
Certificate authority (CA)

LEF uses an internal CA to issue and trust certificates for internal-only hostnames and private services.

  • Windows servers: certificates are issued via Active Directory Certificate Services (AD CS).
  • Web servers and DB hosts: certificates are issued manually from the LEF Root CA (see the runbook below).

There is no canonical “CA UI” entrypoint. Issuance happens via:

  • AD CS enrollment (Windows), or
  • manual OpenSSL issuance (LEF Root CA)

Legacy (being decommissioned):

  • LEF Root CA: file-based CA directory (not an HTTP service).
  • AD CS: Windows Server role.

Common failure modes:

  • Trust not installed on clients → internal TLS fails (the LEF Root CA certificate has to be in each client's trust store before any internal certificate chains).
  • Wrong issuer used for public hostnames → browsers reject the cert (the internal root is not in public trust stores; public hostnames need a publicly trusted CA).
  • Expired internal certificates → widespread TLS errors across internal tools and services (manually issued certificates have no auto-renewal, so expiry has to be tracked and renewed ahead of time).
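The manual OpenSSL issuance path and the three failure modes above, as an added shell example that is not LEF's runbook or any of its real CA material: it builds a throwaway file-based root CA in a temporary directory, issues a leaf certificate with a SAN for an internal hostname, and then runs the checks that catch each failure mode (chain to the trusted root, rejection by any other trust anchor, and an expiry window). The directory layout, the hostnames `wiki.lef.internal` / `short.lef.internal`, the lifetimes and the 30-day renewal threshold are assumptions; only `openssl` 1.1.1 or newer on PATH is required.

```shell
#!/bin/sh
# Added example (not LEF's runbook): a throwaway file-based root CA, one leaf
# certificate for an internal hostname, and the checks that catch the three
# failure modes. Assumes `openssl` 1.1.1 or newer on PATH; directory layout,
# hostnames and lifetimes are assumptions.
set -eu

# A file-based CA is just a directory. Override CA_DIR to point at a real one;
# by default a temp dir is used so the script is safe to run anywhere.
CA_DIR="${CA_DIR:-$(mktemp -d)}"

# 1. Root CA key + self-signed certificate (10 years is an assumed lifetime).
#    `req -x509` marks the cert CA:TRUE via the default config / built-in defaults.
make_root_ca() {
  mkdir -p "$CA_DIR/certs" "$CA_DIR/private"
  chmod 700 "$CA_DIR/private"                    # the CA key is the crown jewel
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
    -subj "/O=LEF/CN=LEF Root CA (example)" \
    -keyout "$CA_DIR/private/ca.key" -out "$CA_DIR/certs/ca.crt" >/dev/null 2>&1
}

# 2. Issue a leaf for an internal hostname: $1 = hostname, $2 = lifetime in days.
#    The SAN is mandatory: browsers ignore the CN, so a CN-only cert is rejected.
issue_leaf() {
  host="$1"; days="${2:-397}"
  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/O=LEF/CN=$host" \
    -keyout "$CA_DIR/private/$host.key" -out "$CA_DIR/$host.csr" >/dev/null 2>&1
  cat > "$CA_DIR/$host.ext" <<EOF
basicConstraints=CA:FALSE
keyUsage=critical,digitalSignature,keyEncipherment
extendedKeyUsage=serverAuth
subjectAltName=DNS:$host
EOF
  openssl x509 -req -sha256 -days "$days" -in "$CA_DIR/$host.csr" \
    -CA "$CA_DIR/certs/ca.crt" -CAkey "$CA_DIR/private/ca.key" -CAcreateserial \
    -extfile "$CA_DIR/$host.ext" -out "$CA_DIR/certs/$host.crt" >/dev/null 2>&1
}

# 3a. "Trust not installed": a client that holds ca.crt can build the chain.
verify_chain() {
  openssl verify -CAfile "$CA_DIR/certs/ca.crt" "$CA_DIR/certs/$1.crt" >/dev/null 2>&1
}

# 3b. "Wrong issuer": against any other trust anchor the same leaf fails, which is
#     what a browser does with a public hostname signed by the internal CA.
verify_against_other_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 -subj "/CN=Some other CA" \
    -keyout "$CA_DIR/other-ca.key" -out "$CA_DIR/other-ca.crt" >/dev/null 2>&1
  openssl verify -CAfile "$CA_DIR/other-ca.crt" "$CA_DIR/certs/$1.crt" >/dev/null 2>&1
}

# 3c. "Expired": succeed only if the cert is still valid $2 seconds from now
#     (default 30 days), the point at which renewal should already be scheduled.
check_not_expiring() {
  openssl x509 -in "$CA_DIR/certs/$1.crt" -noout -checkend "${2:-2592000}" >/dev/null 2>&1
}

# 4. Confirm the SAN actually made it into the cert (a common manual-issuance slip).
has_san() {
  openssl x509 -in "$CA_DIR/certs/$1.crt" -noout -ext subjectAltName 2>/dev/null | grep -q "DNS:$1"
}

# Run end to end with `sh ca-example.sh run`; the functions are also usable after sourcing.
if [ "${1:-}" = "run" ]; then
  make_root_ca
  issue_leaf wiki.lef.internal
  verify_chain wiki.lef.internal && has_san wiki.lef.internal && check_not_expiring wiki.lef.internal \
    && echo "wiki.lef.internal: issued, trusted, SAN present, not expiring" || exit 1
fi
```

`check_not_expiring` is the piece worth wiring into monitoring: run it over every certificate in the CA directory and alert on any non-zero exit, since a manually issued certificate has nothing else reminding anyone to renew it.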