Specify Certificate Type (w/ ACME & Certbot)

All.. skipping all the introductory questions, as they are not related to my question. I have been very successful in working with Certbot, the ACME protocol, REST API calls with my CA (InCommon/Sectigo).

We have successfully implemented lots of certificate renewal automation, and are trying to do more.

I am still poking around, but all my searches (in documentation, this forum, and Google) have not turned up anything concrete, so I must be missing something or not asking the right questions.

We have a handful of servers that are FileMaker -- and require that we issue "Comodo Elite SSL Certificates" (which was done by Sectigo, our CA) - as I can generate a CSR and issue the certificate through the web based certificate Web GUI. We want to automate these.

Our CA (https://sectigo.com/) is actually the result of various "mergers" (Comodo, Sectigo, InCommon) that provide a bunch of different certificate types. The "Comodo Elite SSL Certificate" is a specific type of certificate type that is the only type that a FileMaker (by Claris) server will accept. Our CA offers about 20-30 other certificate types (AMT, InCommon, IGFT, EV, etc..)

Is there any way to specify the certificate type when requesting Certbot to generate a "Comodo Elite SSL Certificate"?

Thank you!

1 Like

Hi @jewettg, and welcome to the LE community forum 🙂

Although your question is only about Certbot and that has its own support channel, I will try to help.
See: User Guide — Certbot 1.29.0 documentation
Search for: key-type and key-size

4 Likes

HA! I knew it! I really appreciate it. I had stumbled across this page in the past, forgot it existed. The Certbot website proper .. really needs to link to that page .. and make it more prominent.

Certbot is just one tool, I mentioned it for familiarity. We also utilize Python with ACME modules and the REST API through our CA. Sorry if this was posted to the wrong channel.

1 Like

What is that exactly and how does it differ from common Let's Encrypt certificates? Do you even want Let's Encrypt certificates or just make Certbot do something on your Sectigo CA?

3 Likes

Our CA (https://sectigo.com/) is actually the result of various "mergers" (Comodo, Sectigo, InCommon) that provide a bunch of different certificate types. The "Comodo Elite SSL Certificate" is a specific type of certificate type that is the only type that a FileMaker (by Claris) server will accept. Our CA offers about 20-30 other certificate types (AMT, InCommon, IGFT, EV, etc..)

I amend my previous.. while "key-type" will allow me to choose rsa and ecdsa, it does not do exactly what I thought .. I was excited that maybe you gave me my solution! 😉

I still don't have any clue what makes these certificates so "special".. Could you please explain it to me in the most dumb manner? I'm not an IT specialist 😉

Also, I'm still not clear what you're asking exactly. Do you require Certbot to generate a specific CSR? If so, what makes this CSR so special? (Related to my first question obviously.)

3 Likes

That seems like a very unusual restriction for software to implement, and it directly contradicts their own documentation:

Any SSL certificate can be used with FileMaker Server as long as the corresponding intermediate certificates are imported as well.

7 Likes

Are you saying that you work for Sectigo, and are trying to figure out the standard way of offering different certificate "types" to different users (where it's still not clear to me exactly what a "type" is, but maybe a specific extended key usage or the like), so that you can have your users configure which type of certificate they want? If so, the easiest thing may be to offer these different types at different ACME directory endpoints.

6 Likes

I completely agree -- however, years of troubleshooting and working with the product, their technical support, we have not found a way to implement "...Any SSL certificate .."

Then you should ask Sectigo how to get their fancy cert.

5 Likes

Your repost is in exactly the same channel, so my suggestion is to revert your edit and restore your initial post and close your duplicate thread.

2 Likes

I'm sorry, but how is this not a duplicate with your previous thread? 🙂

2 Likes

If you're asking about creating a cert using ACME from a different CA, that CA would be your point of contact for this question; this is not a support forum for Sectigo. But as I commented in your other thread, of which this appears to be a duplicate, this belief contradicts Claris' docs:

5 Likes

[merged both topics]

4 Likes

Peter, no. I do not work for Sectigo. I work for UT-Austin in Texas. We are just customers of that CA.
Maybe I am not asking the right questions! I have updated the original topic .. listing what these certificate types are.

The available certificate types are:
AMT Multi-Domain SSL Certificate
AMT SSL Certificate
AMT Wildcard SSL Certificate
Comodo Elite SSL Certificate (FileMaker) (SHA-2)
EV Anchor certificate
EV Anchor Certificate
EV Multidomain certificate
EV SSL certificate
Extended Validation Multi Domain SSL
Extended Validation SSL Certificate
IGTF Multi Domain
IGTF Server Cert
InCommon ECC
InCommon ECC Multi Domain
InCommon ECC Wildcard
InCommon Multi Domain SSL (SHA-2)
InCommon SSL (SHA-2)
InCommon SSL (SHA-2) (InCommon level)
Incommon SSL (Short Life)
InCommon Unified Communications Certificate (SHA-2)
InCommon Wildcard SSL Certificate (SHA-2)

I can request a specific certificate type via REST API; I was really hoping to do this via the ACME protocol (by way of Certbot or using other methods that utilize the ACME protocol: Python, F5, etc..)

Thank you.

1 Like

Simple: Put the whole thing in a "DMZ" - behind a secure (reverse) proxy!

4 Likes

Does your CA even have an ACME endpoint? If not, ACME is out of the question obviously. Certbot is an ACME client (well, a client using the acme library) and cannot communicate using REST.

Let's Encrypt only offers DV certificates and not any of the "certificate types" (I still have NO CLUE WHATSOEVER what those "certificate types" actually entail...).

So I'm pretty sure this Community is not the right place for your question at all. This is the Let's Encrypt support Community primarily and we do answer generic TLS/ACME client questions, but my guess is your question is WAY out of the ballpark of this Community due to the lack of actual ACME usage or inability to use Certbot.

Now, the above is obviously incorrect if you're telling me Sectigo can issue any of those fancy certificates using an ACME endpoint. Then we might talk a little bit more about Certbot, maybe.

7 Likes

It is next on the list, however since the question was on the capabilities or possibilities within Certbot or the ACME protocol.. I came to the source forum. I am going to dig into the documentation some more.. so I appreciate your responses.

1 Like