Getting a CA Certificate by sending a CSR


Hello gents!
My OS is a Microsoft Windows one and i need CA certificates to secure the communications using https.
So i want to proceed in a manual way by sending a CSR to Let’s Encrypt and getting back a SSL CA Certificate but i can’t found how to do this.
Does someone could help me by telling me the way to send this CSR and how to get back the Certificate itself?
Thanks in advance for helping me.
Best regards


You won’t be able to get Let’s Encrypt to sign a CA certificate for you. Let’s Encrypt only signs end entity certificates.

Publicly trusted CAs in general aren’t allowed to give you a CA certificate unless you’re essentially a “real” CA as well (as in: follow the Baseline Requirements, various root program policies, etc.)

Could you describe your use-case - why do you need a CA certificate?


I read edevoucoux’s question differently - that he simply wanted a certificate for his windows server, and the rest may just be language differences (or I could be wrong of course :smile: )

@edevoucoux do you just want a standard certificate for your domain, which is hosted on a windows server, and on a fully qualified domain name ?


Oh, that might be right - CA certificate as in a certificate signed by a CA. :smile:

If that’s the case, there’s a list of Windows clients, you’ll probably find something that should work for your use-case there.


Sorry but i’m a novice in these matters.
I’ve 2 peripherals for which i want to secure the communication by using https: these are Synology and APC ones. For both of them the help topics indicate that the best way to get a signed certificate is to send to a Certificate Authority (Let’s Encrypt in this case) a Certificate Signing Certificate (CSR) generated via the DSM interface for Synology and the Security Wizard software for APC in order to get back an SSL signed certificate.
Do i missed something with this process or is my explanation unclear?
Thx for your answer and to clarify and help me.
Best regards


To illustrate this, and make it more clear perhaps, i found this on the web: but as you can see, the page is not complete.


I think the most recent version of Synology’s OS (DSM 6.0) integrates directly with Let’s Encrypt, so you might be able to use that to get the certificate.

As for the rest, the way you get a CSR signed by Let’s Encrypt is to use client software which sends the CSR to Let’s Encrypt and performs domain ownership validation. Take a look at the client list from my previous post and pick a client that you feel comfortable with. Do note that certificates issued by Let’s Encrypt are only valid for 3 months, meaning that you’ll need to repeat this process manually at least that often for your APC device (Synology should completely automate this for you).


Well, thanks for the Windows list.
Effectively you’re right regarding Synology DSM 6.0, but first it doesn’t seems to work and second i have another older NAS that only supports DSM 5.0 into which this feature is not provided.
Regarding APC and your client software, i understood that it worked only in a Unix (Linux) environment, am i right?
Thanks again


The link I provided is for clients that run on Windows specifically. Certbot, which is the recommended client, only works on Unix/Linux right now, but there are a number of clients that work on Windows.


Many thanks for your answer, could you provide me such a free client working on Windows?


I personally haven’t used any of the Windows clients, so I don’t really have a recommendation here. letsencrypt-win-simple and ACMESharp appear to be the most popular ones based on GitHub stars (I can’t think of any other metrics that might help you chose :smile:).


OK, many thanks for your help that clarify this matter i don’t know too much about.
I’ll do with your help and answers, thanks for your patience :wink:


The certificate is for a specific domain name. So your NAS should have such a domain name.

A simple Google search on “dsm 6.0 lets encrypt” results in this blog/howto:


Yes you’re right Osiris,
My Synology NAS working on DSM 6.0 has it’s domain name defined but the process failed, perhaps i missed something else.
Anyway, thanks for the link you provided!


This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.