There is currently no way to obtain a CA certificate from LE.
Only DV certificates are being offered [for FREE].
There is currently no way to obtain a CA certificate from LE.
I asked my question incorrectly.
From the domain certificate you provide me, can I obtain a client certificate?
The Let's Encrypt domain certificates have the Key Usage set to allow both server authentication and client authentication, so they can be used for both applications. Not all servers will accept the Let's Encrypt certificate for client authentication (that is entirely the decision of the server operator!), but it is technically valid for this purpose.
For this certificate crt.sh | 8567220204 just search for
to find what @schoen commented on.
The Let's Encrypt certificate extension ends with ".pem".
I would like to have a certificate that ends with the extension ".pfx" or ".p12".
If I click on your certificate, I don't get the "install PFX" option.
I can't install it from stores on Windows.
How do I go about transforming your certificate into ".pfx" or ".p12"?
If you're going to use it on Windows, you might want to use a Windows-oriented client like Certify The Web—I think you may get a PFX file directly out of it.
The file created by Certbot is what other people have traditionally called a ".cer" file. You can convert this by running the
openssl pkcs12 command. For example
will turn up some examples of how to do that conversion.
Since the certificate has to be renewed frequently, it's unpleasant to have to do this manually every time! You can script the conversion process using Certbot's
--deploy-hook option (which lets you specify a command to run automatically every time a new certificate is obtained), or use a more Windows-oriented Let's Encrypt client and perhaps get a PFX file in the first step.
When I request a certificate from Let's Encrypt, I get:
In Apache 2.4.55, the installed certificates are:
--> SSLCertificateFile: chez.jcz.fr-chain.pem
--> SSLCertificateKeyFile: chez.jcz.fr-key.pem
In Apache 2.4.55, I put: "SSLVerifyClient none".
I do the test: it works!
I create the PFX certificate:
[code]rem Build the PFX from the chain file and the private key (same password for input and output)
openssl pkcs12 -export -out %TRAVAIL%\chez.jcz.fr.pfx ^
    -in %LIEN%\chez.jcz.fr-chain.pem ^
    -inkey %LIEN%\chez.jcz.fr-key.pem ^
    -passin pass:root -passout pass:root[/code]
I install it in the "personal" store.
In Apache, I put: "SSLVerifyClient require".
I restart WampServer and I do the test: it does not work.
I have the error "ERR_BAD_SSL_CLIENT_AUTH_CERT".
I did the same with OPENSSL by creating my self-signed certificates.
Unlike this test, I had a ca.crt certificate that I put in the "trusted root certification authorities" store.
And a client.pfx certificate that I put in the "personal" store. And the test worked.
I took the certificate "chez.jcz.fr-crt.pem" whose name I changed to "chez.jcz.fr.crt".
I installed it in the "trusted root certification authorities" store.
The test did not work.
Perhaps you need to put one of the files from
into that same store? In order to tell your server that you want it to accept Let's Encrypt-issued certificates for this purpose?
I believe that the closest equivalent to what you did in the other test would be putting the
chain file there, rather than the
crt file there.
I find it strange that Let's Encrypt would supply you the chez.jcz.fr-key.pem (I would assume that is the Private Key).
Let's Encrypt (the organization) doesn't, but the client application does.
Let's Encrypt gives me the following certificates:
This is what I get by "wacs.exe".
I configure Apache:
--> SSLCertificateFile: chez.jcz.fr-crt.pem
--> SSLCertificateKeyFile: chez.jcz.fr-key.pem
--> SSLCACertificateFile: chez.jcz.fr-chain.pem
and I do:
--> SSLVerifyClient none
my site is valid!
From these three ".pem", I was able to create with OPENSSL:
--> PFX that I put in the "my" store.
--> CRT that I put in the "root" store.
I checked, they are both valid.
Here's how I did it:
[code]rem PFX (certificate + private key + chain) for the "personal" store
openssl pkcs12 -export -out %WORK%\chez.jcz.fr.pfx ^
    -in %STORE%\chez.jcz.fr-crt.pem ^
    -inkey %STORE%\chez.jcz.fr-key.pem ^
    -certfile %STORE%\chez.jcz.fr-chain.pem

rem CRT (the chain as plain certificates) for the "root" store;
rem the output file name was not given in the post and is assumed here
openssl crl2pkcs7 -nocrl ^
    -certfile %STORE%\chez.jcz.fr-chain.pem | ^
openssl pkcs7 -print_certs ^
    -out %STORE%\chez.jcz.fr.crt[/code]
In Apache I do:
--> SSLVerifyClient require
I go to my site. It offers me the client certificate.
I select it and I have the error "ERR_BAD_SSL_CLIENT_AUTH_CERT".
To get my site working properly, I need to create the right certificates:
from Let's Encrypt certificates.
Can you give me a link explaining how to create these certificates?
I spent the whole weekend looking on the net, doing tests, but I can't find it.
Can you help me find the solution?
Can you show the exact URL that is failing?
I don't have a problem accessing
I put "SSLVerifyClient require" back.
That is no longer necessary with:
What do you do with this file?:
WampServer just use the
[quote="MikeMcQ"]Can you show the exact URL that is failing?
I don't have a problem accessing https://chez.jcz.fr[/quote]
This is the correct url.
I access from my computer, where my WampServer is.
I explained everything a little above.
I did exactly the same manipulations with self-signed OPENSSL certificates, and I managed to correctly configure my Apache 2.4.55.
With Let's Encrypt certificates, I can't create the PFX and CRT certificates I need.
I gave you the two "openssl" commands that I use to create these two PFX and CRT certificates.
If they are not correct, can you tell me how to get a working client certificate please?
Here is my PFX certificate:
The certificate is valid.
If I go to "curl -i6 https://chez.jcz.fr", it gives me the following error:
curl: (35) schannel: next InitializeSecurityContext failed: SEC_E_ILLEGAL_MESSAGE (0x80090326) - This error usually occurs when a fatal SSL/TLS alert is received (e.g. handshake failed). More detail may be available in the Windows System event log.
What is the necessity for the Certificate to be in PFX format?
We have been discussing this offline and the short answer is that it is not a good idea to use Let's Encrypt certs for Apache client authentication.
Why? That Apache feature checks that the client sent a cert that it can successfully chain to the root you configured. Everyone with an LE cert will chain to the same root so anyone would be authenticated. This provides too little security to be useful.
Normally this Apache verify client is used with your own "root" certs. You could, for example, create self-signed certs for this purpose. You configure the client and Apache accordingly (like using the SSLCACertificateFile). There are many guides on the internet for setting up such a configuration.
Apache also has a "require" option to restrict client certs even further. But, this is advanced Apache config well beyond the scope of this forum.
Here are some links that might be of help (but then again maybe not):
- How to Configure Mutual TLS for Apache 2 | DocuSign
- mTLS with Apache HTTP server. Understanding mTLS and setting it up… | by Vignesh Thirunavukkarasu | Medium
- Configuring Mutual SSL on Apache HTTP Server
- Mututal TLS — Apache Traffic Server 10.0.0 documentation
- Mutual TLS with Apache and PHP - PHP - Dave Gebler
- Mutual TLS Client Authentication and Certificate Bound Access Tokens - Gluu Server 4.0 Docs
- Configuring mTLS for Apache Kafka - Decodable
- mTLS Mutual authentication - Wikipedia
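The point made above (chain validation alone admits every certificate issued by the configured root, so the root must be private and the subject should be restricted as well) can be shown with OpenSSL alone. This is an added illustration, not code from the thread or from any of the linked guides; the function names `make_ca`, `gen_csr`, `issue_client`, `chain_ok`, `client_cn` and `allow_client` and the `WORK` directory are assumptions of this example. `chain_ok` performs the check that `SSLVerifyClient require` with `SSLCACertificateFile` performs (including the client-auth purpose check mentioned earlier in the thread), and `allow_client` adds the subject allow-list that Apache's `Require expr` would add.

```shell
#!/bin/sh
# Added example: two client certificates from one private CA both pass the chain check;
# only an allow-list on the subject tells them apart. All files live in $WORK (scratch dir).
set -eu
WORK="${WORK:-$(mktemp -d)}"

# gen_csr NAME : fresh key and CSR with CN=NAME
gen_csr() {
    openssl req -new -newkey rsa:2048 -nodes -keyout "$WORK/$1.key" \
        -out "$WORK/$1.csr" -subj "/CN=$1" >/dev/null 2>&1
}

# make_ca NAME : a self-signed private root, the analogue of the root you would
# point SSLCACertificateFile at (public roots such as Let's Encrypt's are shared by everyone)
make_ca() {
    gen_csr "$1"
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign\n' > "$WORK/ca.ext"
    openssl x509 -req -in "$WORK/$1.csr" -signkey "$WORK/$1.key" -days 1 \
        -extfile "$WORK/ca.ext" -out "$WORK/$1.crt" >/dev/null 2>&1
}

# issue_client CA CN : a client-auth certificate signed by CA
issue_client() {
    gen_csr "$2"
    printf 'extendedKeyUsage=clientAuth\n' > "$WORK/client.ext"
    openssl x509 -req -in "$WORK/$2.csr" -CA "$WORK/$1.crt" -CAkey "$WORK/$1.key" \
        -CAcreateserial -days 1 -extfile "$WORK/client.ext" -out "$WORK/$2.crt" >/dev/null 2>&1
}

# chain_ok CA CN : does CN's certificate chain to CA and carry the client-auth purpose?
# This is all that SSLVerifyClient require decides by itself.
chain_ok() {
    openssl verify -CAfile "$WORK/$1.crt" -purpose sslclient "$WORK/$2.crt" >/dev/null 2>&1
}

# client_cn CERTFILE : the subject CN, which mod_ssl exposes as SSL_CLIENT_S_DN_CN
client_cn() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | sed 's/.*CN=\([^,]*\).*/\1/'
}

# allow_client CA CN ALLOWED... : chain check plus an allow-list on the CN,
# the shell equivalent of SSLVerifyClient require + Require expr on SSL_CLIENT_S_DN_CN
allow_client() {
    ca="$1"; cn="$2"; shift 2
    chain_ok "$ca" "$cn" || return 1
    presented=$(client_cn "$WORK/$cn.crt")
    for ok in "$@"; do
        [ "$presented" = "$ok" ] && return 0
    done
    return 1
}
```

With a private CA, `issue_client private-ca alice` and `issue_client private-ca mallory` both satisfy `chain_ok`, which is exactly the weakness with a public root: anybody who can get a certificate from that CA is "authenticated". `allow_client private-ca mallory alice bob` then fails while the same call for `alice` succeeds. In Apache the matching configuration is `SSLVerifyClient require` plus `Require expr "%{SSL_CLIENT_S_DN_CN} == 'alice'"` (or a `-in` list), and a certificate from any other CA is rejected at the chain step before the subject is even looked at.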