Need a Dedicated Root CA with Public/Private Key Pair for Mutual TLS Authentication


  1. I am using nginx webserver.

  2. I create a Sever and Client CSRs

  3. I sign both CSRs with Dedicated Lets encrypt Root CA's cert and key, then generate server.crt and client.crt

  4. Convert client.crt to PFX client.pfx (For browser usage)

Nginx Config for Ref,

ssl_protocols TLSv1.1 TLSv1.2;
ssl_certificate /etc/ssl/selfsigned/server.crt;
ssl_certificate_key /etc/ssl/selfsigned/server.key;
ssl_client_certificate /etc/ssl/selfsigned/dedicatedletsencryptCA.crt;
ssl_verify_client on;

Note : When I am accessing my server resource , I need to authenticate with my client certificate and after authentication I need a green lock on my browser without any browser error or exceptions.

Kindly help.

*Will lets encrypt provide Dedicated Root CA with Public/Private Key Pair ?

I'm not entirely sure what you mean by that, could you perhaps elaborate for dumb people like myself?


No. Let's Encrypt does not issue certificates for that purpose. You will need to manage your own private certificate authority for mTLS .


As @linkp state that is not what Let's Encrypt does.
Let’s Encrypt offers Domain Validation (DV) certificates.


How is that possible?
If anyone else ever has the LE Root CA cert and key, it would be a very bad thing.

That said, LE doesn't provide certs that can sign other certs.


Let's Encrypt does not provide dedicated roots. You'll have to either operate your own CA for this, or use a commercial service to host it for you.

You could use regular Let's Encrypt certificates as client certs, but I believe nginx's built-in support for restricting client certs is limited to the $ssl_client_fingerprint variable, which means you'd need to frequently update it each time a new certificate is issued. You have to use other authentication options to reasonably do this.


Being I'm the process of trying to setting up root CA. The link "Domain Validation (DV) certificates" (@Bruce5051) explicitly states what Let's Encrypt "does". It does not explicitly state what Let's Encrypt does not do. If it did this would save a few people a pile of time fussing with something that is not going to work. I suppose you can say it's implied.

I'm glad I found this post, so now I can stop wasting my time.
I will use Let's Encrypt when my web site goes live.

@RedSLRoadster seems they do state "We do not offer Organization Validation (OV) or Extended Validation (EV) primarily because we cannot automate issuance for those types of certificates." From that link.


"Need a Dedicated Root CA with Public/Private Key Pair for Mutual TLS Authentication" would seem to imply that you wouldn't need LE service.
If your created certifices need to be accepted at large it seem you need to have your CA added to the Root Anchor Trusts of the top browsers and OSes.


Do you have any idea how long that list would be?

  • it doesn't remove stains
  • it can't be used as a doorstop
  • it shouldn't be ingested [not to be used as a food additive]
  • it won't cure bladness/nor any physical ailments
  • it can't be used as an actual license to do anything anywhere by anyone
  • it won't float [do not use as a life preserver]
  • do not use if allergic to any of its' ingredients
  • may impede normal packet speeds
  • use only as directed

I'm sure I've missed a few hundred thousand other things it can't do.


Please try to remain civil here, folks. This is a service routinely offered by other CAs. There's no need to be snarky here just because Let's Encrypt doesn't offer it.