Getting CSR signed by LE on Windows server 2016


#1

Hi Guys,

I am using a Windows server hosting hostname.company.com. Since I already have a Certificate Signing Request (CSR) from SAP, how can I get it signed by LE? I also want to automatically renew this signed certificate. Please keep in mind that later I will use the signed cert and import or put it in the SAP Server PSE. I want to automate the process of the CSR getting signed and receiving a signed cert from the CA. If you require more details then let me know.

I have found many solutions, but with no clear-cut idea or implementation.

The operating system my web server runs on is : Windows Server 2016

I can login to a root shell on my machine : Yes, I have all administrative rights.


#2

Hi @riteshbansal696,

Automated renewal with Let’s Encrypt uses Let’s Encrypt client software applications, which you ordinarily install on your web server.

The list of client implementations there unfortunately doesn’t highlight which ones do or don’t support importing an externally-generated CSR, so you would have to read the documentation for some of those options to see whether they can deal with this. (Most Let’s Encrypt clients instead generate a private key themselves and expect you to configure the web server to point at that key—or help you configure the web server to point at that key.)

Another option might be terminating HTTPS with a reverse proxy running on your server. For example, you could use nginx with a proxy_pass directive to forward requests to your SAP service. In that case, you would only need to get a certificate for nginx, and not need to use SAP’s HTTPS support at all (assuming that the SAP software is happy to operate behind a reverse proxy).


#3

Hi Schoen,

Thanks for your quick response. Do you have any idea about acme-nosudo?


Does it suit my requirements? Automating the process of the CSR getting signed by ACME (LE)?


#4

This minimalist client isn’t really compatible with full automation; you’ll see that it stops in the middle to ask you to run a command on the server in order to complete the challenge from the certificate authority. That’s something you would have to do every time you renewed your certificate.

Maybe we could ask @JuergenAuer, who’s much more familiar with Windows, for any ideas.


#5

Hi @riteshbansal696

I am using Windows. But I have a special situation, so I’m not really familiar with other Windows clients and their options. Instead, I’ve created my own client.

If I know it correctly,

allows different commands with PowerShell. But after checking some clients, I needed my own solution.


#6

Posh-ACME does indeed support using an existing CSR. It’s also primarily used with the DNS challenge type via plugins (see supported providers). You can use it with other challenge types as well, but you’ll have to write a bit more code and deal with actually handling the challenge yourself. There’s an advanced tutorial that walks you through the process.

I have no clue what it takes to import a cert into SAP (and it’s highly unlikely you’ll find an existing client that does). But you’ll have to figure out how to automate that part as well.
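The Posh-ACME flow described in this answer, as an added example that is not from the thread or the Posh-ACME project: it submits an existing CSR, checks what the CA issued before anything is handed to SAP, and schedules renewal. The CSR path, the DNS plugin name `<YourDnsPlugin>` with its credential hashtable, the contact address and the task name are all assumptions to replace with your own values; the import of the resulting chain into the SAP PSE is the part the answer says you still have to automate yourself.

```powershell
# Added example (not from the thread or the Posh-ACME project): issue a
# certificate for an SAP-generated CSR with Posh-ACME and verify the result.
# Assumptions: the CSR exported from SAP is at C:\sap\hostname.company.com.csr,
# and <YourDnsPlugin> plus its credential hashtable stand in for whichever
# Posh-ACME DNS plugin matches the provider hosting company.com.

# Run in an elevated PowerShell session. Posh-ACME keeps its state under the
# user's profile, so the scheduled renewal task must run as the same account.
Install-Module -Name Posh-ACME -Scope CurrentUser -Force

# Start against the staging CA so mistakes do not consume production rate
# limits; switch to LE_PROD only after a staging run produces the expected cert.
Set-PAServer LE_STAGE

$csrPath    = 'C:\sap\hostname.company.com.csr'   # CSR from the SAP PSE (assumed path)
$pluginArgs = @{ }   # credentials for <YourDnsPlugin>; contents are plugin specific

# The private key never leaves the SAP PSE; only the CSR is sent to the CA.
# Posh-ACME takes the domain names from the CSR, answers the DNS-01 challenge
# through the plugin, and writes cert.cer / chain.cer / fullchain.cer (no key).
$cert = New-PACertificate -CSRPath $csrPath -Plugin '<YourDnsPlugin>' -PluginArgs $pluginArgs `
            -AcceptTOS -Contact 'pki-admin@company.com'   # contact address is an assumption

# Inspect what was actually issued: the subject carries only the CN (O and C
# from the CSR are dropped by the CA) and the names live in the SAN extension.
$issued = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $cert.CertFile
"Subject:   $($issued.Subject)"
"Not after: $($issued.NotAfter)"
$san = $issued.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }   # subjectAltName OID
"SAN:       $($san.Format($false))"
if ($san.Format($false) -notmatch 'hostname\.company\.com') {
    throw 'Issued certificate does not cover hostname.company.com; do not import it into the PSE.'
}
# $cert.FullChainFile is what you would feed to your own SAP PSE import step.

# Renewal: Submit-Renewal re-submits the stored order (same CSR) once the
# certificate is inside its renewal window, so it is safe to run daily.
$action  = New-ScheduledTaskAction -Execute 'powershell.exe' `
             -Argument '-NoProfile -Command "Import-Module Posh-ACME; Submit-Renewal"'
$trigger = New-ScheduledTaskTrigger -Daily -At 3am
Register-ScheduledTask -TaskName 'LE-SAP-Renewal' -Action $action -Trigger $trigger
```

The SAN check exists because the certificate is going into a different system than the one that requested it: if the issued names do not match the host SAP will serve, the import would fail silently at the TLS layer rather than at import time. Renewal with a CSR also means the SAP key is reused for every renewal, so rotate the key in the PSE and export a fresh CSR on whatever schedule your key-management policy requires.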


#7

Thanks for the response.
Since I don’t want my SAP network to be accessible by public users, I don’t want to run it behind a proxy server @schoen (I generated a TXT record with the value, put it in the DNS provider and got a signed certificate; that I can do).
I have a question: if I generate a CSR using hostname.company.com as the DN in the SAP application (or any other) and with LE on Windows, will the CSR be the same? Will the CSR generated be the same regardless of the application that generated it? Also, will the signed certificate be valid for all the applications that generated it?
Keeping in mind that I will keep the DNS, CN, O and C values used to generate the CSR the same.


#8

Regardless of what’s in the CSR, Let’s Encrypt won’t issue any certificate with O or C values or anything else it can’t verify automatically - only the domain name(s).

I’m not sure what you mean by this, but there is no restriction on using the certificate with multiple applications. You may need to convert it into a different format depending on what each application requires.