Handling self-signed certs in LAN

John Doe (Guru, joined Aug 16, 2011, 635 messages)
hi folks,

Since TrueNAS is offering more and more services and browsers' security gets more and more advanced, I wanted to ask about a proper way to handle certificates.

So basically my need is to have HTTPS active within my LAN.
Of course I can create a certificate on each service and register the CA on each device, which is quite annoying.

Therefore I wanted to ask if any better solution is used.

Something like Let's Encrypt but only for LAN usage. You just register the CA once and all certificates will be handled by that single instance.

danb35 (Hall of Famer, joined Aug 16, 2011, 15,457 messages)
The obvious solution would seem to just be to use Let's Encrypt. See:

rvassar (Guru, joined May 2, 2018, 971 messages)
The obvious solution would seem to just be to use Let's Encrypt. See:

I think the problem is services on other hosts. Using Let's Encrypt gets problematic for hosts that can't pass any of the ACME challenge types.

One suggestion:


danb35
Using Let's Encrypt gets problematic for hosts that can't pass any of the ACME challenge types.
With DNS validation, just about any host can pass validation. But that project looks pretty slick.

rvassar
With DNS validation, just about any host can pass validation.

That's probably mostly true, provided you have control of a domain. I haven't followed the DNS stuff that closely; I roll my own DNS for specific purposes, and most of the how-to's involve adhering to some provider's API. I should probably revisit it.

danb35
most of the how-to's involve adhering to some provider's API.
True, but any RFC2136-compliant DNS host should also work.

Dan Tudora (Patron, joined Jul 6, 2017, 276 messages)
Hello.
If you don't have a pfSense firewall installed, you can have one in a VM,
and build your skill with that package/documentation/forum guide to solve problems (it can generate certificates for a list from a text file).
You can do Let's Encrypt certs for all machines/computers in your LAN.
Just read the docs/how-to and be patient to understand the process.
Success.

danb35
One suggestion:
So after my bit about using Let's Encrypt, I took a closer look at that project--it seems pretty neat. I like that for around US$100, you get your own CA, complete with a hardware RNG and an HSM-lite to store the private keys. Of course, you need to install the CA root cert on any device you want to trust that CA, but that isn't a big problem. And any ACME client can get a cert from it, so it integrates pretty well with anything that was using Let's Encrypt previously. So I put it together, and I've been moving some of my LAN resources to get certs from it rather than from LE. Working great.

Still not sure how to work with hosts (like FreeNAS) that have their own software listening on port 80, but no doubt that can be solved as well.

I'm also intrigued by their writeup on SSH certificates, which has me playing with SSO/IAM solutions for my home LAN. Probably a bit excessive, but that characterizes a lot of what I do on my home network.
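The "register the root once, then issue a cert per host" model discussed in this thread, as an added example that is not code from the thread or from the CA project danb35 mentions: a minimal private CA built with plain openssl, issuing a leaf cert with a SAN and then running the chain check a client does. The host name nas.lan, the CA name and the scratch directory are constructed placeholders.

```shell
#!/bin/sh
# Minimal private CA for a LAN, as an added example: one self-signed root you
# install once on each device, plus per-host leaf certs carrying a SAN.
# The host name nas.lan and the scratch directory are constructed placeholders.
set -eu

WORK="${WORK:-$(mktemp -d)}"      # where keys and certs are written
CA_SUBJ="/CN=Home LAN Root CA"    # placeholder CA name

make_root_ca() {
    # Root key + self-signed cert marked CA:TRUE, usable only to sign certs and CRLs.
    openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "$CA_SUBJ" \
        -keyout "$WORK/ca.key" -out "$WORK/ca.csr" 2>/dev/null
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' \
        > "$WORK/ca.ext"
    openssl x509 -req -in "$WORK/ca.csr" -signkey "$WORK/ca.key" -days 3650 -sha256 \
        -extfile "$WORK/ca.ext" -out "$WORK/ca.crt" 2>/dev/null
}

issue_leaf() {
    # $1 = host name. Browsers match the SAN, not the CN; CA:FALSE keeps a stolen
    # leaf key from being used to mint further certificates.
    host="$1"
    openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=$host" \
        -keyout "$WORK/$host.key" -out "$WORK/$host.csr" 2>/dev/null
    printf 'subjectAltName=DNS:%s\nbasicConstraints=critical,CA:FALSE\nextendedKeyUsage=serverAuth\n' \
        "$host" > "$WORK/$host.ext"
    # Keep leaf lifetimes short; some clients reject server certs valid for years.
    openssl x509 -req -in "$WORK/$host.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
        -CAcreateserial -days 398 -sha256 -extfile "$WORK/$host.ext" \
        -out "$WORK/$host.crt" 2>/dev/null
}

verify_leaf() {
    # The chain check a client performs once the root is in its trust store.
    openssl verify -CAfile "$WORK/ca.crt" "$WORK/$1.crt" >/dev/null 2>&1
}

verify_without_root() {
    # Same check against the system trust store only: fails until the root is installed.
    openssl verify "$WORK/$1.crt" >/dev/null 2>&1
}
leaf_has_san() {
    openssl x509 -in "$WORK/$1.crt" -noout -text | grep -q "DNS:$1"
}

make_root_ca
issue_leaf nas.lan
verify_leaf nas.lan && echo "nas.lan chains to the private root in $WORK/ca.crt"
verify_without_root nas.lan || echo "untrusted by the system store until that root is installed"
```

Only ca.crt is distributed to devices; ca.key stays on the signing host, which is the part a hardware-backed CA keeps out of reach.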