Generate Certificate from CSR

Hi. I have a server running an application (MobileIron). This application takes control of the shell, so I do not have direct shell access to the server; when I SSH in, I go straight into the application itself.

The application has a web interface to add certificates. There is a button to generate a CSR. I fill in the information requested, and it outputs a text file with (I deleted the characters):

-----BEGIN CERTIFICATE REQUEST-----
[…]
-----END CERTIFICATE REQUEST-----

-----BEGIN RSA PRIVATE KEY-----
[…]
-----END RSA PRIVATE KEY-----

It tells me to upload this information to my CA and get the certificate.
The problem is, Let's Encrypt does not let me upload this CSR. I have tried using https://zerossl.com/, but it requires that I validate the server via HTTP (impossible, since I don't have access to the file system to include the verification files) or via DNS (also impossible, because it is handled by another area of my company).

How do I generate the certificate when I possess only the Certificate Request and the Private Key?

Hi @yurividal,

You can't. You need to prove to Let's Encrypt that you control the domain somehow. In this case, by putting a specific file with specific content at yourdomain.tld/.well-known/acme-challenge/thefile, and this file must be reachable from the internet. The other way is creating a TXT record for _acme-challenge.yourdomain.tld with a token given by Let's Encrypt.... so if you can't add files or TXT records for the domain, then you can't prove you control the domain, so it is impossible to issue a cert for it.

Maybe you could use another CA, but first ask them what methods they use to validate the domain, just in case you can't use any of them either.

Also, if you could put a proxy in front of that app, you could redirect the challenge requests to a directory you control and pass the other requests to the app. With this proxy you could validate the challenge and use it to terminate the SSL connections and redirect them to the app.

Anyway, if DNS support is provided by another area of your company and you are trying to issue a certificate to secure an app used in your company, it should be easy to contact them, explain the problem you have and get a solution, because with other CAs you could have the same problem getting the cert.

Good luck,
sahsanu

You don't. You must be able to do one of the two things that zerossl.com says, and do it at least every three months. If neither of those is possible in any way, then you'll need to use a different CA.

Now, there are some potential workarounds. If the folks who do manage your DNS will create a CNAME record for _acme-challenge.your_fqdn, you might be able to handle the DNS validation on a different server. Or if there's some kind of reverse proxy handling your web traffic, it might be able to direct requests for your_fqdn/.well-known/acme-challenge to someplace you do control. But if nothing like that is possible, you won't be able to get a cert from Let's Encrypt.
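An added example, not from anyone in this thread, that ties the question to the two answers: it checks that the CSR and private key in the text file the appliance hands out actually belong together (a mismatched pair is a common reason a CA rejects a CSR), lists the DNS names the CSR asks for, and prints the _acme-challenge record name that the DNS team would have to create or delegate with a CNAME for each of them, as the replies describe. It needs only the openssl command line. The hostname mdm.example.com, the file names and the temporary directory are assumptions; the key/CSR bundle is constructed inline with openssl as a stand-in for the real appliance output, which is not on the page.

```shell
#!/bin/sh
# Added example (not MobileIron's or Let's Encrypt's code). Requires openssl.
set -eu

WORK="${TMPDIR:-/tmp}/csr-check.$$"
mkdir -p "$WORK"
trap 'rm -rf "$WORK"' EXIT

# Constructed stand-in for the file the appliance produces: one text file
# holding the CSR followed by the RSA private key. Names are assumptions.
make_sample() {
    openssl req -new -newkey rsa:2048 -nodes \
        -keyout "$WORK/app.key" -out "$WORK/app.csr" \
        -subj "/CN=mdm.example.com/O=Example Corp" \
        -addext "subjectAltName=DNS:mdm.example.com,DNS:mdm-alt.example.com" \
        >/dev/null 2>&1
    cat "$WORK/app.csr" "$WORK/app.key" > "$WORK/from-appliance.txt"
}

# Split the combined text file into its two PEM blocks. The appliance labels
# the key "RSA PRIVATE KEY" (PKCS#1); newer openssl writes "PRIVATE KEY"
# (PKCS#8), so the pattern accepts both.
split_bundle() {
    sed -n '/^-----BEGIN CERTIFICATE REQUEST-----$/,/^-----END CERTIFICATE REQUEST-----$/p' \
        "$1" > "$WORK/split.csr"
    sed -n '/^-----BEGIN .*PRIVATE KEY-----$/,/^-----END .*PRIVATE KEY-----$/p' \
        "$1" > "$WORK/split.key"
}

# Succeeds only when the public key inside the CSR is the one derived from
# the private key, i.e. the CSR was really generated with this key.
csr_matches_key() {
    csr_pub=$(openssl req -in "$1" -noout -pubkey)
    key_pub=$(openssl pkey -in "$2" -pubout)
    [ "$csr_pub" = "$key_pub" ]
}

# Print every DNS name the CSR asks a CA to certify: the subject CN plus any
# subjectAltName entries, de-duplicated, one per line.
csr_names() {
    {
        openssl req -in "$1" -noout -subject -nameopt RFC2253 \
            | sed -n 's/.*CN=\([^,]*\).*/\1/p'
        openssl req -in "$1" -noout -text \
            | sed -n 's/^ *DNS:/DNS:/p' | tr ',' '\n' | sed -n 's/^ *DNS://p'
    } | LC_ALL=C sort -u
}

# The DNS-01 record Let's Encrypt queries for a name. If the DNS team will
# not add TXT records on demand, a CNAME at this name pointing into a zone
# you control is enough to delegate the validation.
acme_dns01_name() { printf '_acme-challenge.%s\n' "$1"; }

main() {
    make_sample
    split_bundle "$WORK/from-appliance.txt"
    if csr_matches_key "$WORK/split.csr" "$WORK/split.key"; then
        echo "CSR and private key match"
    else
        echo "CSR was not generated with this private key; regenerate it" >&2
        exit 1
    fi
    echo "names requested in the CSR:"
    csr_names "$WORK/split.csr"
    echo "DNS-01 records the DNS team must create or delegate:"
    csr_names "$WORK/split.csr" | while read -r n; do acme_dns01_name "$n"; done
}

main
```

The match check compares the SubjectPublicKeyInfo from the CSR with the one derived from the private key, which is independent of whether the key is stored as PKCS#1 or PKCS#8. Neither check replaces domain validation: a CA will still only sign this CSR once the HTTP-01 file or the DNS-01 TXT record for every listed name is in place.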

