Run a private letsencrypt service for an isolated network

Hello. Is it possible to run a private instance of letsencrypt, maybe just for testing purposes within an isolated internal network?

I see a lot of questions about issuing certificates for private domains and networks which I understand is not and shouldn't be possible. But I didn't see information whether it's possible to run your own private letsencrypt service.

There are a few ACME servers that allow you to run your own private CA. I think even Caddy includes it (I have never used that functionality, though.)

You might want to take a look at pebble or smallstep

6 Likes

Let's Encrypt uses its own, in-house developed CA software package called "Boulder", which is open source, but for example they do not recommend running their Boulder Docker images in production as is. And it's a fairly complicated piece of software if you ask me.

5 Likes

In addition to Pebble (intended for CI testing only), there's a few corporate / private PKI solutions for ACME.

A few I know of include smallstep (corporate PKI), HashiCorp Vault (Enable ACME with PKI secrets engine | Vault | HashiCorp Developer) and FreeIPA (FreeIPA ACME — FreeIPA documentation).

I wouldn't advise running Boulder: It is tailored specifically to Let's Encrypt (though we aren't the only CA using it) and makes no concessions for use cases of ours as a public CA.

It depends on your use-case which direction you want to go.

6 Likes
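Whichever of these private ACME servers you pick (Pebble, step-ca, Vault's PKI engine, FreeIPA), the first thing a client fetches is the server's directory document (RFC 8555 section 7.1.1). A common mistake when standing up a private CA is that a client ends up pointed at a public ACME server, or the private server advertises endpoint URLs under the wrong hostname, and you only notice when issuance for an internal name fails or, worse, a publicly-trusted certificate is requested by accident. The following is an added example, not code from any of the projects mentioned in this thread: it checks that a fetched directory is complete and that every advertised endpoint lives on the origin of your private server. The hostname acme.internal.example:14000, the endpoint paths and the sample documents are constructed for the example.

```python
"""Sanity-check an ACME directory document before trusting a private server.

Added example for this thread; it is not code from Pebble, step-ca, Vault,
FreeIPA or Boulder. The sample directories below are constructed, and the
private server origin https://acme.internal.example:14000 is an assumption.
"""
import json
from urllib.parse import urlparse

# Endpoints every ACME server must advertise (RFC 8555 section 7.1.1).
REQUIRED_ENDPOINTS = ("newNonce", "newAccount", "newOrder", "revokeCert", "keyChange")

# Assumed origin of the private ACME server (scheme://host[:port]).
PRIVATE_ORIGIN = "https://acme.internal.example:14000"

# Constructed sample of a directory as a private ACME server might return it.
_sample = {
    "newNonce": PRIVATE_ORIGIN + "/acme/new-nonce",
    "newAccount": PRIVATE_ORIGIN + "/acme/new-account",
    "newOrder": PRIVATE_ORIGIN + "/acme/new-order",
    "revokeCert": PRIVATE_ORIGIN + "/acme/revoke-cert",
    "keyChange": PRIVATE_ORIGIN + "/acme/key-change",
    "meta": {
        "externalAccountRequired": True,
        "termsOfService": PRIVATE_ORIGIN + "/terms",
    },
}
SAMPLE_DIRECTORY = json.dumps(_sample)

# Constructed failure cases: one endpoint leaks to the public Let's Encrypt
# production API, and one required endpoint is missing altogether.
SAMPLE_MISPOINTED_DIRECTORY = json.dumps(
    {**_sample, "newOrder": "https://acme-v02.api.letsencrypt.org/acme/new-order"}
)
SAMPLE_INCOMPLETE_DIRECTORY = json.dumps(
    {name: value for name, value in _sample.items() if name != "revokeCert"}
)


def _check_url(name: str, url, expected_origin: str) -> list[str]:
    """Return problems with one advertised endpoint URL."""
    if not isinstance(url, str):
        return [f"{name} is not a string"]
    parsed = urlparse(url)
    expected = urlparse(expected_origin)
    problems = []
    if parsed.scheme != "https":
        problems.append(f"{name} is not served over https: {url}")
    if (parsed.scheme, parsed.netloc) != (expected.scheme, expected.netloc):
        problems.append(f"{name} points at {parsed.netloc}, not {expected.netloc}")
    return problems


def check_directory(raw: str, expected_origin: str, require_eab: bool = False) -> list[str]:
    """Return a list of problems found in an ACME directory document.

    An empty list means the directory carries every required endpoint, every
    advertised URL (required or not) is on expected_origin over https, and,
    if require_eab is set, the server demands external account binding so
    that arbitrary hosts on the network cannot register accounts.
    """
    try:
        directory = json.loads(raw)
    except json.JSONDecodeError as exc:
        return [f"directory is not valid JSON: {exc}"]
    if not isinstance(directory, dict):
        return ["directory is not a JSON object"]

    problems = [f"missing required endpoint {name}"
                for name in REQUIRED_ENDPOINTS if name not in directory]

    # Every non-meta key is an endpoint URL and must belong to our server.
    for name, url in directory.items():
        if name != "meta":
            problems.extend(_check_url(name, url, expected_origin))

    meta = directory.get("meta", {})
    if require_eab and meta.get("externalAccountRequired") is not True:
        problems.append("server does not require external account binding")
    return problems


if __name__ == "__main__":
    samples = {
        "good": SAMPLE_DIRECTORY,
        "mispointed": SAMPLE_MISPOINTED_DIRECTORY,
        "incomplete": SAMPLE_INCOMPLETE_DIRECTORY,
    }
    for label, document in samples.items():
        print(label, check_directory(document, PRIVATE_ORIGIN, require_eab=True) or "ok")
```

In practice you would feed `check_directory` the body returned by `GET <your server>/dir` (the path differs per product) before handing that URL to certbot, acme.sh or Caddy as the ACME server, and keep `require_eab=True` if your private CA is supposed to issue only to enrolled hosts.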

As well as Smallstep Step CA and HashiCorp Vault, you can also run an ACME server layer against a range of existing private cert services: GitHub - grindsa/acme2certifier: library implementing ACME server functionality

There are also services like EJBCA Enterprise | PKI by Keyfactor which include ACME (but not in the community edition).

6 Likes
