How to get the following certificates

winanjaya · October 2, 2019, 4:15am

Hi All,

We use letsencrypt, how to get the following certificates from our domain:

Root CA
CA Class 1
CA Class 2
CA Class 3
CA Class 4

Root CA SSL
SSL Class 1
SSL Class 2
SSL Class 3
SSL Class 4

mnordhoff · October 2, 2019, 4:19am

Without more context, that doesn’t make sense. Can you provide more information? What software is asking you for that? Does it explain what it means? Can you provide any links?

winanjaya · October 2, 2019, 4:24am

sorry, I don’t understand what you mean?.. what info you want?

our domain is: primteksolusindo.com and we use letsencrypt

mnordhoff · October 2, 2019, 4:25am

What’s a CA Class 1, 2, 3 or 4? What is an SSL Class 1, 2, 3 or 4? What’s the difference between a Root CA and a Root CA SSL? What do you need them for?

winanjaya · October 2, 2019, 4:38am

Hi,
I see this link and I want to follow them, again what we have is only letsencrypt SSL certificate… need advice…

thanks

cpu · October 2, 2019, 3:30pm

I’m still confused by your messages. Can you tell us what you end goal is? If you’re using an ACME client like Certbot get your certificates you don’t need to take any extra steps or manually download any root CA certificates.

danb35 · October 2, 2019, 10:23pm

What about that page makes you think it's an example you should follow?

schoen · October 2, 2019, 11:29pm

A page like that one is mostly beneficial for a certificate authority, not for a regular site that uses the certificate authority’s services.

The approximate equivalent page for Let’s Encrypt is probably

Individual web sites that use Let’s Encrypt services do not have to post this information and gain no benefit from posting it.

winanjaya · October 3, 2019, 1:10am

@danb35,

we are in the progress to launch our digital signature web app, we use Letsencrypt for our domain and we create .pfx based on .pem that generated by Letsencrypt and our app will do digital signing to the uploaded pdf using that .pfx.

The government’s regulation requires us to
inform root CA certificates, chains etc in the website, the link that I gave in my previous message is one of the provider here.

any idea or suggestion?

many thanks in advance

cpu · October 3, 2019, 2:01pm

In this case I think what you're looking for is the documentation page that @schoen linked to: Chain of Trust - Let's Encrypt This page has Let's Encrypt's root and intermediate certificates. If these don't meet your requirement I think you'll have to be more specific about the government's regulations and how they are met.

Good luck!

schoen · October 3, 2019, 7:03pm

Would you be willing to share which country and which regulation that is? I haven't heard of a rule like this anywhere so far, although I know each country's PKI regulations may be different.

hagman · October 6, 2019, 10:23am

This does not sound like a feasible application of Let's Encrypt - or I misunderstand your intentions completely.
It seems that you want to enable a person John Doe to electronically sign a file (e.g., a PDF document) using a private key that has been certified by LE. While you technically can use LE to create such a key for, say, for the DNS name john-doe.yourdomain.example, this would mean that the signature is on behalf of the DNS name john-doe.yourdomain.com, not on behalf of the person John Doe (not even on behalf of the owner of a possibly existing mailbox john-doe@yourdomain.example). As such, it would not fulfill the purpose of a signature: That one can verify that the signing person acknowledges authorship of and/or responsibility for the document content (which might be a contract, for example).
Note that it would be very simple for me to counterfeit the process by doing the same and signing a fake document in the name of said John Doe by using a key I can readily acquire for john-doe.mydomain.example.

Thus for signatures in this sense, additional scrutiny is required. In order to be accepted, you have to essentially become a CA of your own (or a suitable subordinate CA) and employ processes that ensure that certificates you issue have the appropriate properties, i.e., are certified not only for a web server and its DNS name, but for a uniquely identifiable natural person (there could be several John Doe's, couldn't there?); that precautions against abuse are made (e.g., that the certificate needs to be stored on a chip card and can only be used with 2FA); and perhaps a lot more - including scrutiny assessments by the government.

To summarize again, this is not what LE is or even can be for - or I totally misunderstood the intentions.

winanjaya · October 6, 2019, 3:21pm

@hagman
You are absolutely correct that’s what I mean, and yes it is not possible to use LE for this purposes.

Do you have any idea or suggestion to accomplish this?

Thanks

system · November 5, 2019, 3:21pm

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Idea Regarding Communication of Root Certificate Authority Client dev	3	1176	December 25, 2017
Help getting Let's encrypt certificate Help	2	127	November 6, 2024
Help with lets encrypt SSL certificate. How to get? Help	3	1006	February 24, 2018
How do I add "letsencrypt" to my hosting? Help	3	567	March 19, 2019
SSL to buy for my website Help	37	970	February 5, 2024

How to get the following certificates

Related topics