I have used LetsEncrypt Win Simple to create certificate for my IIS and Exchange servers but now I want to create certificates for thing like my router, my ESXi servers, BlackBerry UEM, Etc. Win SImple just doesn’t work for things like that. How do I go about creating certificates of those items.
Do these servers have publicly resolveable addresses? If they use an internal naming scheme, you can’t obtain public CA certificates for them. You would need to create your own internal CA and install this CA’s root certificate on your local machines.
If these servers use publicly resolveable addresses, but are not accessible over the internet (or you can’t serve up specific files/access a shell/etc.) you will need to use another computer or a service like ZeroSSL to generate certificates using DNS challenges, and load these onto the servers in question manually, more frequently than the expiry period of every 90 days.
If it were me, and I was using publicly accessible names (and didn’t want to set up an internal CA for some reason), I’d set up a public-facing simple nginx server or something to serve challenge responses and automatically renew certificates. Installing new certificates will depend on the specific server in question.
you can obtain certificates for non public facing servers using three methods methods
These servers need to be FQDN that are allowed by a CA.
i.e.
blackberry.firecube.xyz - good
blackberry.firecube.local - bad
blackberry.local - bad
A) DNS Challenge
B) Load Balancer/Web Server to Rewrite
C) Use of CNAME records
@GibbyOH -
can you also explain exactly (more than one sentence) what you mean by the statement below
Don't assume that the conclusion you have reached is correct and explain how you reached that conclusion so people can give you options or correct you if you missed something
thing like my router, my ESXi servers, BlackBerry UEM, Etc. Win SImple just doesn't work
Andrei
Only if you ignore the first part of my sentence that you (mis)quoted ...
If they use an internal naming scheme, you can't obtain public CA certificates for them.
As for your other question, I believe I can answer that for you in one sentence. =] It is highly unlikely that Win Simple, which runs on Windows, will work on routers, ESXI servers, etc., which do not run on Windows.
hi @jared.m
apologies i did misquote so will edit that out
as for the second bit you can dump the certificate to a file system and then call other powershell scripts to install them on to routers etc hence the question about how the conclusion was reached
It is right that it’s not natively supported by letsencrypt-win-simple but they do have a scripting interface (or the underlying ACMESharp module does) to do this sort of work
Andrei
Using UEM as an example it has two urls. win2012uem.ad.domain.com and uem.domain.com. UEM uses Apache Tomcat for its web server and runs on Windows. I installed Win Simple on the server that has UEM installed. However it could not find the domains, which I expected. I tried to use option S but I keep getting an error because IIS is not installed on the server.
Currently I use a Cisco Small Business router and I use a Internal CA certificate for it but I plan on deploying the VPN service built into it meaning it will be publishing services externally. For end users that wouldn’t be an issue because their work machines would already trust our Internal CA root but partners and customers who will also be using the VPN service will not.
With ESXi I could probably do it but their are risk that I not comfortable with. So I would like to create the certs in a way that would let me dump the public and private key into a p12 and then uploading them to ESXi.
Edit:
I understand that Win SImple will not run on ESXi Server, but there are other option that could be configured to run on ESXi Servers.
hi @GibbyOH
Have you reviewed the maual? https://github.com/Lone-Coder/letsencrypt-win-simple/wiki/How-to-Run
A) You can obtain certs without IIS by using the manual command
B) You need to differentiate between an authenticator(passes the challenges) and an installer
C) Have a look at the scripting interface which will do what you want https://github.com/Lone-Coder/letsencrypt-win-simple/wiki/Install-Script
You can also have a look at ACME-Sharp which is a powershell library and gives you a greater flexibility on scripting
Using ACME-Sharp Library: https://github.com/ebekker/ACMESharp/wiki/Quick-Start
Good Guide: https://marc.durdin.net/2017/02/lets-encrypt-on-windows-redux/2
FAQ (Cover Renewals): https://github.com/ebekker/ACMESharp/wiki/FAQ
Overall what you are describing is not unfeasible but does require a bit of scripting
Andrei
Ahaw021,
Can you explain this a little more. Not quite sure what it is you are getting at here. I unfortunately been traveling quite a bit recently so I have not had a chance to sit down and really review the docs. I am still working on getting a better understanding of how Let's Encrypt processes work. I am use to working with services like Comodo, StartSSL, and Symantec for certificates as well as having a internal CA too. I tried ZeroSSL but for some reason couldn't get the DNS authorization to work for me. If I can get Let's Encrypt automated a little better able to create certificates which are dumped into a p12 file that I maybe in a better place.
Thanks
hi @GibbyOH
It’s help yourself really from this point.
Unfortunately I have a full plate and can’t provide deep level introductions/instructions on how to do what you require
Happy to answer any questions you have that are not fundamentals
Andrei
Not a Windows person, but the central idea with authenticator versus installer is that there’s two quite separate elements to this process.
The “authenticator” is about proving that you really control the names you’re requesting certificates for. With traditional CAs this was often a fairly manual process for smaller organisations. For example receiving an email and then filling out a CAPCHA. With Let’s Encrypt it would usually involve arranging to serve custom files from a web server or answering custom DNS requests, and thus a machine can do it.
The “installer” is in charge of making use of the certificate once it has been issued to you, often by installing it into a service. This too would be good to arrange to do automatically.
1 Like
This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.