Sophos UTM & LE Cert Conversion to PKCS#12 for Reverse Proxy Protection

I have a Sophos UTM 9 with web protection enabled. I found an identical topic started by @VWR32NZ very helpful in converting the Lets Encrypt cert into PKCS#12 format. However on Android (Chrome) I was receiving the error: NET::ERR_CERT_AUTHORITY_INVALID and Qualys SSL Labs stated my certificate chain is incomplete.

Adding the -certfile flag fixed this problem for me. Below is my revised statement:

$ sudo openssl pkcs12 -export -out subdomain.example.com.pk12 \
-in /etc/letsencrypt/live/subdomain.example.com/cert.pem \
-certfile /etc/letsencrypt/live/subdomain.example.com/cert.pem \
-inkey /etc/letsencrypt/live/subdomain.example.com/privkey.pem \
-name Cert-subdomain.example.com

I am hardly an expert in certificate management, and don’t know if specifying both intermediary certificates is possible or advantageous. Additional advise from a pro would be much appreciated if warranted.

Thanks for Lets Encrypt, this is the best thing I’ve played with in a long while!

You should also already have that file available as chain.pem in the same place where you found cert.pem (because people need to use it when configuring a server, the CA already provides it when issuing the cert and the client saves a copy!).

Its contents do need to get served somehow; the cert.pem is an end-entity cert (i.e., a cert describing your site), not an intermediate cert describing a CA, so it’s not redundant at all to use both of them.

Thank you, after testing to ensure it works I have edited my original post. I have revised the command to specify cert.pem for both the -in and -certfile arguments which is easier and makes more sense. I’m sorry to say I have a pretty weak understanding of all this, so if the conversion command could be further enhanced or simplified please post your thoughts or PM me and I will edit my post again.

I think you want chain.pem as the -certfile, not cert.pem.

I suppose you mean fullchain.pem instead of chain.pem :wink:

If you’re already passing cert.pem then it might not be necessary to use fullchain.pem (but I haven’t tested this particular command, just responding based on the original post which originally said that using the LE X1 intermediate from the Let’s Encrypt home page made it work – and chain.pem's contents are exactly identical to the LE X1 intermediate).

1 Like

You are right. Forget it, I misread the command op used in first post.