Sophos UTM & LE Cert Conversion to PKCS#12 for Reverse Proxy Protection


I have a Sophos UTM 9 with web protection enabled. I found an identical topic started by @VWR32NZ very helpful in converting the Let's Encrypt cert into PKCS#12 format. However, on Android (Chrome) I was receiving the error NET::ERR_CERT_AUTHORITY_INVALID, and Qualys SSL Labs stated my certificate chain is incomplete.

Adding the -certfile flag fixed this problem for me. Below is my revised statement:

$ sudo openssl pkcs12 -export -out \
-in /etc/letsencrypt/live/ \
-certfile /etc/letsencrypt/live/ \
-inkey /etc/letsencrypt/live/ \

I am hardly an expert in certificate management, and don’t know if specifying both intermediary certificates is possible or advantageous. Additional advice from a pro would be much appreciated if warranted.

Thanks for Let's Encrypt, this is the best thing I’ve played with in a long while!


You should also already have that file available as chain.pem in the same place where you found cert.pem (because people need to use it when configuring a server, the CA already provides it when issuing the cert and the client saves a copy!).

Its contents do need to get served somehow; the cert.pem is an end-entity cert (i.e., a cert describing your site), not an intermediate cert describing a CA, so it’s not redundant at all to use both of them.
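As an added example that is not from this thread or from the original poster: the script below builds a constructed, throwaway root / intermediate / leaf PKI in place of the real Let's Encrypt files (the names cert.pem, chain.pem, fullchain.pem and privkey.pem mirror what certbot writes under /etc/letsencrypt/live/<domain>/), exports the PKCS#12 bundle both with and without `-certfile chain.pem`, and counts the certificates inside each bundle so the missing-intermediate case can be spotted locally before Sophos UTM, an Android client or SSL Labs reports it. The password `changeit`, the name `example.test` and the function names are placeholders chosen here.

```shell
#!/bin/sh
# Added example, not from the thread: reproduce the -certfile fix on a constructed
# test PKI and verify that the resulting PKCS#12 actually carries the intermediate.
set -eu

# Build a throwaway root -> intermediate -> leaf PKI in directory $1. These stand in
# for the ISRG root, the Let's Encrypt intermediate and your own site certificate;
# in real use the files come from /etc/letsencrypt/live/<domain>/ (constructed here).
make_test_pki() {
  d=$1
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$d/ca.ext"
  printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:example.test\n' > "$d/leaf.ext"
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj '/CN=Test Root' \
    -keyout "$d/root.key" -out "$d/root.pem" >/dev/null 2>&1
  openssl req -newkey rsa:2048 -nodes -subj '/CN=Test Intermediate' \
    -keyout "$d/int.key" -out "$d/int.csr" >/dev/null 2>&1
  openssl x509 -req -days 2 -in "$d/int.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
    -CAcreateserial -extfile "$d/ca.ext" -out "$d/int.pem" >/dev/null 2>&1
  openssl req -newkey rsa:2048 -nodes -subj '/CN=example.test' \
    -keyout "$d/privkey.pem" -out "$d/leaf.csr" >/dev/null 2>&1
  openssl x509 -req -days 2 -in "$d/leaf.csr" -CA "$d/int.pem" -CAkey "$d/int.key" \
    -CAcreateserial -extfile "$d/leaf.ext" -out "$d/cert.pem" >/dev/null 2>&1
  # Mirror certbot's layout: chain.pem = intermediate(s), fullchain.pem = cert + chain.
  cp "$d/int.pem" "$d/chain.pem"
  cat "$d/cert.pem" "$d/chain.pem" > "$d/fullchain.pem"
}

# Export a PKCS#12 bundle. $1 = PKI dir, $2 = output file, $3 = "with" or "without"
# (whether -certfile chain.pem is passed, i.e. the fix discussed in the thread).
export_p12() {
  d=$1; out=$2
  if [ "$3" = with ]; then
    openssl pkcs12 -export -out "$out" -in "$d/cert.pem" -certfile "$d/chain.pem" \
      -inkey "$d/privkey.pem" -passout pass:changeit
  else
    openssl pkcs12 -export -out "$out" -in "$d/cert.pem" \
      -inkey "$d/privkey.pem" -passout pass:changeit
  fi
}

# Count the certificates stored in a .p12. A result of 1 means only the end-entity
# cert is present, which is exactly the "incomplete chain" SSL Labs complains about.
count_certs_in_p12() {
  openssl pkcs12 -in "$1" -nokeys -passin pass:changeit 2>/dev/null \
    | grep -c 'BEGIN CERTIFICATE' || true
}

# Confirm the leaf chains up to the root through chain.pem (returns non-zero if not).
chain_verifies() {
  openssl verify -CAfile "$1/root.pem" -untrusted "$1/chain.pem" "$1/cert.pem" >/dev/null 2>&1
}

demo() {
  command -v openssl >/dev/null 2>&1 || { echo "openssl not found; skipping demo"; return 0; }
  d=$(mktemp -d)
  make_test_pki "$d"
  chain_verifies "$d" && echo "cert.pem verifies against root via chain.pem"
  export_p12 "$d" "$d/with.p12" with
  export_p12 "$d" "$d/without.p12" without
  echo "certs in bundle with -certfile chain.pem:    $(count_certs_in_p12 "$d/with.p12")"
  echo "certs in bundle without -certfile:           $(count_certs_in_p12 "$d/without.p12")"
  rm -rf "$d"
}
demo
```

Running it prints 2 certificates for the bundle built with `-certfile chain.pem` and 1 for the bundle built without it; the same `openssl pkcs12 -in bundle.p12 -nokeys` inspection works on a real bundle before you upload it to the UTM.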


Thank you, after testing to ensure it works I have edited my original post. I have revised the command to specify cert.pem for both the -in and -certfile arguments which is easier and makes more sense. I’m sorry to say I have a pretty weak understanding of all this, so if the conversion command could be further enhanced or simplified please post your thoughts or PM me and I will edit my post again.


I think you want chain.pem as the -certfile, not cert.pem.


I suppose you mean fullchain.pem instead of chain.pem :wink:


If you’re already passing cert.pem then it might not be necessary to use fullchain.pem (but I haven’t tested this particular command, just responding based on the original post which originally said that using the LE X1 intermediate from the Let’s Encrypt home page made it work – and chain.pem's contents are exactly identical to the LE X1 intermediate).


You are right. Forget it, I misread the command the OP used in the first post.