USG / ATP / VPN / USG FLEX Firewall Series - Creating a Let's Encrypt Certificate on Windows

Using this guide you can create a Let's Encrypt certificate for your firewall device in a few minutes.

You only need a Windows computer, a port forwarding rule on your internet gateway, and a little command-line knowledge.

You can use any internet router for the port forwarding, but in my case I used the same USG to which we are going to upload the certificate later.

Basically you are going to start a temporary web server on your Windows computer, which Let's Encrypt contacts to verify that you control the domain (the http-01 challenge shown below) before it issues the certificate.

 

Topology:

[Topology diagram]

 

1. Preparation

2. Certbot on Windows

3. OpenSSL on Windows

4. Importing the certificate to your USG


1. Preparation

Download and install the latest version of the Certbot installer for Windows at Certbot.

Set up a port forwarding rule on your internet gateway for TCP port 80 towards the Windows computer on which you install Certbot. For a Zyxel firewall, please follow this guide: Port Forwarding USG

You can leave the port forwarding rule disabled until you start Certbot. Make sure the Windows firewall allows incoming TCP port 80 while Certbot is running.

 

2. Certbot on Windows

Open PowerShell with administrator privileges (to receive expiry notices, you can replace --register-unsafely-without-email with -m your@email):

PS C:\WINDOWS\system32> certbot certonly --register-unsafely-without-email
Saving debug log to C:\Certbot\log\letsencrypt.log

How would you like to authenticate with the ACME CA?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: Spin up a temporary webserver (standalone)
2: Place files in webroot directory (webroot)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 1
Plugins selected: Authenticator standalone, Installer None
Please enter in your domain name(s) (comma and/or space separated)  (Enter 'c'
to cancel): domain.domain.de domain.domain.org
Requesting a certificate for domain.domain.de and domain.domain.org
Performing the following challenges:
http-01 challenge for domain.domain.de
http-01 challenge for domain.domain.org
Waiting for verification...
Cleaning up challenges

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   C:\Certbot\live\domain.domain.de\fullchain.pem
   Your key file has been saved at:
   C:\Certbot\live\domain.domain.de\privkey.pem
   Your certificate will expire on 2021-07-01. To obtain a new or
   tweaked version of this certificate in the future, simply run
   certbot again. To non-interactively renew *all* of your
   certificates, run "certbot renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le


Afterwards, disable the port forwarding rule on your USG again and block port 80 on your Windows machine; the temporary web server is only needed while the challenge is being validated.

 

3. OpenSSL on Windows

The .pem files generated by Certbot cannot be imported into the USG directly: the USG expects the certificate and its private key together in one PKCS#12 (.p12) file.

Therefore we are "converting" them to .p12 with OpenSSL.

 

Download OpenSSL for Windows (there are different builds of OpenSSL for Windows, but the syntax is the same) and copy cert1.pem and privkey1.pem from the C:\Certbot\archive\ directory of your domain into C:\Program Files\OpenSSL-Win64\bin.

Start PowerShell in C:\Program Files\OpenSSL-Win64\bin with administrator privileges, or open PowerShell as admin and use

cd 'C:\Program Files\OpenSSL-Win64\bin\'

to switch into the needed directory.

Use this command to generate .p12 with OpenSSL:

./openssl pkcs12 -export -out "C:\Program Files\OpenSSL-Win64\bin\usg.p12" -in "C:\Program Files\OpenSSL-Win64\bin\cert1.pem" -inkey "C:\Program Files\OpenSSL-Win64\bin\privkey1.pem"

Enter a password when prompted; you will need it again when importing the file into the USG.
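Steps 1 to 3 above can also be run as a single elevated PowerShell script. The following is an added example, not part of the original article: it opens TCP port 80 on the Windows firewall only for the duration of the challenge, runs Certbot non-interactively, closes the port again even if issuance fails, and then builds the .p12 from the live\ folder so the same command keeps working after a renewal (cert2.pem, cert3.pem, ...). It also adds the intermediate certificate with -certfile, so clients connecting to the USG receive the full chain. The hostnames, e-mail address, output path and firewall rule name are placeholders; Certbot and OpenSSL-Win64 are assumed to be installed as described above, and the port forwarding on the USG is assumed to be enabled beforehand.

```powershell
# Added example (not the article's own commands). Run from an elevated PowerShell prompt.
# Assumptions: Certbot is on PATH, OpenSSL-Win64 is installed in the default location,
# hostnames/e-mail/output path below are placeholders, port 80 is already forwarded
# by the internet gateway to this machine.

$Domains  = @("domain.domain.de", "domain.domain.org")   # placeholder hostnames
$Email    = "admin@example.invalid"                       # placeholder contact address
$Lineage  = $Domains[0]                                   # Certbot names the folder after the first domain
$LiveDir  = "C:\Certbot\live\$Lineage"
$OpenSsl  = "C:\Program Files\OpenSSL-Win64\bin\openssl.exe"
$OutFile  = "C:\Certbot\usg.p12"                          # assumed output location
$RuleName = "Certbot HTTP-01 (temporary)"                 # assumed rule name

# Steps 1/2: allow inbound TCP/80 only while the ACME http-01 challenge runs.
New-NetFirewallRule -DisplayName $RuleName -Direction Inbound -Protocol TCP `
    -LocalPort 80 -Action Allow | Out-Null
try {
    $certbotArgs = @("certonly", "--standalone", "--preferred-challenges", "http",
                     "--non-interactive", "--agree-tos", "-m", $Email)
    foreach ($d in $Domains) { $certbotArgs += @("-d", $d) }
    & certbot @certbotArgs
    if ($LASTEXITCODE -ne 0) { throw "certbot failed with exit code $LASTEXITCODE" }
}
finally {
    # Close port 80 again whether or not issuance succeeded.
    Remove-NetFirewallRule -DisplayName $RuleName
}

# Step 3: bundle private key, leaf certificate and intermediate chain into one PKCS#12.
# The export password is passed via an environment variable so it does not end up
# in the command line; the USG asks for the same password on import.
$env:USG_P12_PASS = Read-Host "Export password for usg.p12"
& $OpenSsl pkcs12 -export -out $OutFile `
    -in "$LiveDir\cert.pem" -inkey "$LiveDir\privkey.pem" -certfile "$LiveDir\chain.pem" `
    -passout env:USG_P12_PASS
if ($LASTEXITCODE -ne 0) { throw "openssl pkcs12 export failed" }

# Sanity check before uploading: print subject and expiry of the certificate
# that actually ended up inside the bundle.
& $OpenSsl pkcs12 -in $OutFile -nokeys -clcerts -passin env:USG_P12_PASS |
    & $OpenSsl x509 -noout -subject -enddate

Remove-Item Env:\USG_P12_PASS
```

Because Let's Encrypt certificates are short-lived (the sample output above shows the expiry date), the same script can be re-run when the certificate is due for renewal; the only manual step left is the import in section 4.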

 

4. Importing the Certificate to your USG

Navigate to Configuration > Object > Certificate > My Certificates to import it using the password you defined earlier:


After importing head over to System > WWW and use the certificate as your "Server Certificate".
