I am trying to create a certificate for a domain which is not manually administered by us but is a SaaS service run by one of our vendors.
In this case, should I use Let's Encrypt from any machine/EC2 instance to create the certificate? Is there any specific way I should be doing this? Please let me know (as I found few to no references on SaaS examples).
Once done, my plan is to use this command: sudo certbot certonly --manual -d www.website.com
The recommended way is for the SaaS vendor themselves to manage certificates. That way they can automatically renew the certificates when needed.
If your SaaS provider doesn't support automatically provisioning certificates, and wants you to manually upload a certificate, then you can use certbot in a number of ways. We always recommend having automated renewals, which can be much trickier if you need to upload a new certificate to your SaaS provider each renewal.
Manually issuing a certificate by running certbot and then uploading a certificate will work, if that's your only option.
Thanks for your response @mcpherrinm
I will have to choose the option of managing the certificates ourselves and not depending on the SaaS vendor.
It would be kind of you if you could please point me to some documentation so that I can achieve this.
Where should I ideally be running this command to generate the certificate? (Is any machine/EC2 instance fine?)
As your domain will be pointing to the SaaS service, you won't be able to use HTTP validation (which is the usual method of proving domain control). You should look at DNS validation instead (where you create a TXT record in your DNS).
What format does your SaaS provider require for the certificate files?
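For the DNS validation route mentioned above, this added example (not part of the thread, and not certbot's own code) shows how the TXT record value certbot asks you to publish at _acme-challenge.<domain> is derived: base64url(SHA-256(token "." account-key-thumbprint)) per RFC 8555 section 8.4, with the thumbprint computed per RFC 7638. The account JWK and challenge token below are constructed placeholders; in practice they come from your ACME account key and the server's challenge.

```python
import base64
import hashlib
import json

# Constructed placeholder account key (EC P-256 JWK); the coordinate strings are
# not a real key, they only need to be stable for the thumbprint computation.
ACCOUNT_JWK = {
    "kty": "EC",
    "crv": "P-256",
    "x": "placeholder-x-coordinate-not-a-real-key-000",
    "y": "placeholder-y-coordinate-not-a-real-key-000",
    "alg": "ES256",  # optional member: excluded from the thumbprint by RFC 7638
}

# RFC 7638 section 3.2: only these members, in lexicographic order, are hashed.
REQUIRED_MEMBERS = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}


def b64url(data: bytes) -> str:
    """Base64url without '=' padding, as ACME (RFC 8555) requires everywhere."""
    return base64.urlsafe_b64encode(data).decode("ascii").rstrip("=")


def canonical_jwk(jwk: dict) -> str:
    """Canonical JSON of the required members: sorted keys, no whitespace."""
    members = REQUIRED_MEMBERS[jwk["kty"]]
    return json.dumps({m: jwk[m] for m in members}, sort_keys=True, separators=(",", ":"))


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 JWK thumbprint: base64url(SHA-256(canonical JSON))."""
    return b64url(hashlib.sha256(canonical_jwk(jwk).encode("utf-8")).digest())


def key_authorization(token: str, jwk: dict) -> str:
    """RFC 8555 section 8.1 key authorization string: token '.' thumbprint."""
    return f"{token}.{jwk_thumbprint(jwk)}"


def dns01_txt_value(token: str, jwk: dict) -> str:
    """The dns-01 record value: base64url(SHA-256(key authorization))."""
    digest = hashlib.sha256(key_authorization(token, jwk).encode("utf-8")).digest()
    return b64url(digest)


def txt_record_matches(published: str, token: str, jwk: dict) -> bool:
    """Check a TXT value you see in DNS (e.g. from dig) before telling certbot to continue."""
    return published.strip().strip('"') == dns01_txt_value(token, jwk)


if __name__ == "__main__":
    token = "constructed-challenge-token-not-from-a-real-ca"  # placeholder
    value = dns01_txt_value(token, ACCOUNT_JWK)
    print(f'_acme-challenge.www.website.com. 300 IN TXT "{value}"')
```

Before answering certbot's prompt, confirm the record has propagated (for example with dig TXT _acme-challenge.www.website.com) and that the value you see passes txt_record_matches; the validation fails if the CA's resolvers still see an old or missing record.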
I appreciate your response on this @webprofusion.
Whilst I am trying out the DNS manual mode you suggested, I'll give you some background on the scenario.
I am actually trying to find a place to save my SaaS certificate. I have a certificate issued by GlobalSign. Since I couldn't find a place, I was ready to create a new certificate and then save it.
I thought Let's Encrypt would be a good place to store certificates.
Is there a way I can achieve this? (Considering it is SaaS and I don't have access to any of the web servers.) However, I do have a certificate file and private key.
Thank you for the suggestions @webprofusion and @Osiris
I did get in touch with JFrog, and they said "For Artifactory SaaS you will not be able to proxy resources that use untrusted (i.e., self-signed) certificates"
Before we conclude this, one last question, please.
If I have (.csr, .key, .crt) files, can I at least store these as a certificate with Let's Encrypt?
In a sense, yes. If you retain the download link provided by the ACME server, you could download the certificate again later on. I'm not sure for how long though; at some point the server will "forget" the certificate.
However, you could also use certificate transparency log aggregators such as crt.sh to download the certificate again. Note that those services also won't provide the chain.
And the private key is never known to anyone but yourself, so you'd need to store that yourself anyway.
I think a few of the responses above are missing some of the context you have shared across multiple comments.
Let's Encrypt is not a certificate manager; it is a Certificate Authority and a competitor to GlobalSign.
The ACME protocol is used to generate a publicly trusted (not self-signed) DV (Domain Validated) certificate automatically, just like you would provision through GlobalSign.
Let's Encrypt provides this service for free, but the certificates are meant to be automated, so they only last for 90 days. GlobalSign offers a 365-day certificate, but it is a commercial product that costs $249.
It is 2022; all SaaS vendors should be offering free DV certificates through Let's Encrypt or another vendor. Yours does not.
Your options are:
Switch to another vendor.
Purchase a longer certificate (365 days) from a vendor. This could be GlobalSign, but other vendors will charge much less, even as low as $5/year.
Purchase a commercial CDN contract with a vendor like CloudFlare that will encrypt the connection between your users and their edge. Cloudflare will allow you to use expired or self-signed certificates to encrypt the connection between your origin server and their network, and force all users to communicate via HTTPS.
Having one foot in the Let's Encrypt ecosystem and the other in Cloudflare's, my preference is for Let's Encrypt certificates behind Cloudflare. If that is not to one's liking, the next best option is to use the Cloudflare Origin CA. I find those preferable to using:
although they can be made to work at the expense of validation.