Generate a 2048 bit CSR and Certificates with ZeroSSL


#1

I’m sure you’ve answered this before, but is there any way I can get a 2048 bit certificate from Let’s Encrypt? I have multiple web servers that use an old version of cPanel and their servers simply do not support 4096 bit certificates. I have asked the hosting provider to support 4096 but after about two months I have not gotten a reply.

Simply put, I need security on these sites, and since there is no other trusted provider of free certificates I came to you.


#2

Hi @sulliops, what software are you using to generate the certificates?

2048-bit certificates (that is, certificates specifying an RSA subject key with a 2048-bit modulus) are fully supported by the CA, but the way of generating them depends on the client software that you’re using. For example, in Certbot you can specify --rsa-key-size 2048.


#3

Like I said, it’s cPanel. I don’t have SSH access so I was using https://zerossl.com which I suppose uses certbot to obtain certificates.


#4

I was just about to answer the same (Thanks @schoen!). I also noticed that the Certbot docs say:

–rsa-key-size N Size of the RSA key. (default: 2048)

So in theory unless you’re specifically asking for 4096 you won’t have to change any configuration with Certbot to use 2048 bit RSA keys.


#5

I don’t believe it uses Certbot at all.

The docs for the installable version suggest you can give it a 2048 argument.

@leader Do you know if the online tools support this request?

(Mistakenly @'d Serverco instead of @leader initially - oops!)


#6

Aha! @leader is the developer of that tool, which internally uses le.pl, not Certbot. It would be up to @leader to choose to support particular kinds of certificates as an option on the site.

As an alternative, you could also download le.pl (or a different client application) onto your own computer and run it there, which might give you more options in the course of cert generation.


#7

Will le.pl run on Mac? All of my computers are Mac. Or can I use the Mac terminal (which has OpenSSL built in) to generate the keys and use le.pl to generate the certificate?


#8

Yep, it does! Another option is acme.sh. All of these are command-line applications that you would run in a terminal on your Mac, and both are reported to work well on macOS. You could then upload the PEM files that they save at the end.

Certbot is also an option, but it’s more designed to run directly on the web server, and it might add unnecessary complexity for running it on your own laptop.


#9

It is documented on ZeroSSL.com that some services and devices might not support long keys. In that case the suggested path is to use “CSR Generator” first and choose 2048 bits, then just use that CSR with “SSL Certificate Wizard”. Please note that “CSR Generator” will produce both the CSR and your domain key - it is NOT an account key and it should NOT be used on the first step of “SSL Certificate Wizard”.

N.B. The Organization, … Country fields in CSR are optional - they are not used by LE (you may use them if you are creating a CSR for some other CA).


#10

@sulliops, hopefully we’ve given you some good options here together with @leader’s reply.


#11

Awesome! I had just been looking at acme.sh and how I can use that. I believe this version of cPanel supports .pem files being uploaded so this should work perfectly. Thanks @leader for the information as well, and you can close this now.


#12

hi all

just rounding this out in case someone else wants another option.

Below is OpenSSL config file to do the same

HOME = .
RANDFILE = $ENV::HOME/.rnd
[req]
default_bits = 2048
prompt = no
default_md = sha256
req_extensions = req_ext
distinguished_name = dn

[ dn ]

CN = your domain
[ req_ext ]
subjectAltName = @alt_names

[ alt_names ]

DNS.1 =your domain


#13

Here is the acme.sh doc: https://acme.sh


#14

@leader @schoen @cpu So I decided to use @leader’s suggestion to generate my certificate - and it worked the way he said it would, and so did acme.sh. I was able to generate a 2048-bit certificate for my domain name. The only issue is that the hosting provider doesn’t allow certificates that require an intermediate on this plan. I have contacted their support but it has been almost a full day without a response.

Is there any way I can generate a certificate without an intermediate, or is this impossible because of how your roots work?


#15

Hi @sulliops,

It’s impossible, and also your hosting provider’s position is kind of weird. Although some certs in the past possibly didn’t require an intermediate, this practice has been banned since June of last year by CA/Browser Forum rules, which now provide that

Private Keys corresponding to Root Certificates MUST NOT be used to sign Certificates except in the following cases:

  1. Self-signed Certificates to represent the Root CA itself;
  2. Certificates for Subordinate CAs and Cross Certificates;
  3. Certificates for infrastructure purposes (administrative role certificates, internal CA operational device certificates); and
  4. Certificates for OCSP Response verification.

As of now, there is no publicly-trusted CA that is allowed to issue end-entity certificates that don’t rely on an intermediate certificate.


#16

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.