Notes for SSL and certificates
openssl lets-encrypt

Useful notes and commands to use when dealing with SSL certificates - Let's Encrypt, OpenSSL etc.
July 29, 2021

Occasionally I have to deal with certs and because it’s only from time to time, I always have to search the internet to get the right commands. This post is a compilation of notes and tools which I used, so that I don’t have to look for them again.

Self-signed certificate

Goal: Simply get a certificate, locally, without authority or validation.

Solution:

# generate a 2048-bit RSA private key
openssl genrsa -out cert.key 2048

# generate a CSR (certificate signing request) for that key; you are prompted for the subject fields
openssl req -new -key cert.key -out cert.csr

# self-sign the CSR with the same key to get a CRT valid for 365 days
openssl x509 -req -days 365 -in cert.csr -signkey cert.key -out cert.crt

Let’s Encrypt - manually get certificate for a domain

Goal: One time, on demand, get a certificate for one or more specific domains. Don’t worry about renewal.

Solution:

Get certbot and run:

sudo certbot certonly --manual

This should work on Ubuntu, but I wasn’t able to get certbot to install with snapd in WSL 2 (Windows Subsystem for Linux). That’s why I just pulled the Windows version and used the installer. Then certbot worked in PowerShell.

Certbot asks to upload a challenge file to prove domain ownership - I used Azure Web Apps, pointed CNAME of my domain there and used Kudu (SCM) to upload the requested challenge file.

The required path has a . in it (/.well-known/acme-challenge/wxyzzzzzz), which makes Windows App Service unable to serve it properly. This snippet in web.config solved it:

<?xml version="1.0" encoding="UTF-8"?>
<configuration>
  <system.webServer>
    <staticContent>
      <mimeMap fileExtension="." mimeType="text/plain" />
    </staticContent>
  </system.webServer>
</configuration>

Certbot produces 4 PEM files, the ones the PFX conversion below works with: privkey.pem (the private key), cert.pem (the certificate itself), chain.pem (the issuer chain) and fullchain.pem (cert.pem followed by chain.pem).

DigiCert - get certificate for a domain

Goal: Use the DigiCert website to get a certificate for a domain.

Solution:

  1. Use openssl to generate the key and CSR (the first two commands under “Self-signed certificate” above).
  2. Order a new cert through the web UI.
  3. Prove domain ownership (root domain) with DNS TXT or File (for file, use the same approach as Let’s Encrypt, only the file path is different).
  4. Wait for approval.
  5. Download PEM files.

Get PFX for Azure Key Vault

Goal: Convert PEM certificate to a PFX with key.

Solution:

Use OpenSSL (pre-installed and working on WSL Ubuntu):

openssl pkcs12 -export -out fullcert.pfx -inkey privkey1.pem -in cert1.pem -certfile chain1.pem

By using chain.pem instead of fullchain.pem I was able to import the certificate to Azure Key Vault and use it from there.
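The following is an added example, not part of the original notes: the “Self-signed certificate” and “Get PFX for Azure Key Vault” commands above wrapped in shell functions, made non-interactive (-subj, -passout), plus the checks I want to run before a cert and its PFX go anywhere. It also adds one thing the bare self-signing command lacks: a subjectAltName, since clients match the host name against the SAN and ignore a lone CN. The work directory, file names and the export password are constructed for the demo; with certbot output you would pass chain.pem as the third argument of make_pfx, exactly like the -certfile in the note above.

```shell
#!/bin/sh
# Added example (not from the original post): the openssl flows from these notes as
# functions, plus the checks worth running before importing a cert. Directory, file
# names and the export password are constructed for the demo.

# Key + CSR (first two commands under "Self-signed certificate").
# -subj supplies the subject so "openssl req" does not prompt.
gen_key_and_csr() {  # $1 work dir, $2 common name
  openssl genrsa -out "$1/cert.key" 2048 2>/dev/null &&
  openssl req -new -key "$1/cert.key" -out "$1/cert.csr" -subj "/CN=$2"
}

# Third command, with a subjectAltName extension added via -extfile. The bare
# command in the notes yields a cert with only a CN, which browsers and most TLS
# libraries reject because host names are matched against the SAN.
self_sign() {  # $1 work dir, $2 DNS name for the SAN
  printf 'subjectAltName=DNS:%s\n' "$2" > "$1/san.ext"
  openssl x509 -req -days 365 -in "$1/cert.csr" -signkey "$1/cert.key" \
    -extfile "$1/san.ext" -out "$1/cert.crt" 2>/dev/null
}

# Check 1: the certificate actually carries the expected SAN.
cert_has_san() {  # $1 work dir, $2 DNS name
  openssl x509 -in "$1/cert.crt" -noout -text | grep -q "DNS:$2"
}

# Check 2: the private key belongs to the certificate (same public key on both).
key_matches_cert() {  # $1 work dir
  [ "$(openssl pkey -in "$1/cert.key" -pubout 2>/dev/null)" = \
    "$(openssl x509 -in "$1/cert.crt" -noout -pubkey)" ]
}

# PFX for Key Vault ("Get PFX for Azure Key Vault"). With certbot output pass
# chain.pem as $3 (the -certfile from the notes); a self-signed cert has no issuer
# chain, so it is omitted. -passout keeps the export non-interactive.
make_pfx() {  # $1 work dir, $2 export password, $3 optional chain file
  if [ -n "${3:-}" ]; then
    openssl pkcs12 -export -out "$1/fullcert.pfx" -inkey "$1/cert.key" \
      -in "$1/cert.crt" -certfile "$3" -passout "pass:$2"
  else
    openssl pkcs12 -export -out "$1/fullcert.pfx" -inkey "$1/cert.key" \
      -in "$1/cert.crt" -passout "pass:$2"
  fi
}

# Check 3: the PFX really contains both the private key and the certificate
# (a PFX without the key is useless for a TLS binding).
pfx_has_key_and_cert() {  # $1 work dir, $2 export password
  dump=$(openssl pkcs12 -in "$1/fullcert.pfx" -passin "pass:$2" -nodes 2>/dev/null) &&
  printf '%s\n' "$dump" | grep -q 'PRIVATE KEY' &&
  printf '%s\n' "$dump" | grep -q 'BEGIN CERTIFICATE'
}

# Check 4: validity window, worth a look before uploading a cert issued a while ago.
cert_dates() {  # $1 work dir
  openssl x509 -in "$1/cert.crt" -noout -dates
}

# Demo run: SSLNOTES_DEMO=1 sh thisfile.sh
if [ "${SSLNOTES_DEMO:-0}" = 1 ]; then
  work=$(mktemp -d)
  gen_key_and_csr "$work" localhost && self_sign "$work" localhost
  cert_has_san "$work" localhost && echo "SAN ok"
  key_matches_cert "$work" && echo "key matches cert"
  make_pfx "$work" 'constructed-demo-password' &&
    pfx_has_key_and_cert "$work" 'constructed-demo-password' && echo "pfx ok"
  cert_dates "$work"
fi
```

Each check function returns the shell status of its test, so the script can be sourced and the functions reused in a deployment script; the export password is passed with pass: only because this is a throwaway demo, and for real PFX files it belongs in a prompt or a secret store rather than on the command line.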
