9.5. Using an External Certificate Authority

Many Certificate Authorities (abbreviated CA) offer the creation of certificates as a service. These certificate authorities are already trusted by most browsers. This means that a certificate does not have to be installed on all clients before use.

Certificate authorities only sign certificates with official, externally accessible DNS names. It is therefore not possible to use a Certificate Authority for local DNS names (such as intra.net.lan) or IP addresses.

One option is a classic, commercial certification authority: the request, verification and issuance of the certificate take place via the provider's website, and a small fee is due per year of validity.

Alternatively, the provider Let's Encrypt offers certificates that are issued and renewed fully automatically and free of charge using the ACME protocol. We recommend Let's Encrypt especially because of the easier handling and automatic renewal.

9.5.1. Certificates from Let's Encrypt

Proceed as follows to use a certificate from Let's Encrypt:

  1. Configure a DNS name for the external IP of the Intra2net system in an official domain that belongs to you (e.g. mail.meinedomain.de). This can normally be set up free of charge and promptly by the webspace provider who manages your own domain. If a dynamic IP is used, set up a dynamic DNS service instead, see Section 10.13, "DynDNS".

  2. Enter the external DNS name in the menu "Network > DNS > Settings" as the computer name for connections from the Internet.

  3. An incoming HTTP connection is required to validate the certificate. Therefore, in the menu "Network > Provider > Profiles : Firewall", select a firewall ruleset that allows incoming HTTP connections. The Intra2net system only accepts HTTP connections while a certificate validation is pending. Otherwise the port is closed.

  4. Check how the Intra2net system is connected to the Internet. Check in the menu "Network > Provider > Profiles" the type of the active provider. If it is a (DSL) dial-up line, everything is fine and you can proceed to the next step.

    If the provider is of the type with a router, check whether this router assigns an unchanged official IP to the Intra2net system or whether it assigns an IP from a private address range via NAT. In the latter case, a port forwarding for TCP port 80 (http) to the IP of the Intra2net system must be configured on the router.

  5. Create a new certificate signed by Let's Encrypt in the menu "System > Key > Own keys". The verification and issuance of the certificate is fully automated.

  6. Switch the certificate used for Internet connections to the new certificate. You can select this in the menu "System > Web interface > Security".

  7. You can test whether the new certificate has been issued and installed correctly in the menu "System > Diagnosis > External HTTPS".

Certificates issued by Let's Encrypt are only valid for a few weeks and are automatically renewed by the Intra2net system before expiration. Therefore, the firewall settings and port forwarding described above must remain permanently configured.
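The two conditions that most often block validation, a name the Certificate Authority will not sign and a private address behind NAT (step 4), can be checked before the request is made. The following is an added example, not part of the Intra2net system or its documentation; the function names, the suffix list (apart from "lan") and the sample addresses are assumptions made for illustration.

```python
import ipaddress
import re

# Top-level labels that never exist in public DNS. "lan" comes from the page's
# intra.net.lan example; the others are an assumed, non-exhaustive list.
LOCAL_SUFFIXES = {"lan", "local", "localhost", "internal", "home", "corp",
                  "test", "invalid", "example"}
LABEL = re.compile(r"[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?")
# RFC 1918 private ranges: an address from these means the router does NAT.
PRIVATE_NETS = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def ca_name_problem(name):
    """Return None if the name fits the rule above, else the reason it does not."""
    host = name.strip().rstrip(".").lower()
    try:
        ipaddress.ip_address(host)
        return "IP address, not a DNS name"
    except ValueError:
        pass
    labels = host.split(".")
    if len(labels) < 2:
        return "single-label name, not in an official domain"
    if labels[-1] in LOCAL_SUFFIXES:
        return f"local-only suffix .{labels[-1]}"
    if len(host) > 253 or not all(LABEL.fullmatch(l) for l in labels):
        return "not a valid DNS host name"
    return None

def needs_port_forward(wan_ip):
    """True if the system's WAN address is private, so TCP 80 must be forwarded."""
    addr = ipaddress.ip_address(wan_ip)
    return any(addr in net for net in PRIVATE_NETS)

def preflight(dns_name, wan_ip):
    """List what has to be fixed before the certificate request can validate."""
    findings = []
    problem = ca_name_problem(dns_name)
    if problem:
        findings.append(f"{dns_name}: {problem}")
    if needs_port_forward(wan_ip):
        findings.append(f"{wan_ip}: private address, forward TCP port 80 to it")
    return findings

if __name__ == "__main__":
    # Constructed sample inputs: one official name/address pair, one local pair.
    samples = [("mail.mydomain.com", "203.0.113.10"), ("intra.net.lan", "192.168.1.2")]
    for name, ip in samples:
        print(name, ip, preflight(name, ip) or "ok")
```
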

9.5.2. Certificates from classic certification authorities

Proceed as follows to use a certificate from a classic certification authority:

  1. Configure a DNS name for the external IP of the Intra2net system on an official domain you own (e.g. mail.mydomain.com). This can normally be set up free of charge and promptly at the web space provider who manages your domain.

  2. Create a self-signed certificate on the Intra2net system and enter the external DNS name under "Computer name".

  3. Select a Certificate Authority. Here is a short, summarized list of some providers (alphabetical): Comodo, DigiCert, GlobalSign, Go Daddy.

    Experience has shown that certificates are cheaper to obtain from resellers than directly from providers. Examples of such resellers are (alphabetical) Cheap SSL Shop and GoGetSSL.

  4. Purchase a certificate from the website of the selected Certificate Authority or reseller. A simple, domain-validated SSL certificate is sufficient for a single domain or website. Extended validation (EV), organization validated certificates or wildcard certificates are unlikely to be required. If you have different server types to choose from when ordering, choose Apache (mod_ssl).

  5. While the certificate is being issued, the Certificate Authority will ask for a Certificate Request (or CSR). This can be exported from the Intra2net system using the menu "System > Keys > Own Keys : CA". Do not let the Certificate Authority generate the certificate request, and do not generate it dynamically in your web browser; instead, upload the certificate request generated by the Intra2net system to the Certificate Authority's system.

  6. The Certificate Authority will provide 2 items: a certificate and a Certificate Chain, CA bundle or Intermediate Certificate. Import both into the Intra2net system under the menu "System > Keys > Own keys : CA".

  7. Switch the certificate used for Internet connections to the new certificate. You can select this in the menu "System > Web interface > Security".

  8. You can test whether the new certificate has been issued and installed correctly in the menu "System > Diagnosis > External HTTPS".