
I would like to ask if anyone is aware of a tool which can obtain and manage certificates from an upstream instance (like Let's Encrypt via HTTP-01 or DNS-01) and make them available through e.g. a local ACME endpoint. Furthermore, I wish I could add a deployment mechanism to push the certificates to devices such as printers or switches; a hook script seems sufficient.

I am looking for this intermediate certificate management as I ran into cases where I want a hostname issued to multiple machines, e.g.

  • Host A: hosta.intern. + service.intern.
  • Host B: hostb.intern. + service.intern.

These domains are of course inside the scope of, let's say, example.com, so the domain names themselves are public and under my control. Just the servers aren't reachable from the WAN.

While I could achieve this by using DNS-01 validation, I'm not so sure every DNS provider offers the possibility to create such granular API accounts.
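As an added illustration (not code from the question, the answer, or any tool mentioned on this page) of the pattern that addresses the "granular API account" concern: instead of giving the certificate broker write access to the whole public zone, each `_acme-challenge.<host>` label is CNAMEd into a separate zone that only the broker can write. The zone data, the delegated zone name `acme.example.com` and the tokens are all constructed here; the broker refuses to publish a challenge for any name that is not delegated, and the lookup side follows CNAMEs the way a validator's resolver would.

```python
# Added example: a stand-in resolver and broker showing CNAME delegation of
# DNS-01 challenge labels into a zone the broker alone may write.
from typing import Dict, List, Tuple

Record = Tuple[str, str]          # (type, value), type is "CNAME" or "TXT"
Zone = Dict[str, List[Record]]    # owner name (FQDN with trailing dot) -> records

# Hypothetical zone the broker's API credential is scoped to (an assumption).
DELEGATED_ZONE = "acme.example.com."


def build_zone() -> Zone:
    """Constructed sample records: the public zone delegates each
    _acme-challenge label via CNAME into DELEGATED_ZONE, except www,
    which is left undelegated to show the broker refusing it."""
    return {
        "_acme-challenge.hosta.example.com.": [("CNAME", "hosta.acme.example.com.")],
        "_acme-challenge.hostb.example.com.": [("CNAME", "hostb.acme.example.com.")],
        "_acme-challenge.service.example.com.": [("CNAME", "service.acme.example.com.")],
        "_acme-challenge.www.example.com.": [],
    }


def in_zone(name: str, zone_apex: str) -> bool:
    """True if name is the apex or lies beneath it (label-aligned match)."""
    return name == zone_apex or name.endswith("." + zone_apex)


def cname_target(zone: Zone, name: str, max_hops: int = 8) -> str:
    """Follow CNAME records from name and return the final canonical name.
    Raises on loops or chains longer than max_hops, as a resolver would."""
    seen = set()
    current = name
    for _ in range(max_hops):
        if current in seen:
            raise ValueError(f"CNAME loop at {current}")
        seen.add(current)
        targets = [v for t, v in zone.get(current, []) if t == "CNAME"]
        if not targets:
            return current
        current = targets[0]
    raise ValueError("CNAME chain too long")


def publish_challenge(zone: Zone, fqdn: str, token: str) -> str:
    """Broker side: write the DNS-01 token at the name the validator will
    reach, but only if that name is inside the delegated zone. Returns the
    owner name that was written."""
    owner = "_acme-challenge." + fqdn.rstrip(".") + "."
    target = cname_target(zone, owner)
    if not in_zone(target, DELEGATED_ZONE):
        raise PermissionError(
            f"{owner} is not delegated into {DELEGATED_ZONE}; refusing to write")
    zone.setdefault(target, []).append(("TXT", token))
    return target


def lookup_txt(zone: Zone, name: str) -> List[str]:
    """Validator side: TXT values at name after CNAME resolution."""
    return [v for t, v in zone.get(cname_target(zone, name), []) if t == "TXT"]


def challenge_satisfied(zone: Zone, fqdn: str, token: str) -> bool:
    """What the CA's validator checks: the expected token is present."""
    return token in lookup_txt(zone, "_acme-challenge." + fqdn.rstrip(".") + ".")


if __name__ == "__main__":
    z = build_zone()
    # service.example.com is shared by host A and host B, but the broker only
    # ever writes into the delegated zone.
    print(publish_challenge(z, "service.example.com", "tokS-constructed"))
    print(challenge_satisfied(z, "service.example.com", "tokS-constructed"))
```

With a real provider the broker would hold a credential for `acme.example.com` only, so a leaked credential cannot alter the production records in `example.com`; the same check keeps it from satisfying challenges for names the operator never delegated.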

1 Answer


It is not possible to use Let's Encrypt certificates for internally facing websites/services. Due to the nature of certificate trusts, you'll need to create a self-signed CA that is trusted by browsers, etc. within your LAN.

Additionally, there is no automation (at least that I'm aware of) that would deploy certificates to printers, switches, etc. Most of these are written internally by enterprises for audit reasons, etc.

Keep in mind the scope of Let's Encrypt: to help the public internet become more secure through enforced SSL connections. What you're describing is outside that scope.

  • This is not entirely accurate. It's true that Let's Encrypt cannot be used on domains that are not externally valid, but if I set up in public DNS a CNAME from *.internal.example.com to tls-manager.example.com, I could build a solution where an internal host foo asks tls-manager for a certificate for foo.internal.example.com and tls-manager obtains it and provides it to foo. I found this question looking for precisely such a solution. – Dessa Simpson May 25 '22 at 01:34