Can I create client certificates for a received LetsEncrypt certificate?


#1

Colleagues, I apologize if I ask the question already discussed, but I did not find an answer to it. (Perhaps not looking very well.)

My system is protected by a LetsEncrypt certificate.
Can I create client certificates for it to authorize technical connections to remote units of my system?

Thank you in advance for the answer to the essence of the question. I apologize if I ask about well-known things.

Ogogon.


#2

Hi,

Technically, yes…
The certificate policy does include client authentication…

However, depending on your limit of authentication level (e.g. verify CA, verify intermediate CA, verify hostname (cn) ), you might not want to use a trusted CA / intermediate CA with the authentication…
Because if you misconfigured the system, all persons / servers with a Let’s Encrypt certificate (or, much worse, a DST-issued certificate) could pass the validation.

It’s much better to generate a private CA (and intermediate CA, as well as client certificates) to use with authentication.

For now, the best (and complete) guide to this is
https://jamielinux.com/docs/openssl-certificate-authority/

Thank you


#3

I would say that if you want to create individual client certificates (for different machines or people), this is outside the scope of what Let’s Encrypt offers. A tutorial like the one @stevenzhu linked to would be more useful because you will probably want to create your own certificate authority for this purpose.

Using Let’s Encrypt’s DV certificates directly as client certificates doesn’t offer a lot of flexibility, and probably doesn’t enhance overall security in most configurations.


#4

As @stevenzhu mentioned, the technical answer is that you can use a Let’s Encrypt certificate as a client certificate. You cannot, however, use your Let’s Encrypt certificate to sign additional client certificates, which is most likely what you would want to do to authorize remote users.

The best option, as mentioned, would be to use your own CA for this process, as that allows for much more direct control, and client certificates don’t have to be publicly trusted by all clients, just trusted by your server. Since it’s also issuing them, this shouldn’t be a problem.
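The private-CA approach recommended in #2 and #4, as an added example that is not part of the thread: a self-signed CA (the name "Example Private CA" is constructed) issues a client certificate limited to clientAuth, and the server-side chain check accepts it while rejecting a certificate with the same CN issued by an unrelated CA. It assumes openssl 1.1.1 or newer on PATH.

```shell
#!/bin/sh
# Added example, not from the forum thread. Builds a private CA, issues one
# client certificate, and shows the issuer check that matters: a cert with the
# same CN from a CA we do not control is rejected. Assumes openssl >= 1.1.1.
set -eu
WORK=$(mktemp -d); cd "$WORK"

# Self-signed CA with CA:TRUE and keyCertSign, using its own config file so
# nothing depends on the system openssl.cnf.
make_ca() {  # $1 = basename, $2 = CN
  printf '[req]\ndistinguished_name=dn\nprompt=no\n[dn]\nCN=%s\n[v3_ca]\nbasicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\nsubjectKeyIdentifier=hash\n' "$2" > "$1.cnf"
  openssl req -x509 -new -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
    -days 3650 -config "$1.cnf" -extensions v3_ca -keyout "$1.key" -out "$1.crt" 2>/dev/null
}

# Leaf certificate signed by a CA: CA:FALSE and EKU restricted to clientAuth,
# so it cannot be reused as a server certificate or to sign further certs.
issue_client() {  # $1 = ca basename, $2 = client basename, $3 = CN
  printf '[req]\ndistinguished_name=dn\nprompt=no\n[dn]\nCN=%s\n' "$3" > "$2.cnf"
  openssl req -new -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
    -config "$2.cnf" -keyout "$2.key" -out "$2.csr" 2>/dev/null
  printf 'basicConstraints=CA:FALSE\nkeyUsage=critical,digitalSignature\nextendedKeyUsage=clientAuth\n' > "$2.ext"
  openssl x509 -req -in "$2.csr" -CA "$1.crt" -CAkey "$1.key" -CAcreateserial \
    -days 365 -extfile "$2.ext" -out "$2.crt" 2>/dev/null
}

# What the server's TLS stack effectively does: chain the presented certificate
# to ONLY the private CA. Exit status 0 = accepted, non-zero = rejected.
verify_client() {  # $1 = ca basename, $2 = client basename
  openssl verify -CAfile "$1.crt" -purpose sslclient "$2.crt" >/dev/null 2>&1
}

make_ca ourca "Example Private CA"
make_ca otherca "Unrelated CA"                 # stands in for any CA we do not control
issue_client ourca unit1 "remote-unit-1"
issue_client otherca stranger "remote-unit-1"  # same CN, wrong issuer

verify_client ourca unit1    && echo "unit1: accepted"
verify_client ourca stranger || echo "stranger: rejected (issuer is not our CA)"
```

Because the server trusts only ourca.crt, a certificate from any public CA presents the same way as the stranger certificate here, which is the misconfiguration risk #2 describes.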