Certificate Authorities
Background
Your server provides its own Root Certificate Authority (Root CA) and uses it to issue SSL/TLS certificates. Devices that have downloaded and trusted your server's Root CA can access its service interfaces over encrypted HTTPS connections.
Use Case
If you want to host service interfaces on the public Internet without requiring visitors to download and trust your server's Root CA, you will need to obtain certificates from a 3rd-party Certificate Authority that is already trusted by their devices.
3rd-party Certificate Authorities only issue certificates for clearnet (.com, .org, etc.) domains. They do not issue certificates for IP addresses, Local (.local) domains, or Tor (.onion) domains. Your server's Root CA will always be used to issue certificates for these types of addresses.
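The rule above as an added example (not StartOS code): it sorts a list of addresses into those a 3rd-party CA can issue for via ACME and those that stay on the server's Root CA. The function names, the "acme" and "root-ca" labels, the sample addresses, and the handling of single-label hostnames are assumptions made for illustration.

```python
import ipaddress

# Address types the page says a 3rd-party CA will not issue for.
ROOT_CA_ONLY_SUFFIXES = (".local", ".onion")


def normalize_host(address: str) -> str:
    """Lowercase, then strip a port, IPv6 brackets and a trailing dot."""
    host = address.strip().lower()
    if host.startswith("["):            # bracketed IPv6, e.g. [2001:db8::1]:443
        host = host[1:].split("]", 1)[0]
    elif host.count(":") == 1:          # hostname:port or IPv4:port
        host = host.rsplit(":", 1)[0]
    return host.rstrip(".")


def issuer_for(address: str) -> str:
    """Return 'root-ca' or 'acme' (hypothetical labels) for one address."""
    host = normalize_host(address)
    try:
        ipaddress.ip_address(host)      # IPv4 or IPv6 literal
        return "root-ca"
    except ValueError:
        pass
    if host.endswith(ROOT_CA_ONLY_SUFFIXES):
        return "root-ca"
    if "." not in host:
        # Assumption: a single-label name (e.g. "localhost") is not a clearnet domain.
        return "root-ca"
    return "acme"


def plan(addresses):
    """Group addresses by the issuer that will sign their certificate."""
    result = {"acme": [], "root-ca": []}
    for address in addresses:
        result[issuer_for(address)].append(address)
    return result


# Constructed sample addresses (documentation ranges and placeholder names).
SAMPLE = ["example.com", "Cloud.Example.org.", "192.0.2.10:443",
          "[2001:db8::1]:443", "2001:db8::1", "myserver.local",
          "exampleaddress.onion", "localhost"]

if __name__ == "__main__":
    for issuer, names in plan(SAMPLE).items():
        print(issuer, names)
```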
Adding a Certificate Authority
StartOS uses the Automatic Certificate Management Environment (ACME) protocol to obtain SSL/TLS certificates from 3rd-party Certificate Authorities, allowing visitors to access your domains over encrypted, HTTPS connections.
- Navigate to System > Certificate Authorities and click "Add".
- Select a Certificate Authority to add. StartOS has built-in support for Let's Encrypt and Let's Encrypt (Staging). Advanced users may add a custom ACME provider.

  Let's Encrypt should only be used for production. If you use it frequently for testing, your IP address may get rate-limited, preventing you from obtaining certificates. Let's Encrypt (Staging) should only be used for testing.
- Provide a contact email address. This is required for the Certificate Authority to generate a certificate.