How to get an SSL certificate without auto-install (manually)?


#1

Hello,
I have installed an SSL certificate on my domain via the Russian hosting company Beget.ru (which supports auto-install of Let’s Encrypt certificates), but I also have a subdomain of that domain and want to install SSL on this subdomain too. I can’t install SSL on this subdomain the way I did on the main domain (via the hosting company), because this subdomain is directed to another server.
So I need to install SSL for my subdomain on the other server it is directed to, but the problem is that this server requires me to upload a PEM file containing the merged certificate and its private key (“To link the certificate you need to generate pem-file merging certificate, intermediate certificates (if it exist) and the private key”).

So I need the certificate and its private key to generate the PEM file, which will let me install the SSL certificate for the subdomain on the other server. Is there any way to get the certificate manually?


#2

It’s not quite clear whether you have access to a command line to generate your certificate or not (since you might be using something specific to that hosting company you mentioned).

If you can use a command line, then it depends on what kind of Let’s Encrypt client is installed. For example, the official one has an option for manual mode. I do believe that alternative clients have something similar, though I can only be sure about mine (Crypt::LE), since I haven’t tested the others.

If you have your Let’s Encrypt account key in, for example, the account.key file and your subdomain is “some.domain.com”, then running it like this would do the job:

le.pl --key account.key --csr some-domain.csr --csr-key some-domain.key --crt some-domain.crt --domains "some.domain.com" --generate-missing --live

You would be asked to put a specific text into a file with a specific name under .well-known/acme-challenge/ in the webroot directory of the server your subdomain points to, and then press Enter. After that you can find the key and certificate you asked for in some-domain.key and some-domain.crt.


#3

I don’t have access to a command line.
I need something like this:

-----BEGIN CERTIFICATE-----
MIIEAzCCAuugAwIBAgIBADANBgkqhkiG9w0BAQUFADCBmzELMAkGA1UEBhMCUlUx
DzANBgNVBAgMBk1vc2NvdzEPMA0GA1UEBwwGTW9zY293MRAwDgYDVQQKDAdDb21w
YW55MRQwEgYDVQQLDAtEZXZlbG9wbWVudDEbMBkGA1UEAwwSKi5sb21pZHpmZi5i
Z2V0LnJ1MSUwIwYJKoZIhvcNAQkBFhZhZG1pbkBsb21pZHpmZi5iZ2V0LnJ1MB4X
DTE2MDMxNTE5Mjg0MloXDTE3MDMxNTE5Mjg0MlowgZsxCzAJBgNVBAYTAlJVMQ8w
DQYDVQQIDAZNb3Njb3cxDzANBgNVBAcMBk1vc2NvdzEQMA4GA1UECgwHQ29tcGFu
eTEUMBIGA1UECwwLRGV2ZWxvcG1lbnQxGzAZBgNVBAMMEioubG9taWR6ZmYuYmdl
dC5ydTElMCMGCSqGSIb3DQEJARYWYWRtaW5AbG9taWR6ZmYuYmdldC5ydTCCASIw
DQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMNbV5xHm5PuueYlcoiDS9OAHrfz
vne39aYgU1OI1ZnxtPeRHrqu/TXS21oa2nW8NwHapY8zT7yq1n0EmgIoYBJzYnzr
yqrkQqMh4ccpueHJSDFfGTXrcbQXfKg22v0NTrm4LsnXS+GkFrC/MwLB+EDX9piR
MrLSQ8msqaRwaWXd8OX+3whH4zK4oaFjFyOypuTGrBqRBsYtmNScI1syR8CP3V4s
HDvKrwVP59YGlGTMbBHirrqABTd4nK349TJz7uevuVWTTAn53jHtbu1nad1hmBoy
elNvLv0NPp8ENeYXqTiAdVkE0Mauw4NFquaZ5ueRrWavR3YLzRS4J6GA/B8CAwEA
AaNQME4wHQYDVR0OBBYEFNzJqgwX/UWJp3zJjRTlkUZA+2QNMB8GA1UdIwQYMBaA
FNzJqgwX/UWJp3zJjRTlkUZA+2QNMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEF
BQADggEBAClvWZ9X2kXRpP0rKEgb0NWqnZbSWNq4rgCpQKZPPa+Tn/tj25ryqVUZ
h+imTvXw3jq18ztmoWO1xOdLDgOutqBp4Wa2FoWFtmcG0yBGEEfcosQx1fOVHDjb
bwtVxYwPHNWjRJerrU6l2WVp+NTKsQvgXg7YkeGJFb5lgPasZqTbfu9oB50j1M2s
VfZKHGiMjd9xcFnS0Lx07G5731+sz6uCF+oJt9w17BUecj0kjIyujiGulXvMhXxi
mG+Ex4rZThHaV6Ffh1X52jpTKC261Vv7DHwL9HK8KC0BXBRtPwv3Lih00d4IO5iR
ioeBSxhjmd2hUVf/kGD7C9rkXnbsou0=
-----END CERTIFICATE-----

-----BEGIN PRIVATE KEY-----
MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQDDW1ecR5uT7rnm
JXKIg0vTgB638753t/WmIFNTiNWZ8bT3kR66rv010ttaGtp1vDcB2qWPM0+8qtZ9
BJoCKGASc2J868qq5EKjIeHHKbnhyUgxXxk163G0F3yoNtr9DU65uC7J10vhpBaw
vzMCwfhA1/aYkTKy0kPJrKmkcGll3fDl/t8IR+MyuKGhYxcjsqbkxqwakQbGLZjU
nCNbMkfAj91eLBw7yq8FT+fWBpRkzGwR4q66gAU3eJyt+PUyc+7nr7lVk0wJ+d4x
7W7tZ2ndYZgaMnpTby79DT6fBDXmF6k4gHVZBNDGrsODRarmmebnka1mr0d2C80U
uCehgPwfAgMBAAECggEASsWfVtWhmpF43bnfiJiYYS9ckpPchv4GK7ubqRFqkC2P
UmJdHJ71k7BM/MPiccXEWBVT4OeG0XOh/N/SAplpjCZVv/KP87DCQKYrQIub9euQ
kjUP9S9UqdWDhO7aCpkZVMRGREL/bDHd7XCBGcEcP9VpMSQB/6ezAnHvzFyqOq54
1zhECsDVJ2wJ3SQvRXbPoL2qk0GlSnW8l9f1v8cCgENNnDETequdNcNYEL09z3Eu
REXN1T2keO+3GuPnKC+0FZiPdnlqTFZzB392KBbwSTCtLcaZG+lrarh2itrQnAjX
bt52Yo6yY8XeLXpn3uy2dqv+YbRp9JJN485mlvgjAQKBgQDkYX5U5AU6EfJpuY5K
WmWNMpsUxFQCD3otx01X2aXu9IkH0ac0GZ2FiDNmJUjxca7vpAekJ3Q9UGChxgW6
iH5kPM6GRcT+c7E1JhHXd3j821WhaTLDhDkOZjN/oTRDsOQ9KKRkPOnLdJ5lR8cA
NP0CGtGiX4KHel7jQnC0WS/sYQKBgQDa+3LUp0B/fHNA1XCoRh28GAKSOX8vx9s6
594bj/NxLPZnfuXS05oJrHXO7SUtk7j2eX1KY+anyiX7XozycoiKvGLXi/rfrJDC
imyJYaGX6VbO/JBxQzRBnQ6O09Ui1u0W/XhS5+HRfb3i1Oaraj+j5dTFNCIOzUxN
KaMSuPW4fwKBgDqTStypEzIeskctoXIul0dMyHveExHoOFUPfiXfG/Ea5R6NRk5V
l5JNKam0PG440z6BmrgeqnCjcfVsHcIHCivZcLr9oBYHRFc2aXMTIIPyGZdprOx6
uEuaKPE+PnJyJ0gMaYWQHgLh6VJew4qpDI+Co2v7BTaMS1QMkW2gRmthAoGBALf8
IgvHhmpWjqM/cYsAdkUtyyM+Sb1EZs7EN5nixYAmbdShCsmq3bYY/1ZfaygzAGmd
w4X4D7iUIHtlgnjFgDFIfKdrRdoeK/Y3xV9b9yAifbwk+dsfws0J/0xDcMT33XW+
exT1HIcd5aeqhzAocdXr6WvTFHZpSR1fyVKWsmVTAoGAOIzN/K8kD0tc2zhXZjeI
Kiz0FM6qSQqB6w07U1FUiVMySIy2jVeufH1yMKiTeqiefCf22KJG4EyeSuLvLp/k
LVIB5zto0ikC/fMkUCABOHt58Z9H9fxUVyx2ehZC6lz0rH1qU3CvEAr/+Uh8Q6A7
BKbB/h+DsHivna91B0J0XLc=
-----END PRIVATE KEY-----

I don’t even have permission to access the server directories (where the subdomain is directed). I can only put this kind of certificate data into the PEM file and then upload this file to the site which administers the server.

How do I get this base64-decoded certificate data?
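An added example of the merging step the hosting panel asks for, not code from this thread or from any ACME client: it concatenates leaf certificate, intermediates (if any) and private key into one PEM file in that order, and before writing anything it checks that the private key actually belongs to the certificate, which is the usual reason such uploads are rejected. It uses only the Python standard library; the small DER walker pulls the RSA modulus out of both structures. Assumptions: the key is RSA in unencrypted PKCS#8 form (the "-----BEGIN PRIVATE KEY-----" shape shown above), and the file names some-domain.crt and some-domain.key in the usage comment follow the command in post #2.

```python
"""Merge leaf certificate, intermediates and private key into one PEM file,
checking first that the key matches the certificate.

Added example for this thread (not from any ACME client); standard library only.
Assumes an RSA key in unencrypted PKCS#8 form ("-----BEGIN PRIVATE KEY-----").
"""
import base64
import re
import sys

# One PEM block: label, then a base64 body (line breaks and spaces are ignored).
PEM_RE = re.compile(r"-----BEGIN ([A-Z ]+)-----(.*?)-----END \1-----", re.S)


def pem_blocks(text):
    """Return [(label, der_bytes)] for every PEM block found in text, in order."""
    return [(label, base64.b64decode("".join(body.split())))
            for label, body in PEM_RE.findall(text)]


def to_pem(label, der):
    """Encode DER bytes as a PEM block with the usual 64-character lines."""
    b64 = base64.b64encode(der).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return f"-----BEGIN {label}-----\n" + "\n".join(lines) + f"\n-----END {label}-----\n"


def der_read(buf, pos=0):
    """Read one DER TLV at pos; return (tag, contents, position after it).
    Single-byte tags and definite lengths only, which is all X.509/PKCS#8 use."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def der_children(contents):
    """Split the contents of a constructed value into its (tag, contents) children."""
    out, pos = [], 0
    while pos < len(contents):
        tag, value, pos = der_read(contents, pos)
        out.append((tag, value))
    return out


def cert_rsa_modulus(cert_der):
    """RSA modulus from an X.509 certificate's SubjectPublicKeyInfo."""
    _, certificate, _ = der_read(cert_der)                  # Certificate ::= SEQUENCE
    tbs = der_children(der_children(certificate)[0][1])     # tbsCertificate fields
    if tbs[0][0] == 0xA0:                                   # optional [0] EXPLICIT version
        tbs = tbs[1:]
    # serialNumber, signature, issuer, validity, subject, subjectPublicKeyInfo
    _algorithm, subject_public_key = der_children(tbs[5][1])
    rsa_public_key = subject_public_key[1][1:]              # BIT STRING: skip unused-bits byte
    modulus, _exponent = der_children(der_children(rsa_public_key)[0][1])
    return int.from_bytes(modulus[1], "big")


def key_rsa_modulus(key_der):
    """RSA modulus from an unencrypted PKCS#8 PrivateKeyInfo."""
    _, info, _ = der_read(key_der)                          # PrivateKeyInfo ::= SEQUENCE
    _version, _algorithm, private_key = der_children(info)[:3]
    rsa_private_key = der_children(private_key[1])[0][1]    # OCTET STRING wraps RSAPrivateKey
    fields = der_children(rsa_private_key)                  # version, modulus, publicExponent, ...
    return int.from_bytes(fields[1][1], "big")


def build_bundle(cert_pem, chain_pem, key_pem):
    """Return the merged PEM text: leaf certificate, intermediates, private key.
    Raises ValueError when the inputs are malformed or the key does not match."""
    leaf = [der for label, der in pem_blocks(cert_pem) if label == "CERTIFICATE"]
    chain = [der for label, der in pem_blocks(chain_pem) if label == "CERTIFICATE"]
    keys = [der for label, der in pem_blocks(key_pem) if label == "PRIVATE KEY"]
    if len(leaf) != 1 or len(keys) != 1:
        raise ValueError("need exactly one leaf certificate and one PKCS#8 private key")
    if cert_rsa_modulus(leaf[0]) != key_rsa_modulus(keys[0]):
        raise ValueError("private key does not belong to this certificate")
    parts = [("CERTIFICATE", leaf[0])]
    parts += [("CERTIFICATE", der) for der in chain]
    parts.append(("PRIVATE KEY", keys[0]))
    return "".join(to_pem(label, der) for label, der in parts)


if __name__ == "__main__":
    # usage: python bundle.py some-domain.crt chain.crt some-domain.key > bundle.pem
    # (pass /dev/null as chain.crt when there are no intermediates)
    if len(sys.argv) != 4:
        sys.exit("usage: bundle.py leaf.crt chain.crt key.key > bundle.pem")
    leaf_pem, chain_pem, key_pem = (open(path, encoding="ascii").read() for path in sys.argv[1:4])
    sys.stdout.write(build_bundle(leaf_pem, chain_pem, key_pem))
```

The resulting file contains the private key, so create it with a restrictive umask (0600), keep it off shared or version-controlled locations, and delete local copies once the hosting panel has accepted the upload. The order leaf, intermediates, key is the one most panels expect; if the panel wants the key first, swap the two `parts` entries, the match check stays the same.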


#4

If the data published above is not from a test run against the staging server, I would recommend removing it, revoking the certificate and re-generating the key/cert.

As for the question - it’s still not clear how you verify ownership of that subdomain (considering that you don’t have permissions to access directories there). Can you add DNS records? How did you do it for the main domain, for example?


#5

Let me tell you like this: especially if you don’t have access to a command line, manual mode is going to be a pain.
Honestly, in that case you are better off with StartSSL; they may allow just 5 domains, but the process is a lot more straightforward and easy.
You may not use wildcards (*), but that’s the same for Let’s Encrypt.