Certificate for a server which is not https

pcruzavant · February 3, 2022, 1:24pm

We need sign in of a Certificate for a server which is not https. We can generate the CSR. How do we sign in it

9peppe · February 3, 2022, 1:30pm

The same way as always.

You do a validation (http-01, tls-alpn-01, or dns-01) and once you have the certificate you install it, telling the acme client how to renew and install it in your whatever (mailserver? ftp?).

If you don't have a webserver on the machine, several acme clients can spin up their own.

rg305 · February 4, 2022, 3:35am

What operating system (and version) are you using?

pcruzavant · February 4, 2022, 2:06pm

We are using Windows Server 2012

rg305 · February 4, 2022, 3:45pm

Getting Started - Let's Encrypt (letsencrypt.org)

ACME Client Implementations - Let's Encrypt (letsencrypt.org)

webprofusion · February 5, 2022, 6:33am

You could try out the app I develop https://certifytheweb.com - it's a full GUI for windows.

Do you specifically need to use your own CSR - which service are you trying to add the certificate to? You can specify a custom CSR in Certify when adding a new managed certificate under Certificate > Advanced > Signing & Security.

pcruzavant · February 23, 2022, 10:21pm

Hi webprofusion,

I downloaded the app and followed the instructions provided.
When I load my CSR and after pushing the Request Certificate button, a message box popups and says that 'One or more domains specified are internal hostnames. Certificates for internal hostnames are not supported by Certificate Authority"

The service we have is a Server (non hosted). The server was developed in C++ and uses woldSSL library.

Please help.

Thanks,
Pedro

9peppe · February 23, 2022, 10:24pm

This means you cannot have a publicly trusted certificate for those hostnames.

You have to use a domain name that is in the global DNS infrastructure.

webprofusion · February 24, 2022, 1:03am

Yes, as @9peppe says, Let's Encrypt (etc) cannot provide certificates for an internal hostname e.g. srvapp01 or localhost, they can instead provide certificates for fully qualified names that are in your public dns e.g. srvapp01.yourdomain.com

To create internal certificates you can either:

create a self signed cert using a tools (e.g. New-SelfSignedCertificate (pki) | Microsoft Learn) then when users access it they have to accept the certificate warning.
create your own internal certificate authority and distribute the root or intermediate certificate to your client machine trust stores. (e.g. smallstep-ca, MS AD CS Install the Certification Authority | Microsoft Learn)

It's usually easiest just to use your public domain dns and get a proper public certificate (your service does not have to be public if you are using DSN validation to validate your domain with Let's Encrypt). You would then direct users etc to use your system using it's fully qualified name

rg305 · February 24, 2022, 1:06am

If you care to show us the CSR file, we will show which entries are unable to be validated / "certified".

system · March 26, 2022, 1:07am

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.