Tuesday, 23 June 2020

Lets Encrypt certificates for devices on private networks

Here's the process for creating a Let's Encrypt C.509 certificate for devices on private networks:

You will need:
  • Access to your DNS server to create TXT DNS records
  • Windows machine
  • PuttyGen installed
  • choco installed
  • win-acme installed with:
    • choco -y install win-acme
  • openssh installed with:
    • choco -y install openssh
  1. Create two identical files called create.bat and delete.bat with the following contents:
    • echo %1 %2 %3
  2. Create another file called sign.bat with the following contents:
    1. wacs --target csr --csrfile .\csr.txt --pkfile .\rsa4096.private.key --validationmode dns-01 --validation script --dnscreatescript .\create.bat --dnsdeletescript .\delete.bat --store pemfiles --pemfilespath .
  3. Generate an RSA 4096 Private key using PuTTYGen or OpenSSH called rsa4096.private.key
  4. Run the batch file
  5. While the ACME script is retrying, manually create the TXT DNS record for _acme-<DOMAIN NAME> with the value provided in the script output/
  6. If needs be, while the script is retrying, flush the DNS cache with:
    • ipconfig /flushdns
  7. Delete the TXT record when done
  8. The PEM file ending .crt.pem contains your X.509 certificate.