Local Valid SSL Certificates

[Scenic3050]

Hi All,

I have been going in circles a bit trying to setup local valid SSL certificates for my internal services. I do not want anything exposed to the internet, this is just for local/internal usage eg. to get rid of warning messages in web browsers and improve security.

Ideally I would like this to be fully handled with OPNsense or its plugins. I am currently using Unbound for my DNS. I have seen various guides but no complete source for doing this entirely in OPNsense.

Can anyone advise me on how to set this up or point me to a suitable guide? I would like to use DNS01 with my Cloudflare domain name and a wildcard subdomain so it's easy to add new services as I go. I have the NGINX plugin installed in OPNsense but am open to alternative options (eg. Caddy plugin), I just need some help/guide to follow.

Thanks for your advice!

[cookiemonster]

OPN is not -core or plugins- something you can use to distribute certificates so you won't find guides.
And remember tragffic between endpoints between in the LAN will not go through the firewall.
The way for what you want with least admin is to use a wildcard cert I imagine.

[Scenic3050]

The wildcard certificate method sounds promising and a concept I have seen in other guides that aren’t geared towards the OPNsense NGINX plugin.

Are you able to point me in the right direction to a source to understand this better, if there are no guides as you say?

[cookiemonster]

First we need to be clear what you want to achieve.
You want each of your services _in your LAN, communicating amongst themselves_ to use https with certificates, right?
Then you want "something" like one of the OPN plugins to automate the renewals with DNS01 to cloudflare, right?
Something else?
p.s. remember you will not be able to add the CA to many of your endpoints so you won't have 100% coverage.

[Scenic3050]

That sounds about right, yes!
Actually, I am mostly just wanting to have valid certs for the admin/login pages of my services which currently I access via a web browser but have to click past the warnings about non valid SSL. For communications between servers I tend to use ssh which is reasonably secure as I understand, but am always open to new ideas and approaches!

[cookiemonster]

In that case you would need one of two off the top of my head:
a) purchase a multi domain aka SAN certificate like https://www.digicert.com/tls-ssl/multi-domain-ssl-certificates that you then need to configure on all your services. It can be free from letsencrypt too and you need to setup internally your first setup and renewals.
b) configure your services with your own Private Key Infrastructure which you then administer. You here not only have to distribute the certs but also the CA (your own) into devices, which is not always possible.
I suggest you read about PKI and then you'll have more specific questions that although not necessarily relevant to OPN, could help.