Let's Encrypt for SaaS vendors

I am trying to create a certificate for a domain which is not manually administered by us but is a SaaS service by one of our vendors.
In this case, should I use Let's Encrypt from any machine/EC2 instance to create the certificate? Is there any specific way I should be doing this? Please let me know (as I found 0 to no references on SaaS examples).
Once done, my plan is to use this command: sudo certbot certonly --manual -d www.website.com

Thank you for your input
Akshay Jadhav

1 Like

The recommended way is for the SaaS vendor themselves to manage certificates. That way they can automatically renew the certificates when needed.

If your SaaS provider doesn't support automatically provisioning certificates, and wants you to manually upload a certificate, then you can use certbot in a number of ways. We always recommend having automated renewals, which can be much trickier if you need to upload a new certificate to your SaaS provider each renewal.

Manually issuing a certificate by running certbot and then uploading a certificate will work, if that's your only option.

4 Likes

Thanks for your response @mcpherrinm
I will have to choose the option of managing the certificates ourselves and not depending on the SaaS vendor.
It would be kind of you if you could please point me to some documentation so that I can achieve this.
Where should I ideally be running this command to generate the certificate? (Is any machine/EC2 fine?)

Thanks again
Akshay

1 Like

See:
Getting Started - Let's Encrypt (letsencrypt.org)

3 Likes

Thanks for the link @rg305

2 Likes

As your domain will be pointing to the SaaS service, you won't be able to use HTTP validation (which is the usual method of proving domain control); you should look at DNS validation instead (where you create a TXT record in your DNS).

What format does your SaaS provider require for the certificate files?

3 Likes
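The DNS validation mentioned above works by publishing a TXT record at _acme-challenge.<domain> whose value is derived from the challenge token and the ACME account key (RFC 8555 DNS-01). The following is an added example, not code from this thread or from certbot: it computes that value and checks a DNS lookup result against it, so you can confirm the record is live before telling certbot --manual to continue. The JWK and token are constructed placeholders, not real key material.

```python
import base64
import hashlib
import json

# Constructed account key (JWK form) and challenge token; not real values.
CONSTRUCTED_JWK = {"kty": "RSA", "e": "AQAB", "n": "constructed-not-a-real-modulus"}
CONSTRUCTED_TOKEN = "constructed-challenge-token"


def b64url(data: bytes) -> str:
    """Base64url without '=' padding, as ACME requires everywhere."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def canonical_jwk(jwk: dict) -> str:
    """RFC 7638 canonical form: only the required members, sorted keys, no whitespace."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    return json.dumps({k: jwk[k] for k in required}, separators=(",", ":"), sort_keys=True)


def jwk_thumbprint(jwk: dict) -> str:
    """Account key thumbprint = base64url(SHA-256(canonical JWK JSON))."""
    return b64url(hashlib.sha256(canonical_jwk(jwk).encode("utf-8")).digest())


def dns01_txt_value(token: str, jwk: dict) -> str:
    """TXT value the CA expects: base64url(SHA-256(token '.' thumbprint))."""
    key_authorization = f"{token}.{jwk_thumbprint(jwk)}"
    return b64url(hashlib.sha256(key_authorization.encode("ascii")).digest())


def challenge_record_name(domain: str) -> str:
    """Record name to create; a wildcard name validates at the base name."""
    base = domain[2:] if domain.startswith("*.") else domain
    return f"_acme-challenge.{base}"


def txt_record_published(expected: str, observed: list[str]) -> bool:
    """True if any TXT string returned by a resolver matches exactly.

    Resolvers often quote TXT strings; strip quotes/whitespace but never
    change case or trim the value itself, since the CA compares exactly.
    """
    return any(v.strip().strip('"') == expected for v in observed)


if __name__ == "__main__":
    value = dns01_txt_value(CONSTRUCTED_TOKEN, CONSTRUCTED_JWK)
    print(challenge_record_name("www.website.com"), "TXT", value)
```

In practice certbot prints the exact name and value to publish; use the check above against what your resolver actually returns, since the CA will only ever see the published record.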

I appreciate your response on this @webprofusion.
Whilst I am trying out the DNS manual mode you suggested, I'll give you some background on the scenario.

I am actually trying to find a space to save my SaaS certificate. I have a certificate issued by GlobalSign. Since I couldn't find a space, I was ready to create a new certificate and then save it.
I thought Let's Encrypt would be a good place to store certificates.

Is there a way I can achieve this? (Considering it is SaaS and I don't have access to any of the web servers.) However, I do have a certificate file and private key.

I guess you'd have to ask your SaaS provider if you can use your certificate in the first place?

6 Likes

As @Osiris mentioned, does your SaaS provide an option to upload a certificate? If not, there would be no way to use a certificate you have.

7 Likes

Thank you for the suggestions @webprofusion and @Osiris
I did get in touch with JFrog, and they said "For Artifactory SaaS you will not be able to proxy resources that use untrusted (i.e., self-signed) certificates"

Before we conclude this, one last question, please.
If I have (.csr, .key, .crt) files, can I at least store these as a certificate with Let's Encrypt?

Thank you

1 Like

What do you mean by this, "store with Let's Encrypt"? I don't understand...

3 Likes

I meant, would "Let's Encrypt" provision me to store a certificate? Just like a certificate manager.

In a sense, yes. If you retain the download link provided by the ACME server, you could download the certificate again later on. I'm not sure for how long, though; at some point the server will "forget" the certificate.

However, you could also use certificate transparency log aggregators such as crt.sh to download the certificate again. Note that those services also won't provide the chain.

And the private key is never known to anyone but yourself, so you'd need to store that yourself anyway.

4 Likes

This is a bit of a tangent to the thread, but:

At least for the lifetime of the certificate, but not forever.

5 Likes

I think a few of the responses above are missing some of the context you have shared across multiple comments.

Let's Encrypt is not a Certificate Manager, it is a Certificate Authority and a competitor to GlobalSign.

The ACME protocol is used to generate a Publicly Trusted (not self-signed) DV (Domain Validated) Certificate automatically, just like you would provision through Globalsign.

Let's Encrypt provides this service for free, but the certificates are meant to be automated, so they only last for 90 days. GlobalSign offers a 365-day certificate, but it is a commercial product that costs $249.

It is 2022; all SaaS vendors should be offering free DV certificates through Let's Encrypt or another vendor. Yours does not.

Your options are:

  1. Switch to another vendor.
  2. Purchase a longer certificate (365 days) from a vendor. This could be GlobalSign, but other vendors will charge much less, even as low as $5/year.
  3. Purchase a commercial CDN contract with a vendor like Cloudflare that will encrypt the connection between your users and their edge. Cloudflare will allow you to use expired or self-signed certificates to encrypt the connection between your origin server and their network, and force all users to communicate via HTTPS.

7 Likes

That was a thoroughly splendid explanation.

Having one foot in the Let's Encrypt ecosystem and the other in Cloudflare's, my preference is for Let's Encrypt certificates behind Cloudflare. If that is not to one's liking, the next best option is to use the Cloudflare Origin CA. I find those preferable to using:

although they can be made to work at the expense of validation.

4 Likes

For those who don't know what this is: Cloudflare offers long-term certificates from their own "Cloudflare Origin CA". They are not publicly trusted.

These are available from the control panel, and you can specify what "exceptions" are allowable: e.g. must the names match, can the cert be expired, etc.

3 Likes