I’m sure you’ve answered this before, but is there any way I can get a 2048-bit certificate from Let’s Encrypt? I have multiple web servers that use an old version of cPanel and their servers simply do not support 4096-bit certificates. I have asked the hosting provider to support 4096 but after about two months I have not gotten a reply.
Simply put, I need security on these sites, and since there is no other trusted provider of free certificates I came to you.
Hi @sulliops, what software are you using to generate the certificates?
2048-bit certificates (that is, certificates specifying an RSA subject key with a 2048-bit modulus) are fully supported by the CA, but the way of generating them depends on the client software that you’re using. For example, in Certbot you can specify --rsa-key-size 2048.
Yep, it does! Another option is acme.sh. All of these are command-line applications that you would run in a terminal on your Mac, and both are reported to work well on macOS. You could then upload the PEM files that they save at the end.
Certbot is also an option, but it’s more designed to run directly on the web server, and it might add unnecessary complexity for running it on your own laptop.
It is documented on ZeroSSL.com that some services and devices might not support long keys. In that case the suggested path is to use “CSR Generator” first and choose 2048 bits, then just use that CSR with “SSL Certificate Wizard”. Please note that “CSR Generator” will produce both the CSR and your domain key - it is NOT an account key and it should NOT be used on the first step of “SSL Certificate Wizard”.
N.B. The Organization, … Country fields in CSR are optional - they are not used by LE (you may use them if you are creating a CSR for some other CA).
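The “CSR Generator” step described above, as an added example that is not part of this thread or of any of the tools mentioned: generate a 2048-bit RSA domain key and a CSR with openssl, then confirm the CSR really carries a 2048-bit key before feeding it to an ACME client. It assumes openssl 1.1.1 or newer is installed; example.com and www.example.com are placeholder names.

```shell
#!/bin/sh
# Added example: openssl equivalent of the "CSR Generator" step.
# Assumes openssl >= 1.1.1 (for -addext). Domain names are placeholders.
set -eu

# Generate an RSA private key with a 2048-bit modulus. This is the DOMAIN key
# that goes with the CSR; it is not an ACME account key, so keep the two apart.
gen_domain_key() {          # $1 = output key path
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$1" 2>/dev/null
}

# Build a CSR for one or more names. Only the CN and the subjectAltName
# entries matter to Let's Encrypt; O, C and the other subject fields are
# optional and are ignored, so they are left out here.
gen_csr() {                 # $1 = key path, $2 = CSR output path, $3... = names
    key=$1; out=$2; shift 2
    primary=$1
    sans=""
    for n in "$@"; do sans="${sans}${sans:+,}DNS:$n"; done
    openssl req -new -key "$key" -out "$out" -subj "/CN=$primary" \
        -addext "subjectAltName=$sans"
}

# Print the RSA modulus size (in bits) of the public key inside a CSR, so the
# size can be checked before the CSR is handed to a server that rejects 4096.
csr_key_bits() {            # $1 = CSR path
    openssl req -in "$1" -noout -text \
        | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p'
}

# Exit 0 only if the CSR's own signature verifies against the embedded key,
# i.e. the CSR and the domain key actually belong together.
csr_is_valid() {            # $1 = CSR path
    openssl req -in "$1" -noout -verify >/dev/null 2>&1
}

# Usage: create the key and CSR in a scratch directory and report the key size.
workdir=$(mktemp -d)
gen_domain_key "$workdir/domain.key"
gen_csr "$workdir/domain.key" "$workdir/domain.csr" example.com www.example.com
echo "CSR key size: $(csr_key_bits "$workdir/domain.csr") bits"
```

The resulting domain.csr is what you would paste into the certificate wizard, and domain.key is the private key the web server needs alongside the issued certificate.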
Awesome! I had just been looking at acme.sh and how I can use that. I believe this version of cPanel supports .pem files being uploaded so this should work perfectly. Thanks @leader for the information as well, and you can close this now.
@leader @schoen @cpu So I decided to use @leader’s suggestion to generate my certificate - and it worked the way he said it would, and so did acme.sh. I was able to generate a 2048-bit certificate for my domain name. The only issue is that the hosting provider doesn’t allow certificates that require an intermediate on this plan. I have contacted their support but it has been almost a full day without a response.
Is there any way I can generate a certificate without an intermediate, or is this impossible because of how your roots work?
It’s impossible, and also your hosting provider’s position is kind of weird. Although some certs in the past possibly didn’t require an intermediate, this practice has been banned since June of last year by CA/Browser Forum rules, which now provide that
Private Keys corresponding to Root Certificates MUST NOT be used to sign Certificates except in the following cases:
Self-signed Certificates to represent the Root CA itself;
Certificates for Subordinate CAs and Cross Certificates;
Certificates for infrastructure purposes (administrative role certificates, internal CA operational device certificates); and
Certificates for OCSP Response verification.
As of now, there is no publicly-trusted CA that is allowed to issue end-entity certificates that don’t rely on an intermediate certificate.