Request CA certificate


I have generated CSR file and would like to request CA certificate for my app client to be able to communicate with https:// which is also my domain hosted server at linode.
I am beginner handling TLS certificate. How do I obtain this CA certificate for my client app side?

I am new and beginner, therefore need your attention and advise please.
Awaiting your reply.

Follow these instructions.

Edit: actually, it seems like your website already has an SSL certificate. What are you trying to do?

If you want an actual CA certificate (that can issue other certificates), Let's Encrypt won't give you one. That's not part of their mission. You will need to create your own CA if you want to do that.


Ya my website/server https:// already has ssl certificate but im curiuos what's all about this CA certificate I must get in order for it to be installed in my client development app.
Again, my client dev app need to specify local path to this CA certificate so that it can talk with my server via REST APIs.

I already have CSR file which I believe need to be submitted to the CA provider to obtain this CA certificate. Am I in a correct path what should be my next step actually? Curious. Pls support me because i'm really new in this field. It's really confusing and I need guide.

It sounds like your client development app has the ability to use a local CA of some sort, maybe for testing https links?

Obtaining a subca is a serious undertaking, some CAs will sell them somewhere north of $50k but that assumes you comply with auditing requirements.

If you need a ca, a tool like smallstep can create a private one


Can you post the instructions you are following?


No, client's usually use the operating system CA store. If your client doesn't automatically use that then just configure it so it does.

Had you asked this question in the Help forum you would have been asked for more details. If you want more specific advice we need more specific info.

At minimum, we need the operating system and version your client runs on. Any details about your client software would be helpful too.


You can find link below and I am following this tutorial.

Ya you are right. There are built-in cert store available which dedicated only for advanced client microcomputer with OS like raspberry pi and so on. But for my case the client side is a primitive 32-bit microcontroller. I need to specify path to a valid signed certificate as its reference.

1 Like

what kind of microcontoroller you have in mind? if you get mbedtls

if you want to use LE certficiate you'd pin ISRG x1 (and prob your own certificate too, as fallback


You would need to download ISRG Root X1 and ISRG Root X2 to your microcontroller as trusted root, if you would use letsencrypt.


These are two completely very different things:


Is it true?
I downloaded the pem format cert isrg-root-x1-cross-signed.pem and
I tried with simple python to connect with my server like below,

import socket, ssl, pprint

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
ssl_sock = ssl.wrap_socket(s,
ssl_sock.connect(('', 443))


But here is the error I got in reply,

ssl.SSLCertVerificationError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get issuer certificate

1 Like

ARM based MCU may sounds nice but mine here is only based on PIC32mx. The code has integration with ssl framework by WOLFSSL. So far I need to test its communication with my server using TLSv1.2 (or 1.3). The only requirement left, it needs the SSL certificate signed by the Certificate Authority (CA) where Let's Encrypt is my choice.

So why do I need certificate_request.csr? Is it really necessary to get that CA certificate?

Thank you I really need guidance from you.

1 Like

Test your code against this site (""); It uses the same chain/trust.

I think there was some confusing on the type of cert you required.

I doubt it.


Owh Thank you so much really apreciate it. I just found, I was actually mistaken downloading the incorrect cert.
The correct link is (The code just work, replace with this cert!)

But how bout the expiry date? Does it mean if this cert to be used my client app can operate forever with this cert without need to aware the expiry?

If I really want to make my app private app to app. How about the generated CSR file? Because It pairs with my generated key which is private to app right. It must hv somethin to do with this CSR file to let the communication really private and comes with expiry date set by the key or the CSR right?

How do I harness/benefit from this CSR file then?

1 Like

You need to rotate the CA cert when it is going to expire, but it would be a decade later...


I'm afraid that after a few good posts you're still not grasping how the webPKI works. Server versus client. End leaf certificates. Certificate chain. Root certificate stores.

I would like to advise you to dive more into how all the things work and mostly to get the terminology correct.


Apology any of my language that cause inconvenience to you perhaps. If I may ask what's the use of the CSR file and how is it related with CA certificate?

None whatsoever in this application.

It isn't.

For more information about CSRs, see:

ACME clients generate CSRs to submit to the CA in order to get the certificate, but that's generally (with the exception of idiotic design decisions in TrueNAS) done behind the scenes with no direct involvement from you. A CSR has nothing at all to do with getting the CA certificate itself.