[cisco-voip] let's encrypt for local admin gui pages

Lelio Fulgenzi lelio at uoguelph.ca
Wed Sep 27 10:31:12 EDT 2017


Thanks for everyone's feedback! It's likely that I will revisit using privately signed certificates for non-public facing admin GUI pages via our Microsoft AD base. As long as it's a Windows workstation signing into AD accessing the page, the certificate will be trusted without any warnings, etc. Again, this is just for non-public facing admin GUIs so our team doesn't have to import private keys.

The hardest part was finding some decent instructions on how to do so. Apparently, when a privately signed certificate is generated and granted, it's available for download from the link presented during the process, and there's no easy way to find an inventory of generated certificates!

Lelio


---
Lelio Fulgenzi, B.A.
Senior Analyst, Network Infrastructure
Computing and Communications Services (CCS)
University of Guelph

519-824-4120 Ext 56354
lelio at uoguelph.ca
www.uoguelph.ca/ccs
Room 037, Animal Science and Nutrition Building
Guelph, Ontario, N1G 2W1


-----Original Message-----
From: cisco-voip [mailto:cisco-voip-bounces at puck.nether.net] On Behalf Of Doug McIntyre
Sent: Wednesday, September 27, 2017 8:40 AM
To: voyp list, cisco-voip (cisco-voip at puck.nether.net)
Subject: Re: [cisco-voip] let's encrypt for local admin gui pages

On Wed, Sep 27, 2017 at 04:07:53PM +0800, Ki Wi wrote:
> technically it can be done but it's too troublesome. Without "auto" 
> update, you will have to go manual which is to create special DNS (TXT 
> record) entry for each URL during the renewal.


DNS authorization of Let's Encrypt can be done through automated methods. Especially with a client such as dehydrated and the use of dynamic DNS updates (through ddns methods of nsupdate, or through the API of your DNS provider).

Not sure how easily the SSL cert can be rotated on the appliance devices though.
_______________________________________________
cisco-voip mailing list
cisco-voip at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-voip
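
The automated DNS authorization Doug McIntyre describes, as an added example (not part of the original thread and not code from the dehydrated project): a hook script that dehydrated calls for dns-01 challenges, publishing and removing the `_acme-challenge` TXT record through nsupdate. The DNS server address, TSIG key path and TTL are placeholder assumptions.

```shell
#!/bin/sh
# Added example: dehydrated hook for dns-01 via nsupdate (RFC 2136 dynamic update).
# Assumed placeholders, not from the thread: server address, TSIG key path, TTL.
NS_SERVER="${NS_SERVER:-192.0.2.53}"
TSIG_KEY="${TSIG_KEY:-/etc/dehydrated/tsig.key}"
TTL="${TTL:-60}"

# build_update ACTION DOMAIN TOKEN_VALUE
# Prints the nsupdate batch for one challenge record; ACTION is add or delete.
build_update() {
    # Accept only hostname characters, so a crafted name cannot smuggle
    # extra nsupdate commands (newlines, spaces, quotes) into the batch.
    case "$2" in
        ""|*[!A-Za-z0-9.-]*) echo "invalid domain" >&2; return 1 ;;
    esac
    # The dns-01 TXT value is base64url, so restrict it to that alphabet.
    case "$3" in
        ""|*[!A-Za-z0-9_-]*) echo "invalid token value" >&2; return 1 ;;
    esac
    case "$1" in
        add)    rr="update add _acme-challenge.$2. $TTL TXT \"$3\"" ;;
        delete) rr="update delete _acme-challenge.$2. TXT \"$3\"" ;;
        *)      echo "unknown action" >&2; return 1 ;;
    esac
    printf 'server %s\n%s\nsend\n' "$NS_SERVER" "$rr"
}

# dehydrated invokes the hook as:
#   HOOK deploy_challenge DOMAIN TOKEN_FILENAME TOKEN_VALUE
#   HOOK clean_challenge  DOMAIN TOKEN_FILENAME TOKEN_VALUE
hook() {
    case "$1" in
        deploy_challenge) batch=$(build_update add "$2" "$4") || return 1 ;;
        clean_challenge)  batch=$(build_update delete "$2" "$4") || return 1 ;;
        *) return 0 ;;   # other hook events need no DNS change
    esac
    # The TSIG key should be scoped on the DNS server to _acme-challenge
    # TXT records only, so a leaked key cannot rewrite the rest of the zone.
    printf '%s\n' "$batch" | nsupdate -k "$TSIG_KEY"
}

# Run only when called with arguments (i.e. by dehydrated).
if [ "$#" -gt 0 ]; then
    hook "$@"
fi
```

This covers certificate issuance only; installing the renewed certificate on the appliance is a separate step that the thread leaves open.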

