Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.
My web server is (include version):
nginx
The operating system my web server runs on is (include version):
ubuntu 18.04
My hosting provider, if applicable, is:
I can login to a root shell on my machine (yes or no, or I don’t know):
yes
I’m using a control panel to manage my site (no, or provide the name and version of the control panel):
no
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot):
don't know
I have successfully got the security running on the web server. The secure symbol is showing. No problems here. I have backed up the folder “letsencrypt” so that is in a safe place.
However, how do I associate the private key to a web browser when I want to access the secure server? Thanks in advance.
Can you elaborate on why you want to do this? You can already access your site over HTTPS without doing anything extra, right?
With the usual way that SSL certificates are set up, you don't need to do anything extra on the browser side.
The authentication for most HTTPS sites only works one way - the server provides a proof to the browser about its identity, but not the other way around.
There is also a fairly exotic scenario called "mutual authentication", where the browser proves its identity to the server as well - using a client certificate and private key. There are pretty much no sites on the public internet which use this - it's largely an internal/enterprise thing.
Are you using client certificates? If not, the answer to your question is that you don't need to do anything.
One thing that I’ve tended to forget is that Let’s Encrypt certificates do include the Client Authentication EKU, so they technically could be used for client authentication. But I agree that Let’s Encrypt certificates aren’t very suitable for this application for the reason that you mentioned—because the subject of the certificate is always a hostname (not a person or account).
Yes, in principle the organization could use Let’s Encrypt certificates that way. It’s not clear that using publicly-trusted certificates would be a benefit, though.
the certificates would have to be publicly logged
the certificates would have to have a 90-day duration
the organization would have to complete some kind of ACME challenge for each certificate
someone who managed to misissue a certificate inside the domain could potentially abuse it for client authentication
If the organization made its own internal CA for this purpose, none of these limitations or risks would have to apply.
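The internal-CA alternative from the last reply, as an added example that is not part of the thread: it uses the openssl CLI to create a private CA, issue a client certificate carrying only the Client Authentication EKU, and run the purpose check a TLS server applies to client certificates. The CA name, alice@example.org, www.example.org and the lifetimes are constructed for illustration.

```sh
# Added example (constructed names): internal CA for TLS client authentication.

# make_client_pki DIR: create a private CA, a client certificate for a person
# (clientAuth EKU only) and a serverAuth-only certificate for comparison.
make_client_pki() {
  mkdir -p "$1" || return 1
  cat > "$1/pki.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = Example Internal Client CA
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[client]
extendedKeyUsage = clientAuth
[server]
extendedKeyUsage = serverAuth
EOF
  # Nothing here is publicly logged; the CA lifetime is the organization's choice.
  openssl req -x509 -newkey rsa:2048 -nodes -days 3650 -config "$1/pki.cnf" \
    -keyout "$1/ca.key" -out "$1/ca.pem" 2>/dev/null || return 1
  # The client subject is an account, not a hostname; validity is set per cert.
  issue_cert "$1" alice client "alice@example.org" 365 &&
  issue_cert "$1" web server "www.example.org" 90
}

# issue_cert DIR NAME SECTION CN DAYS: new key + CSR, signed by the internal CA.
issue_cert() {
  openssl req -new -newkey rsa:2048 -nodes -config "$1/pki.cnf" -subj "/CN=$4" \
    -keyout "$1/$2.key" -out "$1/$2.csr" 2>/dev/null &&
  openssl x509 -req -in "$1/$2.csr" -CA "$1/ca.pem" -CAkey "$1/ca.key" \
    -CAcreateserial -days "$5" -extfile "$1/pki.cnf" -extensions "$3" \
    -out "$1/$2.pem" 2>/dev/null
}

# accepted_as_client DIR CERT: succeeds only if CERT chains to the internal CA
# and its EKU permits client authentication.
accepted_as_client() {
  openssl verify -CAfile "$1/ca.pem" -purpose sslclient "$1/$2" >/dev/null 2>&1
}

work=$(mktemp -d) && make_client_pki "$work" || exit 1
for c in alice.pem web.pem; do
  if accepted_as_client "$work" "$c"; then echo "$c: accepted"; else echo "$c: rejected"; fi
done
rm -rf "$work"
```

On the nginx side, `ssl_client_certificate` pointing at `ca.pem` together with `ssl_verify_client on` enforces the same chain and purpose check during the handshake.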