So is it possible to generate certs from Let's Encrypt for things that aren't just plain websites?
I need certificates for Fortigate Firewalls and a Ruckus virtualSmartZone and can find nothing about how one would do this... any documentation?
Yes, it is possible. You will need to be able to prove control over the DNS name (or names) for which you want a certificate. This is a bit easier for web sites because some of the acceptable methods involve ports 80 and 443, and a traditional web server uses those ports anyway.
If the names you need certificates for could answer requests on port 80 and/or port 443 but currently don't, you may be able to leverage popular tools aimed at web sites anyway to get certificates. If that's out of the question, you can prove control over the names via DNS entries.
The bias in favour of web sites isn't caused by Let's Encrypt; they're obliged to obey the CA/B Forum Baseline Requirements for trusted CAs, and those requirements explicitly call out things like ports 80 and 443.
Fortigate report that their new FortiOS 7.0.0 can arrange this for you out of the box:
https://docs.fortinet.com/document/fortigate/7.0.0/new-features/822087/acme-certificate-support
If you don't see the "System / Certificates" menu choice:
First choose: "System / Feature Visibility"
And turn on: "Certificates" [under Additional Features column]
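The "prove control via DNS entries" route mentioned above is the ACME DNS-01 challenge (RFC 8555 section 8.4), which is the one a firewall or wireless controller without a reachable port 80/443 would normally use. The following is an added illustration, not code from the thread or from any vendor: it computes the TXT record a client must publish at _acme-challenge.<name>, using a constructed sample token and account key.

```python
"""ACME DNS-01: derive the TXT record that proves control of a DNS name.

The CA sends a per-challenge token; the client must publish
base64url(SHA-256(token "." thumbprint(account key))) as a TXT record
at _acme-challenge.<name>. The token and JWK below are constructed
sample values, not real Let's Encrypt material."""
import base64
import hashlib
import json


def b64url(data: bytes) -> str:
    """Base64url without padding, as ACME and JOSE require."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 over the canonical JSON of only the
    required public members, keys sorted lexicographically, no whitespace.
    Optional members such as "alg" or "use" must not affect the result."""
    required = {"EC": ("crv", "kty", "x", "y"), "RSA": ("e", "kty", "n")}
    subset = {k: jwk[k] for k in required[jwk["kty"]]}
    canonical = json.dumps(subset, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("ascii")).digest())


def key_authorization(token: str, jwk: dict) -> str:
    """token.thumbprint, the value HTTP-01 would serve verbatim."""
    return f"{token}.{jwk_thumbprint(jwk)}"


def dns01_record(name: str, token: str, jwk: dict) -> tuple:
    """(owner name, TXT value) to publish; DNS-01 hashes the key
    authorization again so the raw value never appears in DNS."""
    digest = hashlib.sha256(key_authorization(token, jwk).encode("ascii")).digest()
    return f"_acme-challenge.{name}", b64url(digest)


def validator_accepts(published: list, name: str, token: str, jwk: dict) -> bool:
    """What the CA side checks: any TXT at the owner name equals the expected value."""
    owner, expected = dns01_record(name, token, jwk)
    return any(o == owner and v == expected for o, v in published)


# Constructed sample values (P-256 public key coordinates are arbitrary base64url).
SAMPLE_TOKEN = "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA"
SAMPLE_JWK = {"kty": "EC", "crv": "P-256",
              "x": "f83OJ3D2xF1Bg8vub9tLe1gHMzV76e8Tus9uPHvRVEU",
              "y": "x_FEzRu9m36HLN_tue659LNpXW6pCyStikYjKIWI5a0"}

if __name__ == "__main__":
    print(dns01_record("fw1.example.net", SAMPLE_TOKEN, SAMPLE_JWK))
```

The token is single-use and the TXT value changes with every challenge, so the record is published, validated, then removed; automating that against your DNS provider's API is the part each device or ACME client has to solve.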
Alright so I'll be trying the Fortigate tomorrow in the lab.
Thanks!
Anyone with ideas for a Ruckus SmartZone controller?
Hmm, after examining today this doesn't look like what I need. This is for Fortigates with a WAN-facing FQDN such as a public website. Our sites do not have this. Our sites are campuses where users are seeing certificate errors (as expected) when accessing OUTbound to internet. I need to get rid of the certificate errors for users inside the campus.
HTTPS inspection?
Sounds like HTTPS inspection indeed, which is a form of MitM attack, which is just the thing TLS is trying to prevent.
Let's Encrypt is happy to give you certificates for names you control, regardless of whether these names represent a public website or any public service whatsoever.
However you can't have certificates for names that you don't control, whether that's names other people control or names which are specifically not available for anybody to control. Wouldn't be much point in having a Certificate Authority whose Certificates aren't Authoritative about anything, would it?
I think what you're trying to achieve here is to impersonate services with names you do control, but from another device as part of some "security" capability. If those services have names in the Internet's DNS hierarchy, even if the services are not accessible to the outside world, it would technically be possible to get certificates for those names from Let's Encrypt. You should ensure you have permission from whoever operates those servers before attempting this, and it may be a lot of bother to arrange it; I can't be at all sure Fortigate is even set up to permit such an arrangement, but that's not a fault with Let's Encrypt.
However if you're trying to impersonate services whose names you don't actually control, that can't work. For example Let's Encrypt won't help you impersonate Google, or Wells Fargo, or indeed my vanity site.
For general "interception" type arrangements, what is usual is that you need to arrange for all your users to accept that you get to snoop or modify everything they do online by trusting a private root CA under your control. FortiGate calls this "Fortinet_CA_SSL" by the looks of things. For employees it may be practical to simply make this a condition of employment, and provide them with laptops etc. that are pre-configured to trust you instead of, or as well as, the Web PKI of which Let's Encrypt is part. You say "campus" which could mean students, who are less likely to accept such snooping as a condition of network access. In either case this isn't something Let's Encrypt can or wants to help you achieve.
I can't agree more.
An LE cert can't even be used to authorize HTTPS inspection.
Which circles back to my first (and only) question: