How are y’all managing internal network certificates?
At any point in time, I have between 2-10 services, often running on a network behind an nginx reverse proxy, with some variation in certificates, none ideal. Here’s what I’ve done in the past:
- setup a CLI CA using openssl
- somewhat works, but importing CAs into phones was a hassle.
- self sign single cert per service
- works, very kludgy, very easy
- expose http port only on lo interface for sensitive services (e.g. pihole admin), ssh local tunnel when needed
I see easy-RSA seems to be more user friendly these days, but haven’t tried it yet.
I’m tempted to try this setup for my local LAN facing (as exposed to tunnel only, such as pihole) services:
- Get letsencrypt cert for single public DNS domain (e.g. lan.mydomain.org)… not sure about wildcard cert.
- use letsencrypt on nginx reverse proxy, expose various services as suburls (e.g. lan.mydomain.org/nextcloud)
Curious what y’all do and if I’m missing anything basic.
I have no intention of exposing these outside my local network, and prefer as less client side changes as possible.
I went with the OpenSSL CA as cryptography has been a weakness of mine and I needed to tackle it. Glad I did, learned a lot throughout the process.
Importing certs is a bit of a pain at first but I just made my public root ca cert valid for 3 years (maybe 5 I can’t remember) and put that public cert in a file share accessible to all my home devices. From each device I go to the file share once, import the public root ca cert and done. It’s a one time per device pain so it’s manageable in my opinion.
Each service gets a 90 day cert signed by root ca and imported to nginx proxy manager to serve up for the service (wikijs.mydomain.io).
Anything externally exposed I use let’s encrypt for cert generation (within NPM) and internally I use the OpenSSL setup.
If you document your process and you’ve done it a few times, it’s gets quicker and easier.
You can self-host ACME server which lets you use certbot to do automatic renewals even for private, internal only certs. I don’t know if it would work with NPM. I plan to test that out at some point in the future but my current setup works & I’m not ready to break it for a maybe yet :P