Exporting Public & Private keys from ACME Certificates

Hello, I have been able to install HAProxy on pfSense and use ACME to create keys and successfully create certificates in both staging and production in association with my domain, which is hosted by Cloudflare, using a wildcard for my domain.

What I’m having trouble accomplishing, now that I have HAProxy set up with the appropriate certificates, is that I’m lost as to how to get the certificates imported into my devices such as my NAS, printer, our servers and such so that I can use them. All the devices have just the default SSL certificates that come with them, which don’t give me any type of local encryption on my internal network.

Pictures provided of my printer and NAS asking for certificate information to be imported.

If this is the correct way to get this working, please let me know; any direction would be very helpful. Thank you so much.

My domain is: myvmlab.net

I ran this command: ACME in pfSense 2.7.2

It produced this output: Success

My web server is (include version): QNAP NAS & all my different devices needing certificates

The operating system my web server runs on is (include version): Certificate created on pfSense w/ ACME

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): pfSense 2.7.2

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): pfSense 2.7.7 ACME


Hi @mrvmlab,

This may be very challenging to automate if the other devices only have a web interface, because you might have to write custom scripts that upload new certificates and keys through each web interface. (Bear in mind that Let's Encrypt certificates are only valid for 90 days and are normally replaced every 60 days.)

The best case would be if some or all of these devices had documented APIs to remotely import new certificates and keys, which could then be invoked by a script.

Here's some information that looks very relevant to you:

The thing is that in this case the destination device for deploying copies of the certificate data is (assumed to be) scriptable over SSH. This is likely not the case for things like a printer, so you'd have to find an alternative for that.

Almost all of these web interfaces assume a manual workflow (in which a human being periodically manually replaces the certificate), which may have been common when paid certificates could last for years at a time. This might not mesh very well with Let's Encrypt's approach which recommends and usually assumes that you can (somehow) make an automated deployment workflow.

We can try to help you figure out the pfSense side, but I'd say you'll have to find some way to make each intended target device (in some sense) scriptable or programmatically updatable/configurable in order for this to work the way you want!


A different question to ponder is: which devices are meant to consume these certificates in order to directly make encrypted connections to all of your devices? If it's a single device that consumes them, or a few devices that are all under your control, you might not have a need to use a publicly-trusted certificate for this purpose. In that case, you could probably use an internal CA (explicitly trusted by your own devices but not by the general public) to issue yourself very long-lived certificates for encryption on your internal network, and reserve the Let's Encrypt certificates for directly public-facing services (if any).

I don't know enough about your use case and deployment model to know offhand whether this is potentially relevant to you.

(Let's Encrypt certificates are not "more secure" than certificates you make yourself, in any mathematical or technical sense; they're just publicly trusted because Let's Encrypt promises to follow various careful procedures to confirm that the content of every certificate is correct, and so can be trusted by unrelated parties. Certificates you make yourself wouldn't be publicly-trusted this way because the general public doesn't currently have enough reason to assume that everything you ever say in a certificate was carefully confirmed to be right. But if you trust yourself to issue certificates that you think are correct, for your own services, then you can have devices that you control accept such certificates, with absolutely no reduction in security.)


Thank you so very much; that explains to me why I was having so much trouble.

You hit the nail on the head. These devices are on my network and are not public facing, so I can use a certificate that I create, because I do trust myself, as I’m the only one using my network. Do you have any suggestions on how I go about doing that simply and easily, and then using those certificates with the proxy on pfSense? I know pfSense has certificate management capabilities and I can create a root and intermediate certificate, but I still have some learning to do about the public and private key parts: where they are generated and where they belong when I create certificates for the devices, sign the CSR or import a certificate.

The information you provided was incredibly helpful, nailed it on the head and gave me a lot of background. I can’t thank you enough; thank you for taking the time to respond.

Thank you,
Mrvm

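The internal-CA approach recommended in the reply above, and the root/intermediate/CSR workflow asked about in the last post, worked through as an added example (not code from this thread, from pfSense or from any device vendor): a root CA signs an intermediate, the intermediate signs a certificate for one device, the device receives its private key plus the full chain, and clients receive only the root. The hostname nas.myvmlab.net, the LAN address and the PKCS#12 password are assumptions; the script needs only the openssl CLI.

```shell
# Added example (not from this thread): a two-tier internal CA built with the openssl CLI,
# issuing one server certificate for a LAN device. Names, address and password are assumptions.
set -eu
DEVICE_NAME="nas.myvmlab.net"   # constructed: the device's hostname on the internal network
DEVICE_IP="192.168.1.10"        # constructed: its LAN address, so browsing by IP also matches
P12_PASS="changeit"             # constructed: appliances usually ask for a PKCS#12 password

# issue NAME SUBJECT CA_CERT CA_KEY DAYS EXTFILE
# Generates a fresh EC private key and CSR for NAME, then has the given CA sign the CSR.
# The private key (NAME.key) is the secret half; the certificate (NAME.crt) is the public half.
issue() {
    openssl req -new -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
        -keyout "$1.key" -out "$1.csr" -subj "$2" 2>/dev/null
    openssl x509 -req -in "$1.csr" -CA "$3" -CAkey "$4" -CAcreateserial \
        -days "$5" -extfile "$6" -out "$1.crt" 2>/dev/null
}

# build_internal_pki DIR: root CA -> intermediate CA -> device certificate, all written under DIR.
build_internal_pki() (
    mkdir -p "$1" && cd "$1"
    # Root: self-signed, long-lived, used only to sign the intermediate. Keep root.key offline.
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\nsubjectKeyIdentifier=hash\n' > root.ext
    openssl req -new -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
        -keyout root.key -out root.csr -subj "/CN=myvmlab internal root CA" 2>/dev/null
    openssl x509 -req -in root.csr -signkey root.key -days 3650 -extfile root.ext -out root.crt 2>/dev/null
    # Intermediate: pathlen:0 means it may sign end-entity certificates but no further CAs.
    printf 'basicConstraints=critical,CA:TRUE,pathlen:0\nkeyUsage=critical,keyCertSign,cRLSign\nsubjectKeyIdentifier=hash\nauthorityKeyIdentifier=keyid,issuer\n' > int.ext
    issue int "/CN=myvmlab internal issuing CA" root.crt root.key 1825 int.ext
    # Device certificate: CA:FALSE, serverAuth, and SANs (modern clients ignore the CN when matching names).
    printf 'basicConstraints=critical,CA:FALSE\nkeyUsage=critical,digitalSignature\nextendedKeyUsage=serverAuth\nsubjectKeyIdentifier=hash\nauthorityKeyIdentifier=keyid,issuer\nsubjectAltName=DNS:%s,IP:%s\n' \
        "$DEVICE_NAME" "$DEVICE_IP" > nas.ext
    issue nas "/CN=$DEVICE_NAME" int.crt int.key 825 nas.ext
    # What goes where: nas.key + nas-fullchain.crt (or nas.p12) to the device; root.crt to every client's trust store.
    cat nas.crt int.crt > nas-fullchain.crt
    openssl pkcs12 -export -inkey nas.key -in nas.crt -certfile int.crt \
        -passout "pass:$P12_PASS" -out nas.p12
)

# verify_device_cert DIR: succeeds only if the full chain validates to the root AND the leaf alone
# does NOT validate without the intermediate (the usual cause of "not trusted" after importing just the leaf).
verify_device_cert() (
    cd "$1"
    openssl verify -CAfile root.crt -untrusted int.crt nas.crt >/dev/null 2>&1 || return 1
    if openssl verify -CAfile root.crt nas.crt >/dev/null 2>&1; then return 1; fi
    openssl x509 -in nas.crt -noout -text | grep -q "DNS:$DEVICE_NAME"
)

OUT="${1:-$(mktemp -d)}"
build_internal_pki "$OUT" && verify_device_cert "$OUT" && echo "internal PKI ready in $OUT"
```

Import root.crt into the trust store of each client that will browse the devices; a device that accepts only a single file usually wants nas.p12, otherwise upload nas.key together with nas-fullchain.crt.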