Using my own CA?

harrisonclassicboats.com.au

Hello, in my home lab I have various webservers, pfsense firewall, requirement for user certificates.

What would be best practice here using normal certs of wildcard certs?

Option 1. Use my web proxy with multiple virtual servers and certbot to manage individual server certs. But what about user certs?

Option 2. Somehow use my own CA ( I have used XCA ) to leverage the LetsEncrypt certificate so I can generate my own certs? Is this possible.

Thanks

David

What are user certificates?

Any relation to Client certificate - Wikipedia?

yes sorry, a client certificate. For instance to use with a user record in the pfSense firewall

I'd say the simplest option is to use DNS validation (instead of http) so that way you can get individual certificates for anything you give a name to in your domain's DNS, or you can get a wildcard certificate and distribute it (or get multiple certs, but rate limits apply).

Most ACME tools let you script certificate deployment for custom distribution to other services/machines etc. For instance the app I develop https://certifytheweb.com has deployment tasks for copying via SSH, UNC etc, scripting (either local powershell or remote bash etc).

User certs (i.e.client certificates) are out of scope for Let's Encrypt (and ACME) and you generally need to run your own CA (see step-ca open source server — Smallstep for instance). If you run your own CA you need to distribute the root certificate to all your machines so they trust your CA, and nothing will be publicly trusted.