Certificate for Network Security Devices/Firewalls

Hello All,

I did search through the entire forum and found one post that was kind of applicable, not not entirely. I’ll give you all the TLDR:

-I own a domain through Google Domains;
-I have an A-Record on the Google Domains dashboard that redirects a subdomain to my firewall’s outside IP address;
-I have servers that live behind the firewall that should be able to run the ACME application (might need assistance with how to do this on either a windows or Debian linux box).

Given that my perimeter firewall is not a server that can run the ACME app, is it possible to run it on a server behind it and feed the CSR (certificate signing request) I generate on the firewall using a subdomain of the google domain I own via the server instead of the firewall itself? If not, are there other options available, since the firewall itself cannot upload the CSR to LetsEncrypt?

Question 2: How do I verify I own the domain if it has been purchased with something like Google Domains or GoDaddy?

Thanks for any help in advance!

hi @marugby123

A) Yes you can use your own CSRs with Certbot (the official clients). Other clients support user created CSRs as well.

You can review the range of clients here: https://letsencrypt.org/docs/client-options/

Most use cases don’t run the app on the firewall for various reasons.

There are 3 ways of verifying a domain

HTTP Challenge - upload a file to the root of your webserver
TLS Challenge - create a SSL Binding with a Self Signed Certificate
DNS Challenge - Create a TXT record in your DNS server


Is it some actual appliance? For example, this is how Cisco ASA can be set up with LE cert using ZeroSSL: https://ip-life.net/cisco-asa-install-ssl-cert/

The device this would be installed on is a Fortigate. It does not offer the ability to use ACME (only SCEP). Looking into this further, I do not believe without a lot of struggle that this will be possible with LE.

If you can allow a web server behind the firewall to listen on port 80, you can use the HTTP-01 challenge (e.g. --webroot in Certbot). Then you can copy the certificate and private key onto the firewall. It might be annoying to have to repeat this every 90 days, though.

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.