Required CA signed certificates for one of the desktop based application

My domain is: local PC or cloud VM

I ran this command: command for generating self signed certificates using openssl tool

It produced this output: client certificates, private key in .pem format

My web server is (include version): It is not a web server but OPCUA server which works over tcp protocol (opc.tcp://machine-name:48010)

The operating system my web server runs on is (include version): Windows 10 enterprise

My hosting provider, if applicable, is: Not a web server and

I can login to a root shell on my machine (yes or no, or I don't know):

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):

Note: we use self signed certificates for secure connection but want to try CA signed certificates to make it production ready.

It requires

  • Client certificates (.pem)
  • private key file (.pem)
  • password

The application uses client-server model over opc.tcp protocol for the communication.

Hi @pradeipk, and welcome to the LE community forum :slight_smile:

The first step is to choose an ACME client that works within your environment.
To that end:
If Internet HTTP [port 80] requests can't reach [nor can be made to reach] your Windows system, then you may be limited to DNS-01 authentication.
[hopefully HTTP can be made to reach it]
If so, you can use any Windows ACME client and run it in standalone mode to obtain the cert locally.
If not, and seeing as the domain is what it is, you may run into a bit of trouble trying to add TXT records in that DNS zone to validate the DNS-01 challenge.

So...
The (first) first step (to complete certificate automation) is to ensure that the HTTP challenge requests can reach your server.

4 Likes

The client does not use http/https as protocol.

Listen closely:
You can use the cert for whatever you want.
The "client" I speak of is the ACME client.
[the one that gets and renews the certs for you]

The one that will provide you with:

4 Likes

Also, if the cert must be a wildcard, then you will be required to use DNS-01 authentication.
OR, since you've updated the "domain" to:

If the "local PC" can't be made to be reached via HTTP over the Internet OR it requires a wildcard cert, then:
You must obtain said cert via DNS-01 authentication.

3 Likes

Acquiring a certificate and using it are two different things. You can use a domain validated certificate for anything with a fully qualified domain name (e.g. opcua.yourdomain.com); it doesn't have to be a website or a web server. Your service will have instructions on how to apply the certificate once you have it.

For ACME (Let's Encrypt) certificates you will likely need to use DNS validation to order your certificate as your host name will not correspond to a public web server.

5 Likes
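An added example (not from anyone in this thread): it reproduces the original poster's openssl self-signed step and then runs the checks worth applying to any certificate, self-signed or CA-issued, before loading it into the OPC UA server. It assumes OpenSSL 1.1.1 or newer is installed; the hostname `opcua.example.com` is a constructed placeholder for whatever name appears in the opc.tcp:// URL.

```shell
#!/bin/sh
# Added example, not the thread's own commands. Hostname is a placeholder.
set -eu

HOST="opcua.example.com"
WORK="$(mktemp -d)"
CERT="$WORK/server.pem"
KEY="$WORK/server-key.pem"

# Self-signed certificate with the hostname in the SAN (clients no longer
# accept a bare CN), roughly what the original poster generated.
make_self_signed() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
    -keyout "$KEY" -out "$CERT" \
    -subj "/CN=$HOST" \
    -addext "subjectAltName=DNS:$HOST" 2>/dev/null
}

# Returns 0 if the certificate's SAN covers the name used in the opc.tcp URL.
cert_matches_host() {
  openssl x509 -in "$CERT" -noout -checkhost "$1" | grep -q "does match"
}

# Returns 0 if the private key belongs to the certificate (public keys equal).
key_matches_cert() {
  c="$(openssl x509 -in "$CERT" -noout -pubkey)"
  k="$(openssl pkey -in "$KEY" -pubout)"
  [ "$c" = "$k" ]
}

# Returns 0 only if the certificate chains to a CA in the system trust store.
# A self-signed certificate fails here; a CA-issued one obtained via ACME
# (HTTP-01 or DNS-01) is what closes that gap.
chains_to_trusted_ca() {
  openssl verify "$CERT" >/dev/null 2>&1
}
```

Run the same three checks against the CA-issued certificate and key once the ACME client has produced them; only the last one should change from failing to passing.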
