Local Valid SSL Certificates

Started by Scenic3050, August 22, 2024, 04:35:31 PM

Hi All,

I have been going in circles a bit trying to setup local valid SSL certificates for my internal services. I do not want anything exposed to the internet, this is just for local/internal usage eg. to get rid of warning messages in web browsers and improve security.

Ideally I would like this to be fully handled with OPNsense or its plugins. I am currently using Unbound for my DNS. I have seen various guides but no complete source for doing this entirely in OPNsense.

Can anyone advise me on how to set this up or point me to a suitable guide? I would like to use DNS01 with my Cloudflare domain name and a wildcard subdomain so it's easy to add new services as I go. I have the NGINX plugin installed in OPNsense but am open to alternative options (eg. Caddy plugin), I just need some help/guide to follow.

Thanks for your advice!

OPN is not (core or plugins) something you can use to distribute certificates, so you won't find guides.
And remember traffic between endpoints in the LAN will not go through the firewall.
The way for what you want with least admin is to use a wildcard cert I imagine.

The wildcard certificate method sounds promising and a concept I have seen in other guides that aren't geared towards the OPNsense NGINX plugin.

Are you able to point me in the right direction to a source to understand this better, if there are no guides as you say?

First we need to be clear what you want to achieve.
You want each of your services _in your LAN, communicating amongst themselves_ to use https with certificates, right?
Then you want "something" like one of the OPN plugins to automate the renewals with DNS01 to cloudflare, right?
Something else?
p.s. remember you will not be able to add the CA to many of your endpoints so you won't have 100% coverage.

That sounds about right, yes!
Actually, I am mostly just wanting to have valid certs for the admin/login pages of my services which currently I access via a web browser but have to click past the warnings about non valid SSL. For communications between servers I tend to use ssh which is reasonably secure as I understand, but am always open to new ideas and approaches!

In that case you would need one of two off the top of my head:
a) purchase a multi domain aka SAN certificate like https://www.digicert.com/tls-ssl/multi-domain-ssl-certificates that you then need to configure on all your services. It can be free from letsencrypt too and you need to set up internally your first setup and renewals.
b) configure your services with your own Private Key Infrastructure which you then administer. You here not only have to distribute the certs but also the CA (your own) into devices, which is not always possible.
I suggest you read about PKI and then you'll have more specific questions that although not necessarily relevant to OPN, could help.
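The difference between the wildcard approach suggested earlier in the thread and the per-host SAN certificate in option (a) comes down to which hostnames a certificate's Subject Alternative Names cover. The script below is an added example, not code from this thread or from OPNsense; it implements the wildcard matching rules browsers apply (RFC 6125 / RFC 9525: the wildcard must be the whole leftmost label and matches exactly one label) and checks constructed SAN lists against constructed hostnames. The `home.example.net` names are placeholders, not anyone's real domain.

```python
"""Which hostnames does a certificate's SAN list cover?

Added example for the wildcard-vs-SAN discussion above. The SAN lists and
hostnames are constructed for illustration; they come from no real certificate.
"""

def _labels(name: str) -> list[str]:
    # Hostnames are case-insensitive and a trailing dot is just the root label.
    return name.lower().rstrip(".").split(".")

def dns_name_matches(pattern: str, hostname: str) -> bool:
    """True if one SAN dNSName entry (possibly '*.home.example.net') matches hostname.

    Rules enforced, mirroring what browsers do:
      * no wildcard  -> exact label-by-label match
      * '*' must be the entire leftmost label ('n*.example.net' is rejected)
      * '*' matches exactly one label, so '*.home.example.net' covers
        'nas.home.example.net' but NOT 'home.example.net' or 'a.b.home.example.net'
      * a wildcard directly under a TLD ('*.net') is rejected as far too broad
    """
    p, h = _labels(pattern), _labels(hostname)
    if "*" not in pattern:
        return p == h
    if p[0] != "*" or any("*" in lbl for lbl in p[1:]):
        return False
    if len(p) < 3:
        return False
    return len(p) == len(h) and p[1:] == h[1:]

def san_covers(sans: list[str], hostname: str) -> bool:
    """True if any dNSName in the certificate's SAN list matches hostname."""
    return any(dns_name_matches(s, hostname) for s in sans)

def uncovered(sans: list[str], hostnames: list[str]) -> list[str]:
    """Hostnames that would still produce a browser warning with this certificate."""
    return [h for h in hostnames if not san_covers(sans, h)]

# Constructed SAN lists: the wildcard certificate from a DNS-01 issuance (the
# apex is listed separately because '*' does not cover it), and a per-host
# SAN certificate as in option (a) that must be reissued for every new service.
WILDCARD_SANS = ["home.example.net", "*.home.example.net"]
PER_HOST_SANS = ["opnsense.home.example.net", "nas.home.example.net"]

# Constructed hostnames: two existing admin pages, one service added later,
# and one nested name that a single-label wildcard does not reach.
HOSTS = [
    "opnsense.home.example.net",
    "nas.home.example.net",
    "jellyfin.home.example.net",
    "api.nas.home.example.net",
]

if __name__ == "__main__":
    for label, sans in (("wildcard", WILDCARD_SANS), ("per-host", PER_HOST_SANS)):
        print(f"{label:8s} SANs={sans}")
        print(f"         still warns on: {uncovered(sans, HOSTS)}")
```

Running it shows the practical point of the wildcard suggestion: `jellyfin.home.example.net` is covered by the wildcard certificate without a reissue, while the per-host certificate must be regenerated and redeployed for every new service. It also shows the two gaps a wildcard leaves, the apex name (include it as its own SAN) and any second-level name such as `api.nas.home.example.net` (which needs its own entry or its own `*.nas.home.example.net` wildcard).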