Client certificate & server certificate from a CA certificate

Please fill out the fields below so that we can help you. Note: you must provide your domain name to get help. The domain names of issued certificates are all made public in Certificate Transparency logs (for example, crt.sh | example.com). Therefore, not stating your domain name here does not help keep it secret, but makes it harder for us to help you.

I can read answers in English: yes

My domain name is: chez.jcz.fr

My web server is (include version): WampServer / Apache 2.4.55

The operating system my web server runs on is (include version): Windows 10 Pro

My hosting provider, if applicable, is: at home on my computer.

Hello to the whole Let's Encrypt team and to the community.

For my tests, on my site chez.jcz.fr, I need a CA certificate.
But in addition, I need to have a client certificate and a server certificate.

Can Let's Encrypt provide them to me?
If not, can I create them with OPENSSL?


1 Like

There is currently no way to obtain a CA certificate from LE.
Only DV certificates are being offered [for FREE].


I asked my question incorrectly.
From the domain certificate you provide me, can I obtain a client certificate?

The Let's Encrypt domain certificates have the Key Usage set to allow both server authentication and client authentication, so they can be used for both applications. Not all servers will accept the Let's Encrypt certificate for client authentication (that is entirely the decision of the server operator!), but it is technically valid for this purpose.


For this certificate crt.sh | 8567220204 just search for

to find what @schoen commented on.

1 Like

The Let's Encrypt certificate extension ends with ".pem".
I would like to have a certificate that ends with the extension ".pfx" or ".p12".
If I click on your certificate, I don't get the "install PFX" option.
I can't install it from stores on Windows.
How do I go about transforming your certificate into ".pfx" or ".p12"?

If you're going to use it on Windows, you might want to use a Windows-oriented client like Certify The Web—I think you may get a PFX file directly out of it.

The file created by Certbot is what other people have traditionally called a ".cer" file. You can convert this by running the openssl pkcs12 command. For example


will turn up some examples of how to do that conversion.

Since the certificate has to be renewed frequently, it's unpleasant to have to do this manually every time! You can script the conversion process using Certbot's --deploy-hook option (which lets you specify a command to run automatically every time a new certificate is obtained), or use a more Windows-oriented Let's Encrypt client and perhaps get a PFX file in the first step.


When I request a certificate from Let's Encrypt, I get:
--> chez.jcz.fr-chain.pem
--> chez.jcz.fr-crt.pem
--> chez.jcz.fr-key.pem

In Apache 2.4.55, the installed certificates are:
--> SSLCertificateFile: chez.jcz.fr-chain.pem
--> SSLCertificateKeyFile: chez.jcz.fr-key.pem

In Apache 2.4.55, I put: "SSLVerifyClient none".
I do the test: it works!

I create the PFX certificate:

[code]openssl pkcs12 -export -out %TRAVAIL%\chez.jcz.fr.pfx ^
-in %LIEN%\chez.jcz.fr-chain.pem ^
-inkey %LINK%\chez.jcz.fr-key.pem ^
-passin pass:root -passout pass:root[/code]
I install it in the "personal" store.

In Apache, I put: "SSLVerifyClient require".
I restart WampServer and I do the test: it does not work.
I have the error "ERR_BAD_SSL_CLIENT_AUTH_CERT".

I did the same with OPENSSL by creating my self-signed certificates.
Unlike this test, I had a ca.crt certificate that I put in the "trusted root certification authorities" store.
And a client.pfx certificate that I put in the "personal" store. And the test worked.

I took the certificate "chez.jcz.fr-crt.pem" whose name I changed to "chez.jcz.fr.crt".
I installed it in the "trusted root certification authorities" store.
The test did not work.

Perhaps you need to put one of the files from

into that same store? In order to tell your server that you want it to accept Let's Encrypt-issued certificates for this purpose?

I believe that the closest equivalent to what you did in the other test would be putting the chain file there, rather than the crt file there.


I find it strange that Let's Encrypt would supply you the chez.jcz.fr-key.pem (I would assume that is the Private Key).

1 Like

Let's Encrypt (the organization) doesn't, but the client application does.


Let's Encrypt gives me the following certificates:
--> chez.jcz.fr-crt.pem
--> chez.jcz.fr-key.pem
--> chez.jcz.fr-chain.pem

This is what I get by "wacs.exe".

I configure apache:
--> SSLCertificateFile: chez.jcz.fr-crt.pem
--> SSLCertificateKeyFile: chez.jcz.fr-key.pem
--> SSLCACertificateFile: chez.jcz.fr-chain.pem
and I do:
--> SSLVerifyClient none
my site is valid!

From these three ".pem", I was able to create with OPENSSL:
--> PFX that I put in the "my" store.
--> CRT that I put in the "root" store.
I checked, they are both valid.

Here's how I did it:

[code]
REM Bundle the certificate, its private key and the chain into a PFX
openssl pkcs12 -export -out %WORK%\chez.jcz.fr.pfx ^
-in %STORE%\chez.jcz.fr-crt.pem ^
-inkey %STORE%\chez.jcz.fr-key.pem ^
-certfile %STORE%\chez.jcz.fr-chain.pem ^
-password pass:root

REM Write the certificates from the chain file out as a .crt file
openssl crl2pkcs7 -nocrl ^
-certfile %STORE%\chez.jcz.fr-chain.pem | ^
openssl pkcs7 -print_certs ^
-out %WORK%\chez.jcz.fr.crt
[/code]

In Apache I do:
--> SSLVerifyClient require

I go to my site. It offers me the client certificate.
I select it and I have the error "ERR_BAD_SSL_CLIENT_AUTH_CERT".

To get my site working properly, I need to create the right certificates:
--> chez.jcz.fr-server-key.pem
--> chez.jcz.fr-server-crt.pem
--> chez.jcz.fr.pfx
from Let's Encrypt certificates.

Can you give me a link explaining how to create these certificates?
I spent the whole weekend looking on the net, doing tests, but I can't find it.
Can you help me find the solution?

Can you show the exact URL that is failing?

I don't have a problem accessing https://chez.jcz.fr


I put "SSLVerifyClient require" back.
Try again.

That is no longer necessary with:

What do you do with this file?:

Can't WampServer just use the .pem files?



[quote="MikeMcQ"]Can you show the exact URL that is failing?
I don't have a problem accessing https://chez.jcz.fr[/quote]
This is the correct url.
I access from my computer, where my WampServer is.

I explained everything a little above.

I did exactly the same manipulations with self-signed OPENSSL certificates, and I managed to correctly configure my Apache 2.4.55.
With Let's Encrypt certificates, I can't create the PFX and CRT certificates I need.
I gave you the two "openssl" commands that I use to create these two PFX and CRT certificates.
If they are not correct, can you tell me how to get a working client certificate please?

1 Like

Here is my PFX certificate:

The certificate is valid.

If I go to "curl -i6 https://chez.jcz.fr", it gives me the following error:

curl: (35) schannel: next InitializeSecurityContext failed: SEC_E_ILLEGAL_MESSAGE (0x80090326) - This error usually occurs when a fatal SSL/TLS alert is received (e.g. handshake failed). More detail may be available in the Windows System event log.
1 Like

What is the necessity for the Certificate to be in PFX format?



We have been discussing this offline and the short answer is that it is not a good idea to use Let's Encrypt certs for Apache client authentication (SSLVerifyClient).

Why? That Apache feature checks that the client sent a cert that it can successfully chain to the root you configured. Everyone with an LE cert will chain to the same root so anyone would be authenticated. This provides too little security to be useful.

Normally this Apache verify client is used with your own "root" certs. You could, for example, create self-signed certs for this purpose. You configure the client and Apache accordingly (like using the SSLCACertificateFile). There are many guides on the internet for setting up such a configuration.

Apache also has a "require" option to restrict client certs even further. But, this is advanced Apache config well beyond the scope of this forum.
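
The chain-only check described above, reproduced with OpenSSL as an added example that is not part of the original thread: two clients issued by a shared CA both pass verification against it, while a private CA accepts only the client it issued. The CA names, client names and PFX password are constructed for a lab; `public-ca` is a local stand-in for a CA that issues to anyone, not a Let's Encrypt root.

```shell
# Added example: throwaway lab keys and constructed names, not from the thread.
work=$(mktemp -d)
# Minimal config so nothing depends on a system-wide openssl.cnf.
cat > "$work/x.cnf" <<'EOF'
[req]
distinguished_name = dn
[dn]
CN = unused
[ca_ext]
basicConstraints = critical,CA:TRUE
[client_ext]
extendedKeyUsage = clientAuth
EOF

# make_ca NAME: self-signed root in $work/NAME.crt and $work/NAME.key
make_ca() {
  openssl req -x509 -config "$work/x.cnf" -extensions ca_ext -newkey rsa:2048 \
    -nodes -keyout "$work/$1.key" -out "$work/$1.crt" -days 30 -subj "/CN=$1" 2>/dev/null
}
# issue_client CA CN SERIAL: client cert signed by CA, plus a PFX for the Windows store
issue_client() {
  openssl req -new -config "$work/x.cnf" -newkey rsa:2048 -nodes \
    -keyout "$work/$2.key" -out "$work/$2.csr" -subj "/CN=$2" 2>/dev/null &&
  openssl x509 -req -in "$work/$2.csr" -CA "$work/$1.crt" -CAkey "$work/$1.key" \
    -set_serial "$3" -extfile "$work/x.cnf" -extensions client_ext -days 30 \
    -out "$work/$2.crt" 2>/dev/null &&
  openssl pkcs12 -export -in "$work/$2.crt" -inkey "$work/$2.key" \
    -certfile "$work/$1.crt" -out "$work/$2.pfx" -passout pass:lab-only
}
# chain_ok CA CN: the chain-to-configured-root check described above
chain_ok() {
  openssl verify -purpose sslclient -CAfile "$work/$1.crt" "$work/$2.crt" >/dev/null 2>&1
}
# subject_is CN EXPECTED: per-identity check that chain validation alone does not give
subject_is() {
  [ "$(openssl x509 -noout -subject -nameopt RFC2253 -in "$work/$1.crt" |
       sed 's/^subject= *//')" = "CN=$2" ]
}

# public-ca stands in for a CA that issues to anyone; private-ca is yours alone.
make_ca public-ca && make_ca private-ca
issue_client public-ca owner 1 && issue_client public-ca stranger 2 &&
  issue_client private-ca alice 3
for who in owner stranger alice; do
  for ca in public-ca private-ca; do
    chain_ok "$ca" "$who" && echo "$ca accepts $who" || echo "$ca rejects $who"
  done
done
```

In the Apache setup from this thread, SSLCACertificateFile would point at the private CA's certificate with SSLVerifyClient require, and the generated .pfx is what goes into the client's "personal" store.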


Here are some links that might be of help (but then again maybe not):