How can I sign a certificate using Let's Encrypt root certificate?


I wish to enable SSL on my server. In order to sign my self generated certificate with Let’s Encrypt root or intermediate CA certificates using openssl or keytool, I do require access to Let’s Encrypt root or intermediate CA private keys.

Create a server key :

openssl genrsa -out server.key  1024

Create a server csr :

openssl req -new -key server.key -out server.csr

You are about to be asked to enter information etc.

Sign it : (isrgrootx1.der - Let’s Encrypt root CA certificate. We can also instead use intermediate CA cert’s)
We do need isrgrootx1.key as well for certificate signing.

openssl x509 -req -days 365 -in server.csr -CA isrgrootx1.der \
-CAkey isrgrootx1.key -set_serial 01 -out server.crt

Please let me know how can I generate a certificate signed by Let’s Encrypt root or intermediate CA certificates ?


You will not get those keys as that would compromise the whole CA. They are called private keys after all.


@giriraj.sharma27, as @mkoko says, only ISRG can possess the ISRG root certificate. It is only used in accordance with the Let’s Encrypt certification practice statement and certificate policy to issue certificates whose contents the Let’s Encrypt CA has verified. The private key can’t be given to other parties because then those parties could act with the authority of the CA, undermining the CA’s legal and policy responsibility to control what signatures are made in the CA’s name.

It isn’t possible to get certificates issued by Let’s Encrypt yet. This will become possible once the service is publicly available in November. At that time, all of the certificates will be issued by the Let’s Encrypt CA itself, not by its end-users. The end-users will prove control of the domains that they’re requesting certificates for, usually using the Let’s Encrypt client software to automate the request and proof process. They also do not have to manually create CSRs because the client software can also automate creation of the CSR.


@schoen @mkoko Thanks for the response. So, I must wait until Let’s Encrypt service is publicly available in November.