Getting/Using/Managing SSL certificates for internal network

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: luminous,ops

I ran this command: n/a

It produced this output: n/a

My web server is (include version): n/a

The operating system my web server runs on is (include version): n/a

My hosting provider, if applicable, is: n/a

I can login to a root shell on my machine: no

I’m using a control panel to manage my site: no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): n/a

Most of these I responded n/a to, as I'm just getting started and seek guidance getting on the right path.

Currently, my internal network consists of 36 devices, connected either by gigabit Ethernet and/or 2.4 GHz Wi-Fi…

Of these devices, I use web interfaces to manage 8 devices. This is my primary concern. From the web searches, tutorials and readings I've done to date, my understanding is I need to generate a wildcard domain certificate for the domain, then an individual device certificate for each connection. My experimentation thus far with OpenSSL has not as yet produced any favorable results. The SSL information provided by one of the device manufacturers hinged upon using one of their cloud solutions, which I was very much not inclined to resort to.

Long story short, I want to encrypt my interactions with those 8 devices, and likely more in the future. How should I proceed?

Thanks in advance.

1 Like

If it’s a question of managing devices in a secure way in an internal environment, maybe a private PKI is your best choice.

I did something similar not so long ago to set up mutual TLS between a number of devices on a local network.

I found https://smallstep.com/docs/cli/certificate/create/ to be helpful. The tool allowed me to create a root certificate, which in turn signed leaf certificates for each device on the network. They have plenty of example commands on that page to do what you need.

Of course, the certificates won’t be trusted unless you manually trust the root you create in your browser. That’s the downside.

The upsides: you can give the certificates much longer lifetimes than what's possible with Let's Encrypt. No renewal troubles. No need to do any domain validation. A much friendlier interface than messing around with OpenSSL.

2 Likes

Hi @infernus,

Let’s Encrypt only issues publicly-trusted certificates, and those can only be issued to people who’ve registered public domain names in the global DNS. Your internal name can’t be used in Let’s Encrypt certificates.

Let’s Encrypt certificates can be used on machines that aren’t publicly accessible, but they still need to use names inside of a publicly registered domain, in order to avoid any confusion or ambiguity when devices move from one network to another.

As @_az mentions, you might be better off creating your own CA and then adding trust to it for your machines, with the result that you get non-publicly-trusted certificates (but they don’t have to be publicly trusted if nobody outside of your network is consuming them). If you want to continue with Let’s Encrypt, you’ll need to register a domain name.

3 Likes

Thx guys;
@schoen that's sort of what I was thinking, but thank you for the confirmation.
@_az I am now reading through their info; it does seem to present a better option, thank you

1 Like

Assuming you have your own domain you can use any tool (such as certbot or even https://certifytheweb.com :wink: !) to generate a wildcard (or multiple SAN) cert for that domain (or a subdomain like *.home/domain.com), then just distribute that certificate amongst your devices (converting it, uploading it or copying it as required). Domains cost a few dollars per year depending on what the TLD is, and because they are in the public DNS you can use Let's Encrypt to acquire a trusted certificate.

Certify in particular lets you set up automated Deployment Tasks such as converting and copying the cert to other network devices over SFTP, UNC, etc., or running your own scripts to handle the certs. Different services require certs in different formats with different files (for instance some need a separate file for the leaf cert, intermediates, root, etc.), but you can do it all from one single source wildcard cert (or you can create individual certs for different services). Each service often then needs to know what it's supposed to be called so that the cert domain matches the service (e.g. mail.home.domain.com or plex.home.domain.com); then when you access the service the cert domain will match the request and the browser will trust it.

You can alternatively run your own home CA with something like smallstep (and use ACME clients to renew the certs), but you need to add the generated root CA cert to things to get it all to be trusted.
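The conversions the post above mentions (separate leaf and chain files, a single PKCS#12 bundle, DER for appliances that refuse PEM), plus a check that the name a service answers on actually matches the cert's SANs, as an added example that is not Certify's or certbot's own code. It assumes the certbot-style file names `fullchain.pem` and `privkey.pem` in a source directory; the host names are placeholders.

```shell
#!/bin/sh
# Constructed example: fan one wildcard cert out into the formats devices want.
set -e

# Split fullchain.pem into leaf.pem (first cert) and chain.pem (the rest):
# many devices want the leaf and the intermediates as separate uploads.
split_chain() {
  src=$1; out=$2
  awk -v out="$out" '
    /-----BEGIN CERTIFICATE-----/ { n++ }
    n == 1 { print > (out "/leaf.pem"); next }
    n > 1  { print > (out "/chain.pem") }
  ' "$src/fullchain.pem"
  [ -f "$out/chain.pem" ] || : > "$out/chain.pem"   # no intermediates: empty chain
}

# Cert + key + intermediates in one PKCS#12 file for devices that take a
# single upload. $3 is the bundle password the device will ask for.
export_pkcs12() {
  src=$1; out=$2; pass=$3
  openssl pkcs12 -export -in "$src/fullchain.pem" -inkey "$src/privkey.pem" \
    -name "wildcard" -out "$out/bundle.p12" -passout "pass:$pass"
}

# DER copy of the leaf only (openssl x509 reads the first PEM block).
export_der() {
  src=$1; out=$2
  openssl x509 -in "$src/fullchain.pem" -outform DER -out "$out/leaf.der"
}

# Exit 0 if host $2 is covered by the SANs in cert $1. A wildcard covers
# exactly one label: *.home.example matches plex.home.example but not
# home.example (unless listed separately) and not a.b.home.example.
name_matches() {
  openssl x509 -noout -in "$1" -checkhost "$2" | grep -q ' does match'
}
```

Run `name_matches leaf.pem <service host>` before pushing a cert to a device; a mismatch here is the same mismatch the browser will report.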
