Generate certificate on local machine


#1

Hello. I’m new to LetsEncrypt. I have installed certificates 2 months ago. For a domain and a few subdomains. They are all on one server, but I want to move one subdomain to a separate VPS.

So I guess the simplest way to make it work would be to renew the certificates on primary VPS, move the subdomain to another VPS and copy generated certificates there. And when time comes to renew them again, I would have to copy them again to the secondary server. Am I right?

This got me thinking, couldn’t I just install certbot on my computer, generate certificates from there and upload them every 2 months to my servers? If that’s possible, how could I do that?


#2

To issue certificates Let’s Encrypt need proof you control each name in the certificate. Machines which serve up a website with that exact name can easily prove this. So the new VPS should be able to run certbot or another client to get certificates for the site it serves, no problem.

You can also prove control to Let’s Encrypt via DNS changes. If you’re comfortable doing this from some other computer you can issue the certificates there. But if that’s not something you’ve done before it’s probably not the easiest option.


#3

You could use the GetSSL client - it’s specifically designed for running on one computer, and validating via DNS or anther server, and uploading the certs to those servers automatically.

On the other hand, unless you want all the different subdomains on the same cert, I’d have thought it was as easy in this case just to install certbot on each VPS and create the certs for the server on the server ( assuming they are standard, modern VPS )


#4

Oh, so I can have a cert per subdomain? I thought I had to have one cert for top level domain.

So if I wanted to generate certificates on my computer, I would have to generate new ones/not worry about renewing existing ones?

Does certbot support DNS validation or I have to use GetSSL?

By the way, when the certificate file is updated (and path to cert file doesn’t change), do I have to restart Apache server?


#5

Yes.

By default GetSSL would copy and use your current cert, until it was due for renewal - although you could just create new certs if you wanted to.

Certbot doesn’t currently support the DNS challenge, although it is planned soon. There are a number of alternate clients that support the DNS challenge ( certainly all the Bash and Go ones )

You need to either restart or reload apache (I prefer reload, as it doesn’t affect existing connections ).


#6

I got everything set up. Thank you for all your help. GetSSL was exactly what I wanted.


#7

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.