PFX file needed, Pantheon host cannot export/create?

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: www.modularservices.com

I ran this command: N/A

It produced this output: N/A

My web server is (include version):

The operating system my web server runs on is (include version):

My hosting provider, if applicable, is: pantheon.io

I can login to a root shell on my machine (yes or no, or I don't know): No

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): Pantheon control panel

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): Unknown.

Hello everyone!

Pantheon hosts our www.modularservices.com and subdomains, secured by Let's Encrypt. All working here. Problem is, we need a PFX file for a subdomain that won't be hosted on the Pantheon servers. Pantheon is unable to provide a PFX file. How can I create a PFX file without access to the private key?

Pantheon will allow me to purchase a Gold Support plan to allow a installation of a custom wildcard SSL. I can generate the PFX if I supply the wildcard SSL, but it comes at a hefty annual price for their Gold level support which we don't need. It also isn't a "Custom SSL." It is securing the same domain and subdomains currently protected by Let's Encrypt. I just need a PFX file for the other host.

Is it possible to generate a PFX key with Pantheon being the host of our domain?

Any help is greatly appreciated!

If this won't be hosted on Pantheon's servers, then they don't need to be involved in this at all.

You can use the HTTP-01 challenge on the new domain. If you have control over DNS, you can also use the DNS-01 challenge.

IMHO it would be easier to do run the DNS-01 challenge from within your office, then convert the PEM files to PFX. That could be scripted, as could deploying it to the new server. I don't know of any clients that can do PFX conversion natively. Perhaps there are.

If you use DNS-01 authentication, you should either run it from within your office OR delegate the acme_challenge record to another DNS system you can control (like acme-dns), as there are security implications for storing DNS API Keys on a server.

Thanks for the reply jvanasco!

Forgive my ignorance, this is outside my wheelhouse. However, I will reach out to the 3rd party host and see if they can use the HTTP-01 challenge. I DO have control over DNS via networksolutions.

Just had a call with Pantheon and we discussed purchasing a cert for our subdomain from a CA, generating the PFX file and providing it to the 3rd party host.

It would be great to not spend any more on certs and have it automated.

Ask them is that panel can obtain free LE certificates.

@DaveMSC Just to clarify, that new subdomain, to whom does the IP address of that subdomain "point"? You said a hosting provider other than "Pantheon", right? What kind of hosting do you have for this new subdomain? A VPS? Or shared hosting? What is it?

That Pantheon Control Panel is probably just for the "main" domain/"main" subdomains, which are not discussed currently. If I understand correctly, this "new" subdomain is not within the reach of Pantheon, although not every is yet clear.

And why do you need a PFX file?
[those are typically used by Windows systems]

@Osiris Not sure of the IP just yet, the host will be Chameleon Power. No idea if a VPS, shared hosting unfortunately. All I know is they are hosting the subdomain and I have a CNAME entry pointing to them.

Also, Pantheon CP is just for the main domain, correct. The new domain will not be within reach of Pantheon.

@rg305 the host of the new subdomain requires the PFX file.

A good hoster would be perfectly able to get a certificate themselves... It's the year 2023 and Let's Encrypt has been around since 20165. Not sure what hosting providers are trying to do if they're not yet capable issuing Let's Encrypt certificates..

Then we would need a lot more information about that host before we can make an educated recommendation.

So far, you only told us some of what it isn't.

Excuse my ignorance, I'm just giving the limited information I have at this time.

I'm reaching out to the host for information.

So, a few things:

1- If you don't have in-house tech abilities, it might be easiest to get a full year SSL Certificate from a commercial provider for the new subdomain. This will only be about $5 and you only have to do this once a year. Another option is to use a CDN, like Cloudflare, for $20/month, to turn http traffic into HTTPS. [You install a long-term untrusted Cloudflare certificate on the Chameleon server, then Cloudflare re-encrypts with a publicly trusted certificate at their edge]

2- LetsEncrypt certs are for 90 days – so you'd either need in-house tech to create an automated process, or to do this manually every 2 months.

Three ways this could be handled:

1. Chameleon uses HTTP-01 challenge to get/manage the certificate for you. You don't do anything. Most SAAS/PAAS system do this.
2. Chameleon redirects the acme-challenge to a system you control, so you can get the cert via HTTP-01 and install on Chameleon every 2 months
3. You obtain a cert via DNS-01 and install on Chameleon every 2 months

Oh, here is a link to the commands to transform the standard PEM files into PFX:

Assuming this is a DV cert, OV isn't necessary?

I figured this was the case, thanks for confirming.

This is the way, I've asked Chameleon if this is possible.

Exactly. LetsEncrypts are DV too.

The browser/client industry has basically moved to "DV is more than enough" and the overall tech industry considers OV/EV unnecessary. Once upon a time, EV and OV were displayed differently than DV - now it's all the same.

This is the way, I've asked Chameleon if this is possible.

If they can't do this... spend the $5 on a DV cert and tell Chameleon to post here for help on how to enable this for their clients in the future.

Will do!

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.