Sign self-signed certificate


A while ago I created a self-signed certificate with this guide (only Steps 1 and 2).
I would like to sign this certificate (a .cer file) with letsencrypt so it is accepted globally. How can I do this? I searched a lot and only found methods to create a new certificate with existing keys. But can I sign my existing certificate with letsencrypt?

The operating system my web server runs on is (include version):
Ubuntu 18.04.01 LTS
I can login to a root shell on my machine (yes or no, or I don’t know):
I’m using a control panel to manage my site (no, or provide the name and version of the control panel):
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): 0.31.0


Hi @ask_mcc

that can’t work. You have to create a Certificate Signing request, then Letsencrypt can sign the public key.

But you need a public visible, worldwide unique domain name.

Start there:

Then select a client

Perhaps Certbot with the certonly option.


Thanks @JuergenAuer for the quick reply. I use my self-signed certificate in an app. It is in beta phase and I wanted to use a real certificate for going live without changing the certificate (a .cer file) in my app.

I created a new certificate using: sudo certbot certonly --standalone -w certificate/ -d and it created a couple of .pem files: cert.pem, chain.pem, fullchain.pem and privkey.pem

What do I need to do to create a single .cer file for a SSL/TLS Handshake? If I can create a new .cer file, I can simply change it with the existing one in my app (and in my backend)


That simply isn’t possible–a “real certificate” (i.e., one signed by a trusted CA) is going to be completely different from a self-signed cert, because the signatures are part of the cert. There’s no way to apply new signatures without changing the cert.

That depends on what the “single .cer file” contains–there’s no single (or even predominant) meaning for such a file. The data that are typically needed are the end-entity cert, the intermediate cert(s), and the private key for the end-entity cert. Different applications need to see them in different ways–most web servers, for example, want all these in separate files. If your application needs them all together, a simple cat fullchain.pem privkey.pem > certificate.cer would do it.


@danb35 wouldn’t that expose the private key? The .cer will be in an .apk file which can be inspected.


Let’s encrypt certificates are intended to ‘encrypt the web’, in other words internet servers. Embedding a certificate in a phone app (for authentication ???) is NOT an intended use.


Then the private key probably shouldn’t be in that “single .cer file”. You’ll need to determine what information needs to be in that file, because as I said, there’s no single definition for what should be in a file with that extension. The odds are very good that you can create a suitable file using a cert from Let’s Encrypt, but you’ll first need to determine what’s in there.


Ah right, I had to do it like that because it was self-signed. I had to tell the app to accept this specific certificate. Sorry for the confusion.
So when I want to make HTTPS requests from the app to the backend, I simply need to create a certificate with letsencrypt to my domain (which I did with sudo certbot certonly --standalone -w certificate/ -d ) correct?
Do I need to do anything else with the certificate (the .pem files generated by letsencrypt)?


I don’t understand your setup.

Do you have a running website with your own, worldwide uniqued domain name?

And your app must connect your website via https?

If yes, it’s simple: Create a LE certificate with your domain name, install this certificate on your webserver.

The app doesn’t know something about the certificate, because it’s a Letsencrypt certificate.


No, I have an app and a backend server running with jetty (embedded) and a couple of Servlets for RESTful API. One of them is a POST request to upload a file.
I guess need to generate a .jks with a password from one of the .pem files. Then I can initialize my jetty based webserver like this:

Server server = new Server();

ServerConnector connector = new ServerConnector(server);

HttpConfiguration https = new HttpConfiguration();
https.addCustomizer(new SecureRequestCustomizer());

SslContextFactory sslContextFactory = new SslContextFactory();

ServerConnector sslConnector = new ServerConnector(server,
    new SslConnectionFactory(sslContextFactory, "http/1.1"),
    new HttpConnectionFactory(https));

server.setConnectors(new Connector[] { connector, sslConnector });

I generated my jks according to this guide. So maybe it would solve my problem just to generate a .jks file with the files created by LE.