Sign a device CSR with the CA for 2 years; policy_anything relaxes the DN-matching rules of the default policy
openssl ca -config mycustomCA.openssl.cnf -policy policy_anything -days 730 -out certs/somehost.homedomain.local.crt -infiles requests/somehost.homedomain.local.csr
 
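The home-CA recipe above, worked through end to end as an added example (these are not EffrafaxOfWug's commands). It uses `openssl req` and `openssl x509 -req` with small generated config files instead of the demoCA-style `openssl ca` database, which avoids the index/serial bookkeeping for a handful of devices. Two points the two-line recipe leaves implicit are made explicit here: the CA certificate carries `basicConstraints=CA:TRUE` with `pathlen:0` and a key usage restricted to signing, and the device certificate gets its extensions, including the `subjectAltName` that browsers actually match on, from a file the CA controls rather than from whatever the device put in its CSR. The names `homedomain.local`, `somehost` and "Home Lab Root CA" are placeholders.

```shell
#!/bin/sh
# Added example of a minimal private CA for a lab domain; not code from the thread.
# Placeholder names: homedomain.local, somehost, "Home Lab Root CA". Needs OpenSSL 1.1.1+.
set -eu

# Create the CA in directory $1: key under private/, self-signed root under certs/.
# CA:TRUE makes it a CA, pathlen:0 stops it from issuing sub-CAs, and keyUsage
# limits the key to signing certificates and CRLs.
make_ca() {
  dir=$1
  mkdir -p "$dir/private" "$dir/certs"
  chmod 700 "$dir/private"
  cat > "$dir/ca.cnf" <<'EOF'
[req]
prompt = no
distinguished_name = dn
x509_extensions = ca_ext
[dn]
CN = Home Lab Root CA
[ca_ext]
basicConstraints = critical,CA:TRUE,pathlen:0
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF
  openssl req -config "$dir/ca.cnf" -x509 -newkey rsa:3072 -nodes -sha256 -days 3650 \
    -keyout "$dir/private/ca.key" -out "$dir/certs/ca.crt" 2>/dev/null
}

# Issue a two-year server certificate for hostname $2 from the CA in $1.
# The device-side CSR asks for a SAN, but the CA signs with its own extension
# file, so a CSR asking for CA:TRUE or a different name would get nowhere.
issue_host_cert() {
  dir=$1; fqdn=$2
  cat > "$dir/$fqdn.cnf" <<EOF
[req]
prompt = no
distinguished_name = dn
req_extensions = san
[dn]
CN = $fqdn
[san]
subjectAltName = DNS:$fqdn
EOF
  openssl req -config "$dir/$fqdn.cnf" -new -newkey rsa:2048 -nodes -sha256 \
    -keyout "$dir/private/$fqdn.key" -out "$dir/$fqdn.csr" 2>/dev/null
  cat > "$dir/$fqdn.ext" <<EOF
basicConstraints = critical,CA:FALSE
keyUsage = critical,digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
subjectAltName = DNS:$fqdn
EOF
  openssl x509 -req -sha256 -days 730 -in "$dir/$fqdn.csr" \
    -CA "$dir/certs/ca.crt" -CAkey "$dir/private/ca.key" -CAcreateserial \
    -extfile "$dir/$fqdn.ext" -out "$dir/certs/$fqdn.crt" 2>/dev/null
}

# Exit 0 only if certificate $2 (under $1/certs) chains to the CA AND is valid
# for hostname $3, i.e. the same two checks a browser performs.
verify_host_cert() {
  openssl verify -CAfile "$1/certs/ca.crt" -verify_hostname "$3" "$1/certs/$2.crt" >/dev/null 2>&1
}

# Print the basicConstraints value of certificate file $1, e.g. "CA:TRUE,pathlen:0".
basic_constraints() {
  openssl x509 -in "$1" -noout -ext basicConstraints | tail -n 1 | tr -d ' '
}

# Demo run: ./ca.sh demo
if [ "${1:-}" = "demo" ]; then
  work=$(mktemp -d)
  make_ca "$work"
  issue_host_cert "$work" somehost.homedomain.local
  verify_host_cert "$work" somehost.homedomain.local somehost.homedomain.local && echo "chain and hostname OK"
  echo "CA cert: $(basic_constraints "$work/certs/ca.crt")"
  echo "files in $work"
fi
```

The files you then distribute are `certs/ca.crt` (to every client trust store, once) and the per-device `certs/<host>.crt` plus `private/<host>.key` (to the device). In practice the device generates its own key and CSR and you only transport the CSR in and the certificate out, so the private key never leaves the IPMI, switch or PDU; the script generates the device key locally only to keep the example self-contained.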

laserpaddy

Active Member
Jul 17, 2017
Thanks for the reply to my ramblings...

I am setting up a Proxmox system and I seem to be getting the hang of it, i.e. sorting out all of the solutions, and will be starting a new thread with some questions...

Why don't I see more Proxmox posts? Or a separate forum, as it appears to be a sweet solution for home setups etc...