SSL Certificates - Inside and Outside
spetrillo (Hero Member, Posts: 721, Karma: 8)
SSL Certificates - Inside and Outside
on: February 05, 2024, 04:55:35 pm
Hello all,
I have a public domain that I would like to generate a certificate for and apply on my OPNsense firewall. Right now my firewall is named with the private domain FQDN. Is there a way to protect both the private and public domain names, or do I just worry about the public one? I would assume my firewall FQDN will have to change to the public FQDN, so the certificate would then be in use?
Thanks,
Steve
netnut (Sr. Member, Posts: 272, Karma: 33)
Re: SSL Certificates - Inside and Outside
Reply #1 on: February 05, 2024, 06:07:40 pm
It depends on what you want to achieve: your OPNsense firewall (server) runs different programs (services). Although your firewall (server) does have a hostname, your certificate is used for these services.
The first _service_ your server _serves_ is the Web GUI and SSH. The latter has its own way of dealing with certificates (SSH keys) and does not use X.509 certificates like the Web GUI does. If you'd like to use your certificate for the Web GUI, yes, it makes sense to rename the server (OPNsense firewall) to that particular FQDN. That's just for simplicity and clarity, because certificate validation doesn't care what the local hostname is; it checks 3 things:
1. Is the certificate valid ( Date from/to )
2. Do I trust the Root CA that signed the certificate
3. Is there a valid DNS record for the FQDN of the certificate (CN / SAN).
So if you have a (valid) certificate for opnsense.domain.tld, a DNS record that points to 1.2.3.4 and your OPNsense is listening on 1.2.3.4, you're good to go, even if the local hostname of your box is pfsense.domain.tld. But again, it makes sense to match them, even though it's not technically required.
So for inside and outside with the SAME certificate, having (split) DNS is probably the simplest option: a DNS zone serving the internet and the same zone in a private, controlled DNS infrastructure to serve the internal requests. The same can be done for X.509 certificates. I only use public certificates on services exposed to the internet; for all internal stuff there's a private DNS and a private X.509 PKI.
Last Edit: February 05, 2024, 06:33:26 pm by netnut
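The three checks listed in the reply above, as an added example that is not from the forum thread or from OPNsense: a Python sketch that validates a certificate (given in the dict shape that ssl.getpeercert() returns) against the FQDN the client asked for, with the server's local hostname deliberately absent from the inputs. The certificate data, the CA name and the dates are constructed, and the trust check is simplified to an issuer-name lookup rather than full chain verification.

```python
import ssl

# Constructed sample in the dict shape that ssl.SSLSocket.getpeercert() returns;
# the names, CA and dates are made up for illustration.
SAMPLE_CERT = {
    "subject": ((("commonName", "opnsense.domain.tld"),),),
    "issuer": ((("commonName", "Private Root CA"),),),
    "subjectAltName": (("DNS", "opnsense.domain.tld"), ("DNS", "fw.domain.tld")),
    "notBefore": "Feb  1 00:00:00 2024 GMT",
    "notAfter": "Feb  1 00:00:00 2025 GMT",
}
# Stand-in for the client's trust store (assumption: trust decided by issuer CN only).
TRUSTED_ISSUERS = {"Private Root CA"}

def to_epoch(openssl_time):
    """Convert an OpenSSL-style timestamp such as 'Feb  1 00:00:00 2024 GMT'."""
    return ssl.cert_time_to_seconds(openssl_time)

def common_name(name):
    return next((v for rdn in name for k, v in rdn if k == "commonName"), None)

def dns_names(cert):
    """DNS SANs; the subject CN is only used when no DNS SAN is present."""
    names = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    cn = common_name(cert["subject"])
    return names or ([cn] if cn else [])

def name_matches(pattern, hostname):
    """Case-insensitive match; '*' only in the leftmost label, one label wide."""
    pattern, hostname = pattern.lower(), hostname.lower().rstrip(".")
    if pattern.startswith("*."):
        return hostname.count(".") == pattern.count(".") and hostname.endswith(pattern[1:])
    return pattern == hostname

def validate(cert, requested_fqdn, now, trusted=TRUSTED_ISSUERS):
    """Apply the three checks: validity window, trusted issuer, name match.
    The server's local hostname is deliberately not an input."""
    if not to_epoch(cert["notBefore"]) <= now <= to_epoch(cert["notAfter"]):
        return False, "outside validity period"
    if common_name(cert["issuer"]) not in trusted:
        return False, "issuer not trusted"
    if not any(name_matches(n, requested_fqdn) for n in dns_names(cert)):
        return False, "name does not match CN/SAN"
    return True, "ok"

if __name__ == "__main__":
    now = to_epoch("Jun  1 00:00:00 2024 GMT")
    print(validate(SAMPLE_CERT, "opnsense.domain.tld", now))  # (True, 'ok')
    print(validate(SAMPLE_CERT, "pfsense.domain.tld", now))   # (False, 'name does not match CN/SAN')
```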