How to create a SHA-1 certificate with Let's Encrypt

DST Root CA X3 has now expired, and I would like to know how to create a SHA-1 certificate with Let's Encrypt.

Previously, I had been creating certificates as follows:

① Use the certbot command to create fullchain.pem
Command used:
certbot certonly --manual -d xxx.jp -d xxx.jp --preferred-challenges dns-01 --server https://acme-v02.api.letsencrypt.org/directory --preferred-chain "DST Root CA X3"

② Download the DST Root CA X3 root certificate
③ Combine fullchain.pem, isrg-root-x1-cross-signed.pem, and privkey.pem, creating a SHA-1 SSL certificate

From October 1, 2024, is there any method of creating a SHA-1 certificate other than the above procedure?

I do not believe Let’s Encrypt supports SHA-1 as it is old and broken.

How does that create a SHA-1 certificate?

Hello @MasahiroMorita, welcome to the Let's Encrypt community. 🙂

When you opened this thread in the Help section, you should have been provided with a questionnaire. Maybe you didn't get it somehow (which is weird), or you've decided to delete it. In any case, all the answers to this questionnaire are required:

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:

I ran this command:

It produced this output:

My web server is (include version):

The operating system my web server runs on is (include version):

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know):

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):

Thank you for assisting us in helping YOU!

4 Likes

Hi @MasahiroMorita,

Please also read this: Rejecting SHA-1 CSRs and validation using TLS 1.0 / 1.1 URLs.

3 Likes

Here is the environment information that can be answered immediately.

My domain is: facepayment.jp

I ran this command:
certbot certonly --manual -d facepayment.jp -d *.facepayment.jp --preferred-challenges dns-01 --server https://acme-v02.api.letsencrypt.org/directory --preferred-chain "DST Root CA X3"
cd /etc/letsencrypt/live/facepayment.jp/
ll /var/tmp
cp -p -i fullchain.pem /var/tmp/fullchain.pem
cp -p -i privkey.pem /var/tmp/privkey.pem
cd /var/tmp/
cat fullchain.pem isrg-root-x1-cross-signed.pem privkey.pem > /var/tmp/facepayment.jp.pem

It produced this output:
fullchain.pem
privkey.pem
isrg-root-x1-cross-signed.pem
facepayment.jp.pem

The operating system my web server runs on is (include version):
RHEL 7.9

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

What kind of web server or TLS Service needs the private key in the same file?

And, why can't you just do:

cat fullchain.pem privkey.pem > /var/tmp/facepayment.jp.pem
4 Likes

SHA-1 in publicly trusted certificates has been banned since around 2017, so you surely don't need that.

3 Likes

The cross-sign of ISRG Root X1 from IdenTrust's DST Root CA X3 expired yesterday, so your workflow is not workable any longer.

Please make sure you only send a chain chaining up to an ISRG root.

3 Likes

@MasahiroMorita can you tell us more about what you need from a technical perspective? Why SHA-1?

Your certificates from Let's Encrypt have always had a SHA-256 signature (see crt.sh | facepayment.jp), but they can have a SHA-1 fingerprint (sometimes used as a certificate thumbprint/identifier in places).

Are you trying to support old Android devices?

4 Likes