I will try to create a 4096 SSL certificate using this command: sudo certbot certonly --standalone -d mydomainname --rsa-key-size 4096. But it throws this error: An unexpected error occurred: TypeError: Password was not given but private key is encrypted.
And I tried another solution for this problem: create a certificate using this command: sudo certbot certonly --standalone -d my domain name, and after that change 2048 bit into 4096 bit using this command: sudo openssl req -x509 -newkey rsa:4096 -keyout privkey.pem -out cert.pem -days 365 -subj "/CN=mydomain name"
After that, 256 cert.pem converted into 4096,
but this certificate showed: CA root certificate is not trusted. To enable trust, install this certificate in the trusted root certification authorities store.
This command is probably correct, but you have inadvertently overwritten the private key managed by certbot with another private key, which you have password protected. Certbot doesn't expect its private key to be password protected, so it fails.
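A check for the condition this reply describes, a private key file that is passphrase-protected, as an added example that is not from the thread: it classifies a PEM file by its armor and header lines only. The function names and the sample files (PEM header lines around placeholder bodies, not real keys) are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): report whether a PEM private key file
# is passphrase-protected by looking only at its PEM armor/header lines.

pem_key_status() {  # $1 = path to PEM file; prints one status word
    [ -r "$1" ] || { echo "unreadable"; return 1; }
    if grep -qF -e '-----BEGIN ENCRYPTED PRIVATE KEY-----' "$1"; then
        echo "encrypted-pkcs8"          # PKCS#8 container with a passphrase
    elif grep -q -e '^Proc-Type: 4,ENCRYPTED' "$1"; then
        echo "encrypted-traditional"    # legacy PEM encryption headers
    elif grep -qF -e '-----BEGIN RSA PRIVATE KEY-----' \
                  -e '-----BEGIN EC PRIVATE KEY-----' \
                  -e '-----BEGIN PRIVATE KEY-----' "$1"; then
        echo "plain"                    # unencrypted private key
    else
        echo "not-a-private-key"
    fi
}

key_is_encrypted() {  # exit status 0 when a passphrase would be required
    case "$(pem_key_status "$1")" in encrypted-*) return 0 ;; *) return 1 ;; esac
}

make_samples() {  # $1 = directory; constructed files with placeholder bodies
    b='Q09OU1RSVUNURUQ='
    printf '%s\n' '-----BEGIN ENCRYPTED PRIVATE KEY-----' "$b" \
        '-----END ENCRYPTED PRIVATE KEY-----' > "$1/enc8.pem"
    printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'Proc-Type: 4,ENCRYPTED' \
        'DEK-Info: AES-256-CBC,00000000000000000000000000000000' '' "$b" \
        '-----END RSA PRIVATE KEY-----' > "$1/enc_trad.pem"
    printf '%s\n' '-----BEGIN PRIVATE KEY-----' "$b" \
        '-----END PRIVATE KEY-----' > "$1/plain.pem"
    printf '%s\n' '-----BEGIN CERTIFICATE-----' "$b" \
        '-----END CERTIFICATE-----' > "$1/cert.pem"
}

# Demo over the constructed samples.
demo_dir=$(mktemp -d)
make_samples "$demo_dir"
for f in "$demo_dir"/*.pem; do
    printf '%s: %s\n' "${f##*/}" "$(pem_key_status "$f")"
done
rm -rf "$demo_dir"
```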
That is not a problem now. Created cert.pem to use for API integration, but this certificate verification showed the certificate was not under a trusted path file. This is the major problem. I want a solution for this issue.
Please show this detail.
I agree (mostly)... But, I think that depending on the version of certbot, it might also need:
--key-type rsa
[in any case: it wouldn't hurt to add that in as well]
Assuming you're referring to this command:
With this command you have created a self-signed certificate (completely unrelated to Let's Encrypt) that's useless to you. If you want a (trusted) Let's Encrypt certificate, you will have to use certbot or another ACME client. Creating self-signed certificates will do nothing for you.
I tried the below command in current version
sudo certbot certonly --standalone -d my domain name --rsa-key-size 4096
but I can't get a 4096-bit certificate. Is there any solution to get a (trusted) Let's Encrypt certificate in a trusted path using certbot?
R3 intermediate itself is 2048-bit, so not sure if it matters (long-term security should be handled by an FS ciphersuite).
Unfortunately, my crystal globe is being repaired currently. Can you please elaborate on this statement? Without more information from you we can't help you. Please add logs et cetera and provide as much detail as possible.
Also:
When you opened this thread in the Help section, you should have been provided with a questionnaire. Maybe you didn't get it somehow (which is weird), or you've decided to delete it. In any case, all the answers to this questionnaire are required:
Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.
My domain is:
I ran this command:
It produced this output:
My web server is (include version):
The operating system my web server runs on is (include version):
My hosting provider, if applicable, is:
I can login to a root shell on my machine (yes or no, or I don't know):
I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
Hosting server - aws
I ran this command - sudo certbot certonly --standalone -d mydomainname --rsa-key-size 4096
It produced this output: Saving debug log to /var/log/letsencrypt/letsencrypt.log
An unexpected error occurred:
ValueError: ('Could not deserialize key data. The data may be in an incorrect format, it may be encrypted with an unsupported algorithm, or it may be an unsupported key type (e.g. EC curves with explicit parameters).', [<OpenSSLError(code=503841036, lib=60, reason=524556, reason_text=unsupported)>])
certbot --version: certbot 2.9.0
I want a 4096-bit certificate from a trusted CA root path.
Try specifying the key-type:
sudo certbot certonly --standalone -d mydomainname --key-type rsa --rsa-key-size 4096
Modern versions of certbot default to the elliptic curve key type.