# ACME/SSL

We now have our own Let's Encrypt-like service for internal certificates.

## How to trust the CA

```
security.pki.certificateFiles = [
  (pkgs.fetchurl {
    # can also be downloaded from some other location like github/cgit
    url = "http://ca.r/ca.crt";
    # SRI hash pinning the expected contents of ca.crt
    sha256 = "sha256-qd3HYc/HaMGbrHDjTKgs4QbHTRcA//xxr+fu1FnKBBs=";
  })
];
```

For Firefox/Chromium the certificate needs to be added manually.

TODO: document this step

## Get a certificate from the CA (need to trust the CA first)

```
services.nginx.virtualHosts."myservice.r" = {
  enableACME = true;
};
# point this certificate at the internal ACME directory
security.acme.certs."myservice.r".server = "https://ca.r/acme/acme/directory";
```
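The CA certificate in the trust step is fetched over plain HTTP, so the `sha256` pin is the only thing that fixes which trust anchor gets installed. The following is an added example, not part of the original page: it derives and checks a pin in the same `sha256-<base64>` form and prints a per-certificate fingerprint for comparing a manual browser import. The function names and the sample PEM are constructed for illustration.

```python
import base64
import hashlib
import re

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)

def sri_sha256(data: bytes) -> str:
    """SHA-256 over the raw file bytes, in the sha256-<base64> form of the pin."""
    return "sha256-" + base64.b64encode(hashlib.sha256(data).digest()).decode()

def matches_pin(data: bytes, pin: str) -> bool:
    """True only if data hashes to pin; a pin without the prefix is rejected."""
    if not pin.startswith("sha256-"):
        return False
    return sri_sha256(data) == pin

def der_fingerprints(pem: bytes) -> list:
    """Colon-separated SHA-256 fingerprint of each certificate in a PEM file,
    to compare (ignoring case and separators) with a certificate viewer."""
    prints = []
    for body in PEM_RE.findall(pem.decode("ascii")):
        der = base64.b64decode("".join(body.split()), validate=True)
        digest = hashlib.sha256(der).hexdigest().upper()
        prints.append(":".join(digest[i:i + 2] for i in range(0, 64, 2)))
    return prints

# Constructed sample: the body is placeholder bytes, not a real certificate.
SAMPLE_PEM = (b"-----BEGIN CERTIFICATE-----\n"
              + base64.b64encode(b"constructed placeholder DER bytes")
              + b"\n-----END CERTIFICATE-----\n")

if __name__ == "__main__":
    pin = sri_sha256(SAMPLE_PEM)               # value for sha256 = "...";
    print(pin)
    print(matches_pin(SAMPLE_PEM, pin))        # unchanged file
    print(matches_pin(SAMPLE_PEM + b"x", pin)) # file altered in transit
    print(der_fingerprints(SAMPLE_PEM))
```

To check a real download, read the bytes of `ca.crt` from disk and pass them to `matches_pin` together with the pin from the configuration.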