Only generate .crt


#1

Firstly, I think that this is a brilliant application. However, I am super new to web hosting and still have a ton to learn. I have very limited HTTPS configuration knowledge and I am trying hard to change this.

Is it possible/can it be possible in the future to only generate a .crt for a domain and configure the Apache configuration files manually (after generating the .csr and .key using OpenSSL)? I believe that this would greatly help me understand how everything works together.

Thanks for reading.

Respectfully,
Robert J.


#2

This is possible indeed. Use 'certonly' and '--csr' with the official client. You can choose between the 'webroot' and 'manual' authenticator.


#3

Thanks for the quick reply!

I’m going to look into doing this first thing in the morning.


#4

One thing that might also be pretty interesting: if LE could just create the CSR command to use with your own key, because actually the CSR command line tends to be tedious, especially when working with SANs.


#5

I use this script to generate a CSR with SAN from private key.

For instance:

─( 12:51:41 )─< /tmp >─────────────────────────────────────────────────────────────────────────────[ 0 ]─
 $ openssl genpkey -algorithm rsa -pkeyopt rsa_keygen_bits:4096 -outform PEM -out key.pem
...............................................................................................................................++
....................................................................................................................................................................................................................................................................................................................++
─( 12:51:45 )─< /tmp >─────────────────────────────────────────────────────────────────────────────[ 0 ]─
 $ ./csr.sh key.pem 
Private Key and Certificate Signing Request Generator
This script was designed to suit the request format needed by
the CAcert Certificate Authority. www.CAcert.org

Short Hostname (ie. imap big_srv www2): imap
FQDN/CommonName (ie. www.example.com) : imap.example.com
Type SubjectAltNames for the certificate, one per line. Enter a blank line to finish
SubjectAltName: DNS:smtp.example.com
SubjectAltName: DNS:
# -------------- BEGIN custom openssl.cnf -----
 HOME                    = /home/valentin
 oid_section             = new_oids
 [ new_oids ]
 [ req ]
 default_days            = 730            # how long to certify for
 distinguished_name      = req_distinguished_name
 default_keyfile         = /tmp/key.pem
 encrypt_key             = no
 string_mask = nombstr
req_extensions = v3_req # Extensions to add to certificate request
 [ req_distinguished_name ]
 commonName              = Common Name (eg, YOUR name)
 commonName_default      = imap.example.com
 commonName_max          = 64
 [ v3_req ]
subjectAltName=DNS:smtp.example.com
# -------------- END custom openssl.cnf -----
Running OpenSSL...
Copy the following Certificate Request and paste into CAcert website to obtain a Certificate.
When you receive your certificate, you 'should' name it something like imap_server.pem

-----BEGIN CERTIFICATE REQUEST-----
...
-----END CERTIFICATE REQUEST-----

The crs is in ssl.csr in the current directory


#6

Yes, very tedious:

openssl req -new -sha256 -key ${PRIVKEY} -subj "/CN=${1}" -reqexts SAN -config <(cat /etc/ssl/openssl.cnf <(printf "[SAN]\nsubjectAltName=DNS:${1}")) -out ${CSR}

That's just part of a small Bash """script""" 'parsing' the arguments to that script. Doesn't parse multiple hostnames yet, but as you can see, generating SAN CSRs from the command line is quite simple.

Also, this is all quite offtopic to the original question…
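The one-hostname command above generalised to any number of hostnames, as an added example that is not part of the thread or of the Let's Encrypt client: the first hostname becomes the CN and every hostname goes into the SAN list. It writes a minimal config to a temporary file rather than using bash process substitution, so it also runs under plain sh; the path `/etc/ssl/openssl.cnf` from the post is not needed at all, because the request only needs a `[req]` section with a (possibly empty) distinguished-name section plus the `[SAN]` extension section.

```shell
#!/usr/bin/env bash
# Added example (not from the thread): build a CSR carrying several
# SubjectAltNames from an existing private key.  Function and file names
# are constructed for this example.
set -eu

# Print the SAN extension value for the given hostnames, for example
# "subjectAltName=DNS:example.com,DNS:www.example.com".
san_extension() {
  [ "$#" -ge 1 ] || return 1
  out=""
  for host in "$@"; do
    out="${out:+$out,}DNS:$host"
  done
  printf 'subjectAltName=%s\n' "$out"
}

# Print a minimal OpenSSL request config.  The empty [req_dn] section is
# enough because the subject is supplied on the command line with -subj.
san_config() {
  printf '[req]\ndistinguished_name = req_dn\nreq_extensions = SAN\n[req_dn]\n[SAN]\n'
  san_extension "$@"
}

# make_csr KEY OUT HOST [HOST...]
# Generates OUT (PEM CSR) signed with KEY; all HOSTs end up in the SAN list.
make_csr() {
  [ "$#" -ge 3 ] || { echo "usage: make_csr KEY OUT HOST [HOST...]" >&2; return 1; }
  key=$1; outfile=$2; shift 2
  [ -r "$key" ] || { echo "key not readable: $key" >&2; return 1; }
  cfg=$(mktemp)
  san_config "$@" > "$cfg"
  openssl req -new -sha256 -key "$key" -subj "/CN=$1" \
    -config "$cfg" -reqexts SAN -out "$outfile"
  rc=$?
  rm -f "$cfg"
  return "$rc"
}

# Show the subject and SAN entries that actually ended up in the request,
# so the list can be checked before the CSR is submitted to the CA.
verify_csr() {
  openssl req -in "$1" -noout -text | grep -E 'Subject:|DNS:'
}

# Usage (requires an existing key, e.g. from the genpkey command above):
#   make_csr key.pem site.csr example.com www.example.com
#   verify_csr site.csr
```

Checking the CSR with `verify_csr` before sending it matters because a CA will issue exactly what the request asks for: a hostname that is missing from the SAN list will simply not be covered by the certificate, and a stray one will fail validation.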


#7

When you have to create a config and feed that to the openssl script (that's what the <(cat /etc/ssl/openssl.cnf <(printf does), it is tedious and overly complex. Also, why the need to save the cnf (and then in /etc), which is probably overwritten every time someone makes a CSR?


#8

It’s just the default OpenSSL config, nothing special… And it’s not written to, just read.


#9

Doesn't the <printf part write into the config?


#10

No, it doesn't.


#11

So since I am not sure (and I am not really experienced with bash scripting), let me take an uneducated guess: instead of messing with the file, this <printf and so on part instead messes with the cat'ed output?

but still going the lengths of outputting a config and manipulating the output is in my opinion way too complicated…


#12

It puts the OpenSSL config ánd the sprintf-part into an anonymous named pipe and this is the input for the openssl command.

Well, I don’t think generating CSR’s is a job for the Let’s Encrypt client, but you can always make a Pull Request to add the feature to it…


#13

One thing to know about --csr is that letsencrypt renew is not able to renew certificates obtained this way, so you’ll need to figure out another approach to renewal for when the certificates expire.


#14

An interesting idea, since CSRs are not time limited, would be to just store the CSR for a given cert and repush that.
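The renewal approach suggested above, as an added example that is not part of the thread or of the Let's Encrypt client: a cron-style wrapper that re-submits a stored CSR with `certbot certonly --csr` once the current certificate is close to expiry, since `certbot renew` does not track certificates issued from a user-supplied CSR. The certbot options used (`--csr`, `--webroot`/`-w`, `--cert-path`, `--chain-path`, `--fullchain-path`, `--non-interactive`) are real client options; the paths, the webroot directory and the `CERTBOT` override variable are constructed for this example.

```shell
#!/usr/bin/env bash
# Added example (not from the thread): renew by re-submitting a stored CSR.
# Assumes the CSR was generated once and kept next to its private key.
set -eu

# Return 0 when CERT is missing or expires within DAYS days, 1 otherwise.
# `openssl x509 -checkend N` exits 0 while the cert is still valid N seconds
# from now, so the result is negated.
needs_renewal() {
  cert=$1; days=$2
  [ -f "$cert" ] || return 0
  ! openssl x509 -in "$cert" -noout -checkend "$((days * 86400))"
}

# renew_from_csr CSR WEBROOT OUTDIR [DAYS]
# Re-submits CSR via the webroot authenticator and writes the new
# certificate files into OUTDIR, but only when the current cert in OUTDIR
# is within DAYS (default 30) of expiry.  CERTBOT may be set to another
# command (e.g. "echo") to see the invocation without running the client.
renew_from_csr() {
  csr=$1; webroot=$2; outdir=$3; days=${4:-30}
  [ -r "$csr" ] || [ "${CERTBOT:-certbot}" != certbot ] || {
    echo "CSR not readable: $csr" >&2; return 1; }
  if ! needs_renewal "$outdir/cert.pem" "$days"; then
    echo "certificate in $outdir still valid for more than $days days"
    return 0
  fi
  mkdir -p "$outdir" 2>/dev/null || true
  "${CERTBOT:-certbot}" certonly --non-interactive \
    --csr "$csr" \
    --webroot -w "$webroot" \
    --cert-path "$outdir/cert.pem" \
    --chain-path "$outdir/chain.pem" \
    --fullchain-path "$outdir/fullchain.pem"
}

# Usage, e.g. from a daily cron job:
#   renew_from_csr /etc/ssl/private/site.csr /var/www/html /etc/ssl/site 30
```

Because the CSR is fixed, every renewal reuses the same private key; if the key is ever suspected compromised, the CSR has to be regenerated from a new key, not just re-submitted. Keeping `days` comfortably inside the certificate lifetime leaves room for a failed validation to be noticed and fixed before the old certificate expires.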

