Possibility to run a private LE authority onsite?


I absolutely love the work you’re doing here - it’s really enabled the web to go all-in on TLS.

In our organisation, however, we have a number of internal-only domains for which we’re currently stuck on a traditional PKI infrastructure component; I was wondering whether it is somehow possible to run an LE authority internally, so we can benefit from the same convenience in administration for those domains that aren’t externally available for verification?

Thx for any info you can give me :)


Boulder is custom built for Let’s Encrypt and is intended only to support the Web PKI and the CA/Browser forum’s baseline requirements. In our experience often Boulder is not the right fit for organizations that are evaluating it for production usage. In most cases a centrally managed PKI that doesn’t require domain-authorization with ACME is a better choice. For this environment we recommend evaluating cfssl or a project other than Boulder.

We offer a brief deployment and implementation guide that describes some of the required work and security considerations involved in using Boulder in a production environment. As-is, the Docker-based Boulder development environment is not suitable for production usage. It uses private key material that is publicly available, exposes debug ports and is brittle to component failure.

While we are supportive of other organizations deploying Boulder in a production setting, we prioritize support and development work that favors Let’s Encrypt’s mission. This means we may not be able to provide timely support or accept pull-requests that deviate significantly from our first line goals. If you’ve thoroughly evaluated the alternatives and Boulder is definitely the best fit, we’re happy to answer questions to the best of our ability.


You may want to investigate smallstep or minica instead of running the full boulder stack.

