Convert LE Cert into PKCS#12 for Reverse Proxy Protection


#1

Hello, First off I think this project is awesome :smile:

I am running Sophos UTM 9.3 and with Web Server protection on. I hope this might help someone else :slight_smile:
This is how I got the LE Test certs to work in UTM 9.3.
First off I needed to DNAT the web server that I was creating a LE cert for.
Once the DNAT was in place, on the webserver I ran:

./letsencrypt-auto -d dev.remarkable.com

Then I ran the following openssl command with the newly created certs:

openssl pkcs12 -export -out dev-remarkable.pk12 -in cert2.pem -inkey privkey2.pem -name Cert-Name 

Then it was just a matter of uploading the PKCS#12 cert into the UTM certificate manager.
Select the newly uploaded cert in the Web Server Protection section.

If someone else has a better way, I am all ears :smile:

Cheers
R
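An added example, not from the post above: the same openssl export done on the host that holds the key, with the export passphrase taken from the environment instead of the command line, the intermediate chain bundled in, and the result checked before upload. It assumes the certbot-style live directory layout (cert.pem, chain.pem, privkey.pem), a hypothetical PKCS12_PASS variable, and openssl on PATH.

```shell
#!/bin/sh
# Added example (not the original post's command): build a passphrase-protected
# PKCS#12 bundle from a Let's Encrypt certificate for upload to a reverse proxy.
# Run it on the machine that holds privkey.pem, so the key never has to be copied.
set -eu

# le_to_pkcs12 <live-dir> <out.p12> <friendly-name>
# The passphrase comes from $PKCS12_PASS (hypothetical name, must be exported),
# so it does not show up in `ps` output or shell history. Returns 1 if the
# passphrase is shorter than 16 characters or the bundle cannot be read back.
le_to_pkcs12() {
    live_dir=$1; out=$2; name=$3
    pass=${PKCS12_PASS:-}
    if [ "${#pass}" -lt 16 ]; then
        echo "PKCS12_PASS must be at least 16 characters" >&2
        return 1
    fi
    # Subshell so the owner-only umask applies just to writing the bundle
    ( umask 077 && openssl pkcs12 -export \
        -in "$live_dir/cert.pem" \
        -certfile "$live_dir/chain.pem" \
        -inkey "$live_dir/privkey.pem" \
        -name "$name" \
        -passout env:PKCS12_PASS \
        -out "$out" ) || return 1
    # Read the bundle back with the same passphrase: catches a typo before upload
    openssl pkcs12 -in "$out" -noout -passin env:PKCS12_PASS
}
```

OpenSSL 3 exports use AES with PBKDF2 by default; if an older importer rejects the file, adding `-legacy` to the export produces the older PKCS#12 encryption it expects.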


#2

KeyStore Explorer (http://keystore-explorer.sourceforge.net/) is a great tool for many tasks like this.


#3

Thanks for posting this tip, @VWR32NZ! I’m sure it will be helpful to other people.

I’d like to remind anyone who transfers private key material from one machine to another (as many tasks and uses of Let’s Encrypt certificates may call for) to be careful with the private keys because they could be used to impersonate your web site if somebody else got ahold of them. If you upload them over the Internet, make sure that the file transfer method you’re using is encrypted (like scp or SFTP). If you copy them on a physical medium like a USB stick, make sure that the keys are securely deleted from the medium afterward.

It’s hard to be careful enough with copies of private keys, but I hope people will be aware of their sensitivity when working with them.


#4

@schoen thank you for those sound words :smile: and I should have prefixed my note with those warnings. I work in IT Sec so the securing of private key material is second nature. I would strongly recommend anyone doing this to do the PKCS#12 creation on the server where the LE client created the keys, and to use a PKCS#12 passphrase length greater than 15 characters :smile:


#5

@mkoko, awesome thank you for the link, I will check it out, it is great to have additional tools in one’s toolbox. :slight_smile: