Cert passphrase from downloaded cert

Me too. Still bad practice though. :confused:

2 Likes

I see no actual commands that were run, so... you may be right... I may be crazy!

2 Likes

The provided guide attempts to "steer you" to use certbot as opposed to their own internal CA.

I could use a phone I built in my basement out of transistors or I could go buy a phone from a reputable company...

2 Likes

But how do you cut down a tree with any phone?
The whole MDM phone process seems way outside that guide (or anything doable using LE certs).

2 Likes

Interesting to try though...

Insert square peg A into round hole B then gently tap with sledgehammer. Recycle remains and try something else.

2 Likes

I can see how a phone being set up for MDM would need to know who to trust for such obligatory command execution...
But why that definition (of who is in charge) would require sending the private key to the phone is just inexplicable.
I doubt that step is from any guide.
This whole exercise seems like a hodge-podge of random instructions gathered from various unassociated processes. In whole, taken completely out-of-context and merely used to suit one's own needs.

2 Likes

I don't know about "password encrypting the certificate", but it is possible this system uses a password on the Private Key tied to the CSR and Signed Certificate.

There is also a weird standard/feature/extension where a CSR (and maybe a certificate) have a "challenge passphrase". I believe that is embedded in the CSR unencrypted (as plaintext) and possibly in the Signed Certificate as well, and that can be extracted. From what I understand, that acts more like a UID that is known by the CA and the requester, and is used to tie the certificate to an account.

As all the discussions above illustrate, there are a lot of ways to interpret this question. The details of this situation are very specific to this "Zentyal Server" and the applications being used. This does not seem to be related to LetsEncrypt or ACME.

4 Likes

Yes, a CSR can contain a passphrase (which cPanel still provides an option to enter), but as you mentioned it's stored as plaintext.

I concur. I still believe my previous analysis holds:

2 Likes

2 Likes

I did try both ways: the certbot and the GUI.

2 Likes

I am able to run this process using Windows where I create a user certificate and then export it... it asks for a password to encrypt the downloaded cert. I'm really just trying to figure out how to do the same with the certs from the Zentyal GUI... I mean I'm not married to it... I'm just looking for a way to take the certs I get from Zentyal and perform the same process where I have a cert and a password.

2 Likes

You can encrypt the private key using openssl before transporting the private key and certificate. You don't need to encrypt the certificate itself.

2 Likes

Thanks, I was able to achieve what I needed with the 2 openssl commands.

openssl rsa -in cert-private-key.pem -out cert-private-key.key

openssl pkcs12 -export -out cert.pfx -inkey cert-private-key.key -in cert.crt

Thanks!

3 Likes
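As an added example (not from this thread or from Zentyal), the suggestion above carried through end to end: the private key is passphrase-protected before it leaves the server, then key and certificate are bundled into a .pfx with its own export password, and both secrets are checked to actually be required. It assumes the openssl command-line tool is installed; the self-signed certificate it generates is constructed stand-in material for the Zentyal-issued one.

```shell
#!/bin/sh
# Added example, not part of the original thread. Assumes `openssl` is on PATH.
set -eu

make_protected_bundle() {
  dir="$1"      # working directory
  keypass="$2"  # passphrase protecting the PEM private key
  pfxpass="$3"  # export password protecting the .pfx bundle
  mkdir -p "$dir"

  # Constructed test material: throwaway self-signed key + cert
  # (stand-in for the key/cert downloaded from the Zentyal GUI).
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=example-user" \
    -keyout "$dir/plain.key" -out "$dir/cert.crt" >/dev/null 2>&1

  # Step 1: passphrase-protect the private key (AES-256) before transport.
  openssl pkey -in "$dir/plain.key" -aes256 \
    -passout "pass:$keypass" -out "$dir/protected.key"

  # Step 2: bundle protected key + certificate into PKCS#12; the export
  # password is what Windows asks for when importing the .pfx.
  openssl pkcs12 -export -inkey "$dir/protected.key" -passin "pass:$keypass" \
    -in "$dir/cert.crt" -out "$dir/cert.pfx" -passout "pass:$pfxpass"

  # Remove the unprotected copy so only the passphrase-protected key remains.
  rm -f "$dir/plain.key"
}

# Returns 0 only if the key rejects a wrong passphrase but accepts the right
# one, and the .pfx likewise rejects a wrong export password.
verify_bundle() {
  dir="$1"; keypass="$2"; pfxpass="$3"
  if openssl pkey -in "$dir/protected.key" -passin "pass:wrong" -noout >/dev/null 2>&1; then
    return 1   # key readable without the real passphrase: not protected
  fi
  openssl pkey -in "$dir/protected.key" -passin "pass:$keypass" -noout >/dev/null 2>&1 || return 1
  if openssl pkcs12 -in "$dir/cert.pfx" -passin "pass:wrong" -noout >/dev/null 2>&1; then
    return 1   # bundle readable without the export password
  fi
  openssl pkcs12 -in "$dir/cert.pfx" -passin "pass:$pfxpass" -noout >/dev/null 2>&1
}
```

Usage: `make_protected_bundle ./out 'key-secret' 'pfx-secret' && verify_bundle ./out 'key-secret' 'pfx-secret'`; the `pass:` form is used here only so the script runs unattended, and for real material the passphrases should be prompted for or read from a file rather than placed on the command line.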

I'm glad you got what you needed.
But I'm still left with a sense of "What just happened here?"

Now that you have that and used it...
What are you now able to do?

2 Likes

It still holds. I see a total of 4 possibilities - 2 you identified and 2 I identified.

3 Likes

I see 3.x. :slightly_smiling_face:

We both suspected the encryption of the private key. I said "certificate", which wasn't very precise.

2 Likes

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.