Firstly, I think that this is a brilliant application. However, I am super new to web hosting and still have a ton to learn. I have very limited HTTPS configuration knowledge and I am trying hard to change this.
Is it possible/can it be possible in the future to only generate a .crt for a domain and configure the Apache configuration files manually (after generating the .csr and .key using OpenSSL)? I believe that this would greatly help me understand how everything works together.
This is possible indeed. Use "certonly" and "--csr" with the official client. You can choose between the "webroot" and "manual" authenticator.
One thing that might also be pretty interesting is if LE could just create the CSR command to use with your own key, because the CSR command line actually tends to be tedious, especially when working with SANs.
I use this script to generate a CSR with SAN from private key.
For instance:
( 12:51:41 ) < /tmp > [ 0 ]
$ openssl genpkey -algorithm rsa -pkeyopt rsa_keygen_bits:4096 -outform PEM -out key.pem
...............................................................................................................................++
....................................................................................................................................................................................................................................................................................................................++
( 12:51:45 ) < /tmp > [ 0 ]
$ ./csr.sh key.pem
Private Key and Certificate Signing Request Generator
This script was designed to suit the request format needed by
the CAcert Certificate Authority. www.CAcert.org
Short Hostname (ie. imap big_srv www2): imap
FQDN/CommonName (ie. www.example.com) : imap.example.com
Type SubjectAltNames for the certificate, one per line. Enter a blank line to finish
SubjectAltName: DNS:smtp.example.com
SubjectAltName: DNS:
# -------------- BEGIN custom openssl.cnf -----
HOME = /home/valentin
oid_section = new_oids
[ new_oids ]
[ req ]
default_days = 730 # how long to certify for
distinguished_name = req_distinguished_name
default_keyfile = /tmp/key.pem
encrypt_key = no
string_mask = nombstr
req_extensions = v3_req # Extensions to add to certificate request
[ req_distinguished_name ]
commonName = Common Name (eg, YOUR name)
commonName_default = imap.example.com
commonName_max = 64
[ v3_req ]
subjectAltName=DNS:smtp.example.com
# -------------- END custom openssl.cnf -----
Running OpenSSL...
Copy the following Certificate Request and paste into CAcert website to obtain a Certificate.
When you receive your certificate, you 'should' name it something like imap_server.pem
-----BEGIN CERTIFICATE REQUEST-----
...
-----END CERTIFICATE REQUEST-----
That's just part of a small Bash """script""" 'parsing' the arguments to that script. It doesn't parse multiple hostnames yet, but as you can see, generating SAN CSRs from the command line is quite simple.
Also, this is all quite offtopic to the original question...
When you have to create a config and feed that to the openssl script (that's what the <(cat /etc/ssl/openssl.cnf <(printf part does), it is tedious and overly complex. Also, why the need to save the cnf (and then in /etc) that is probably overwritten every time someone makes a CSR?
So since I am not sure (and I am not really experienced with bash scripting), let me take an uneducated guess. Instead of messing with the file, this <(printf and so on part instead messes with the cat'ed output?
But still, going to the lengths of outputting a config and manipulating the output is in my opinion way too complicated…
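The CSR-with-SANs generation that the script above performs, and the config-file handling questioned in the previous post, can be done without touching /etc or using process substitution at all: write a throwaway config with only the sections openssl needs, point the req command at it, and delete it afterwards. The following is an added example written for this thread; it is not the csr.sh script from the earlier post nor part of the Let's Encrypt client. The hostnames imap.example.com and smtp.example.com are constructed, and the function names gen_san_csr, csr_sans and demo are this example's own.

```shell
# gen_san_csr KEYFILE OUTFILE HOST1 [HOST2 ...]
# Builds a CSR for an existing private key. Every hostname becomes a DNS
# SubjectAltName; the first one is also used as the CommonName. The OpenSSL
# config is a temporary file, so the system openssl.cnf is never modified.
gen_san_csr() {
    key="$1"; out="$2"; shift 2
    cn="$1"
    # Turn the remaining arguments into "DNS:a,DNS:b,..."
    san=""
    for h in "$@"; do
        san="${san:+$san,}DNS:$h"
    done
    # Minimal config: [req] names the DN and extension sections;
    # prompt=no takes the CN from the file instead of asking interactively.
    cfg=$(mktemp) || return 1
    printf '%s\n' \
        '[ req ]' \
        'prompt = no' \
        'distinguished_name = dn' \
        'req_extensions = ext' \
        '[ dn ]' \
        "CN = $cn" \
        '[ ext ]' \
        "subjectAltName = $san" > "$cfg"
    openssl req -new -sha256 -key "$key" -config "$cfg" -out "$out"
    rc=$?
    rm -f "$cfg"
    return $rc
}

# csr_sans FILE
# Prints the SAN line of a CSR, so the request can be checked for the
# expected names before it is sent to a CA.
csr_sans() {
    openssl req -in "$1" -noout -text \
        | grep -A1 'Subject Alternative Name' \
        | tail -n 1 \
        | sed 's/^[[:space:]]*//'
}

# demo: fresh 2048-bit RSA key plus a CSR covering two constructed hostnames;
# returns the SAN line found in the resulting request.
demo() {
    dir=$(mktemp -d) || return 1
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$dir/key.pem" 2>/dev/null || return 1
    gen_san_csr "$dir/key.pem" "$dir/req.pem" imap.example.com smtp.example.com || return 1
    csr_sans "$dir/req.pem"
    rm -rf "$dir"
}
```

On OpenSSL 1.1.1 and later the config file can be skipped entirely with -subj "/CN=imap.example.com" -addext "subjectAltName=DNS:imap.example.com,DNS:smtp.example.com"; the config-file form above works on older releases too. Whichever way the CSR is produced, reading it back with openssl req -noout -text is the check worth keeping: a CA will happily sign a request that is missing a name you forgot to add.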
One thing to know about --csr is that letsencrypt renew is not able to renew certificates obtained this way, so you'll need to figure out another approach to renewal for when the certificates expire.