Preset questions answered below.
Internally I have set up a chat application called Zulip server running on an Ubuntu VM which has no external access.
Currently its default is to use a self-signed certificate, which seems to cause complaints in my browsers even if I trust the certificate on the client machine.
Since Let's Encrypt requires external access for validation (I believe?), that doesn't seem like an option out of the box, and I'd rather not pay for a certificate for the internal hostname if possible.
Externally we have an AWS Windows server on which we've been using Let's Encrypt (through the very easy-to-use https://github.com/PKISharp/win-acme) for a while, and it's been working well. We can also add DNS entries if we wish.
I’m able to set up a certificate for zulip.quantics.co.uk using the AWS machine. Could I then use this certificate locally (assuming when in the LAN the hostname zulip.quantics.co.uk will resolve to the local IP)? And is this allowed, or would it break a TOS?
It looks like Nginx uses SSL certificates in the form of .crt and .key, and when I look at the keys I have available from existing LetsEncrypt certificates I see the following.
ca-foo.quantics.co.uk-crt.der
ca-foo.quantics.co.uk-crt.pem
foo.quantics.co.uk.history.json
foo.quantics.co.uk-all.pfx
foo.quantics.co.uk-chain.pem
foo.quantics.co.uk-crt.der
foo.quantics.co.uk-crt.pem
foo.quantics.co.uk-csr.pem
foo.quantics.co.uk-gen-csr.json
foo.quantics.co.uk-gen-key.json
foo.quantics.co.uk-key.pem
And as you can see in the answers below, trying to convert say the .pfx to a .crt asks for a password which I’m not aware of.
My domain is: quantics.co.uk
I ran this command: openssl.exe pkcs12 -in foo.quantics.co.uk-all.pfx -clcerts -nokeys -out foo.quantics.co.uk-all.crt
It produced this output: Enter Import Password:
My web server is (include version): IIS (externally) / Nginx (internally)
The operating system my web server runs on is (include version): Windows (externally) / Ubuntu (internally)
My hosting provider, if applicable, is: AWS
I can login to a root shell on my machine (yes or no, or I don’t know): Yes
I’m using a control panel to manage my site (no, or provide the name and version of the control panel): No
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): N/A
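Added example, not part of the original post and not win-acme's or Zulip's own code. It shows how to get from a password-protected .pfx bundle to the PEM certificate and key that nginx's ssl_certificate / ssl_certificate_key directives read, supplying the PFX password on the command line instead of at the "Enter Import Password:" prompt, and how to confirm that the extracted certificate and key actually belong together before pointing nginx at them. The PFX password itself is whatever the win-acme installation was configured with; since that is not known here, the script builds its own throwaway self-signed certificate and PFX (constructed test data) so that it runs offline. The hostname, file paths and nginx snippet are assumptions for illustration. Note that the directory listing above already contains -crt.pem, -chain.pem and -key.pem files, which are PEM and can usually be handed to nginx directly; the conversion below is only needed when only the .pfx is available.

```shell
#!/bin/sh
# Added example: convert a PFX bundle to nginx-style PEM files and check that
# the certificate and private key match. Requires the openssl CLI (assumption).
set -eu

WORK="${WORK:-$(mktemp -d)}"

# Constructed stand-in for a win-acme export: a self-signed cert and key packed
# into a password-protected PFX. Real deployments use the ACME-issued PFX.
make_demo_pfx() {
  host="$1"; pass="$2"
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$host" \
    -keyout "$WORK/$host-key.pem" -out "$WORK/$host-crt.pem" 2>/dev/null
  openssl pkcs12 -export -inkey "$WORK/$host-key.pem" -in "$WORK/$host-crt.pem" \
    -passout "pass:$pass" -out "$WORK/$host-all.pfx"
  printf '%s\n' "$WORK/$host-all.pfx"
}

# Extract the certificate(s) and the unencrypted private key from a PFX.
# -passin avoids the interactive "Enter Import Password:" prompt; -nokeys
# writes every certificate in the bundle (leaf plus any chain), -nocerts -nodes
# writes the key without re-encrypting it, which is what nginx expects.
pfx_to_pem() {
  pfx="$1"; pass="$2"; outcert="$3"; outkey="$4"
  openssl pkcs12 -in "$pfx" -passin "pass:$pass" -nokeys -out "$outcert"
  openssl pkcs12 -in "$pfx" -passin "pass:$pass" -nocerts -nodes -out "$outkey"
  chmod 600 "$outkey"   # the key file must not be world-readable
}

# Succeeds (exit 0) only when the public key inside the certificate equals the
# public key derived from the private key; a mismatch means nginx would refuse
# to start or serve the wrong identity.
cert_matches_key() {
  c=$(openssl x509 -in "$1" -noout -pubkey | openssl pkey -pubin -outform DER | openssl sha256)
  k=$(openssl pkey -in "$2" -pubout -outform DER | openssl sha256)
  [ "$c" = "$k" ]
}

# Minimal nginx server block consuming the PEM pair (paths are assumptions).
write_nginx_conf() {
  cat > "$1" <<EOF
server {
    listen 443 ssl;
    server_name $2;
    ssl_certificate     $3;
    ssl_certificate_key $4;
}
EOF
}

# Usage, run stand-alone:
if [ "${1:-}" = "demo" ]; then
  host=zulip.example.test
  pfx=$(make_demo_pfx "$host" 'demo-pass')
  pfx_to_pem "$pfx" 'demo-pass' "$WORK/$host.crt" "$WORK/$host.key"
  cert_matches_key "$WORK/$host.crt" "$WORK/$host.key" && echo "cert and key match"
  write_nginx_conf "$WORK/$host.conf" "$host" "$WORK/$host.crt" "$WORK/$host.key"
  cat "$WORK/$host.conf"
fi
```

Run it as `sh script.sh demo` to see the whole flow; for a real win-acme bundle, call pfx_to_pem with the real .pfx and the password configured in win-acme, then cert_matches_key before reloading nginx.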