Notes for SSL and certificates
Useful notes and commands to use when dealing with SSL certificates - Let's Encrypt, OpenSSL etc.
July 29, 2021
Occasionally I have to deal with certs, and because it’s only from time to time, I always have to search the internet to get the right commands. This post is a compilation of the notes and tools I used, so that I don’t have to look for them again.
Self-signed certificate
Goal: Simply get a certificate, locally, without authority or validation.

```bash
# generate key
openssl genrsa -out cert.key 2048
# generate CSR request
openssl req -new -key cert.key -out cert.csr
# combine to get a CRT
openssl x509 -req -days 365 -in cert.csr -signkey cert.key -out cert.crt
```
Let’s Encrypt - manually get certificate for a domain
Goal: One time, on demand, get a certificate for one or more specific domains. Don’t worry about renewal.
Get certbot and run:
```bash
sudo certbot certonly --manual
```
This should work on Ubuntu, but I wasn’t able to get certbot to install with snapd in WSL 2 (Windows Subsystem for Linux). That’s why I just pulled the Windows version and used the installer. Then certbot worked in PowerShell.
Certbot asks you to upload a challenge file to prove domain ownership. I used Azure Web Apps, pointed the CNAME of my domain there and used Kudu (SCM) to upload the requested challenge file.
The required path has a `.` in it (`/.well-known/acme-challenge/wxyzzzzzz`), which makes Windows App Service unable to serve it properly. This snippet in `web.config` solved it:

```xml
<?xml version="1.0" encoding="UTF-8"?>
<configuration>
  <system.webServer>
    <staticContent>
      <mimeMap fileExtension="." mimeType="text/plain" />
    </staticContent>
  </system.webServer>
</configuration>
```
Certbot produces 4 files: the private key (`privkey.pem`), the certificate (`cert.pem`), the intermediate chain (`chain.pem`) and the certificate followed by the chain (`fullchain.pem`).
DigiCert - get certificate for a domain
Goal: Use the DigiCert website to get a certificate for a domain.
- Use `openssl` to generate the key and CSR (commands above, “Self-signed certificate”).
- Order a new cert through the web UI.
- Prove domain ownership (root domain) with a DNS TXT record or a file (for the file, use the same approach as for Let’s Encrypt, only the file path is different).
- Wait for approval.
- Download PEM files.
Get PFX for Azure Key Vault
Goal: Convert PEM certificate to a PFX with key.
Use OpenSSL (pre-installed and working on WSL Ubuntu):
```bash
openssl pkcs12 -export -out fullcert.pfx -inkey privkey1.pem -in cert1.pem -certfile chain1.pem
```
Using `chain.pem` instead of `fullchain.pem`, I was able to import the certificate into Azure Key Vault and use it from there.
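The self-signed commands and the PFX conversion above, put together as an added example (not from the original post): a throwaway CA stands in for `chain1.pem`, a leaf certificate for a constructed placeholder domain is signed by it, the three files are bundled into a PFX, and the bundle is checked before it goes anywhere near Key Vault. It assumes only an `openssl` binary on `PATH`; the names `Test CA`, `example.test` and the password `changeit` are placeholders.

```shell
#!/bin/sh
# Added example, not from the original post. Builds key + cert + chain
# (constructed placeholders), bundles them into a PFX as the post does,
# and verifies the bundle. Assumes an openssl binary on PATH.
set -eu

WORK=$(mktemp -d)
DOMAIN="example.test"        # constructed placeholder domain
PASS="pass:changeit"         # PFX password; Key Vault asks for it on import

# Self-signed "CA" standing in for chain1.pem, then a leaf certificate for
# $DOMAIN signed by it (with a SAN, which modern clients require).
make_chain() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=Test CA" \
    -keyout "$WORK/ca.key" -out "$WORK/chain.pem" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$DOMAIN" \
    -keyout "$WORK/privkey.pem" -out "$WORK/cert.csr" 2>/dev/null
  printf 'subjectAltName=DNS:%s\n' "$DOMAIN" > "$WORK/san.ext"
  openssl x509 -req -days 365 -in "$WORK/cert.csr" -CA "$WORK/chain.pem" \
    -CAkey "$WORK/ca.key" -CAcreateserial -extfile "$WORK/san.ext" \
    -out "$WORK/cert.pem" 2>/dev/null
}

# Same pkcs12 command as the post, plus a password and the CA as the chain.
make_pfx() {
  openssl pkcs12 -export -out "$WORK/fullcert.pfx" -passout "$PASS" \
    -inkey "$WORK/privkey.pem" -in "$WORK/cert.pem" -certfile "$WORK/chain.pem"
}

# Checks worth running before uploading: the bundled key belongs to the leaf
# certificate (same public key), and the chain made it in (2 certificates).
verify_pfx() {
  kpub=$(openssl pkcs12 -in "$WORK/fullcert.pfx" -passin "$PASS" -nocerts -nodes 2>/dev/null \
         | openssl pkey -pubout | openssl sha256)
  cpub=$(openssl x509 -in "$WORK/cert.pem" -noout -pubkey | openssl sha256)
  ncerts=$(openssl pkcs12 -in "$WORK/fullcert.pfx" -passin "$PASS" -nokeys 2>/dev/null \
         | grep -c 'BEGIN CERTIFICATE' || true)
  if [ "$kpub" = "$cpub" ] && [ "$ncerts" -eq 2 ]; then echo ok; else echo FAIL; fi
}

run_all() { make_chain && make_pfx && verify_pfx; }

run_all   # prints "ok"
```

If `verify_pfx` prints `FAIL`, the usual causes are a key that does not belong to the certificate passed with `-in`, or a `-certfile` that was left out, and Key Vault will reject such a bundle anyway.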