Managing Non Let's Encrypt Certificates with Certbot


#1

Hi, I have a problem. My client has his certificate installed on cyberneticos.com, a non-dedicated server without root access.

The certificate is installed using a web-based interface, and I can only access a text like this:

-----BEGIN RSA PRIVATE KEY-----
MIIJJwIBAAKCAgEAqmhJHef8XAilC0H4aFWtayc
…Some chars here…
-----END RSA PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
MIIGIDCCBQigAwIBAgISA/agAIB1g70TJe5
…Some chars here…
-----END CERTIFICATE-----

The destination server is a dedicated server where I have root access, and I want to use certbot to manage the cert. It seems easy, and when I install it all seems OK, but obviously the cert can’t be generated because it’s already generated for another IP.

Where can I put this plain-text certificate to use it with certbot?

Thanks in advance.


#2

Hi @samuelsolis,

Certbot doesn’t really have a feature to import a certificate that was generated by other software. In any case, I’m not exactly sure what the benefit of doing so would be. If you think that you can’t obtain new certificates on the machine with Certbot, then having the certificates “managed by” Certbot isn’t so helpful, because Certbot’s main function and use is for obtaining new certificates.

If you can obtain certificates on that machine, it is OK to obtain a fresh, duplicative certificate because it’s valid to have several certificates for the same domain name in existence and in use at the same time. There are rate limits from Let’s Encrypt that restrict how quickly you can request new ones, but overall having several at the same time is no problem.

I would also like to point out that you should usually not post any of the text for a private key on a forum or in another place, even a short excerpt. One of my colleagues a few years ago researched the question of how to reconstruct a complete RSA private key given only some of the bits, and there are techniques that try to achieve this efficiently. That means that revealing only a portion of the private key may compromise its security, and the safest habit by far is to completely refrain from posting any information from the private key file at all.

Fortunately, in this case it happens that the beginning of a PEM-format private key file like this one starts with the public modulus n and public exponent e before any of the private parameters, and so you have actually only revealed some information about the public key rather than information about the private key. :) Still, I’d advise everyone to get into the habit of not posting even excerpted or redacted data from private key files.

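The field-order point made in the reply above can be checked directly. The following is an added example, not code from this thread or from Certbot: it builds a deliberately tiny PKCS#1 RSAPrivateKey structure with a hand-written DER encoder (standard library only), wraps it in the same PEM framing as the snippet in the question, and then reports which fields a given number of leading base64 characters actually exposes. The field order (version, n, e, d, p, q, dp, dq, qinv) is the one RFC 8017 Appendix A.1.2 specifies; the demo primes 2^61-1 and 2^89-1, the public exponent 65537, and all function names are constructed for illustration and are far too small for real use.

```python
"""Constructed example: where the public parameters sit inside a PEM "RSA PRIVATE KEY".

Builds a tiny, insecure, demo-only PKCS#1 RSAPrivateKey with a hand-rolled DER
encoder, PEM-wraps it, then reports which fields a leaked prefix of the base64
body exposes. Standard library only.
"""
import base64

# INTEGER field order in a PKCS#1 RSAPrivateKey (RFC 8017, Appendix A.1.2).
RSA_PRIVATE_KEY_FIELDS = ("version", "n", "e", "d", "p", "q", "dp", "dq", "qinv")


def der_length(length):
    """Encode a DER length in short or long form."""
    if length < 0x80:
        return bytes([length])
    body = length.to_bytes((length.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der_integer(value):
    """Encode a non-negative integer as a minimal DER INTEGER."""
    body = value.to_bytes(max(1, (value.bit_length() + 7) // 8), "big")
    if body[0] & 0x80:
        body = b"\x00" + body  # leading zero keeps the two's-complement value positive
    return b"\x02" + der_length(len(body)) + body


def der_sequence(elements):
    content = b"".join(elements)
    return b"\x30" + der_length(len(content)) + content


def build_rsa_private_key_der(p, q, e):
    """Assemble an RSAPrivateKey DER blob from primes p, q and public exponent e."""
    n = p * q
    phi = (p - 1) * (q - 1)
    d = pow(e, -1, phi)
    values = (0, n, e, d, p, q, d % (p - 1), d % (q - 1), pow(q, -1, p))
    return der_sequence([der_integer(v) for v in values])


def pem_wrap(der, label="RSA PRIVATE KEY"):
    """Base64 the DER and wrap it in PEM armour, 64 characters per line."""
    b64 = base64.b64encode(der).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return f"-----BEGIN {label}-----\n" + "\n".join(lines) + f"\n-----END {label}-----\n"


def pem_body(pem):
    """Return the concatenated base64 body between the BEGIN/END lines."""
    return "".join(ln.strip() for ln in pem.splitlines() if not ln.startswith("-----"))


def parse_rsa_private_key_layout(der):
    """Walk the outer SEQUENCE and return [(field, start, end)] byte offsets."""
    assert der[0] == 0x30, "expected SEQUENCE"
    pos = 1
    pos += 1 + (der[pos] & 0x7F) if der[pos] & 0x80 else 1  # skip the length octets
    layout = []
    for name in RSA_PRIVATE_KEY_FIELDS:
        start = pos
        assert der[pos] == 0x02, "expected INTEGER"
        pos += 1
        if der[pos] & 0x80:
            nbytes = der[pos] & 0x7F
            length = int.from_bytes(der[pos + 1:pos + 1 + nbytes], "big")
            pos += 1 + nbytes
        else:
            length = der[pos]
            pos += 1
        pos += length
        layout.append((name, start, pos))
    return layout


def fields_revealed(pem, prefix_chars):
    """List (field, 'complete'|'partial') for fields touched by the first prefix_chars of the body."""
    body = pem_body(pem)
    full_der = base64.b64decode(body)
    # Only whole base64 quads decode; a partial quad reveals no complete byte.
    revealed_len = len(base64.b64decode(body[:prefix_chars - prefix_chars % 4]))
    result = []
    for name, start, end in parse_rsa_private_key_layout(full_der):
        if start >= revealed_len:
            break
        result.append((name, "complete" if end <= revealed_len else "partial"))
    return result


# Constructed demo key: two Mersenne primes, nowhere near a real key size.
DEMO_P = 2**61 - 1
DEMO_Q = 2**89 - 1
DEMO_PEM = pem_wrap(build_rsa_private_key_der(DEMO_P, DEMO_Q, 65537))

if __name__ == "__main__":
    print(DEMO_PEM)
    for chars in (20, 36, 64, len(pem_body(DEMO_PEM))):
        print(f"{chars:3d} leading chars ->", fields_revealed(DEMO_PEM, chars))
```

With this toy key, 36 leading characters expose the version and the whole modulus n and part of e, which is exactly the situation the reply describes; one full 64-character line already reaches into d, and with a real 2048- or 4096-bit key the modulus alone spans many lines, so the same prefix would stop well inside n. The lesson is the same either way: how much of the private material a snippet leaks depends on where the cut falls, which is not something to estimate by eye before pasting.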

#3

Hi @samuelsolis

If you are looking for a solution to manage certificates (LetsEncrypt or others), have a look at the options below.

https://www.manageengine.com/key-manager/
https://www.css-security.com/software/cms-enterprise-for-pki-operations/

Andrei

