Trying to get a cert for Win SBS 2008 using sslforfree


Please fill out the fields below so we can help you better.

My domain

I ran this command: n/a

It produced this output: Certificate signature failed. If you supplied your own CSR make sure the domains on it match what you put on SSLForFree. If there is a rate limiting error at the end of this paragraph certificates per Domain is currently 5 per 7 days. Try asking Lets Encrypt to increase the limit or wait 7 days. Rate limits should increase in the near future. { "type": "urn:acme:error:malformed", "detail": "Error parsing certificate request: asn1: syntax error: sequence truncated", "status": 400 }

My operating system is (include version): Windows SBS 2008

My web server is (include version):

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

I’m trying to create a certificate using a certificate request generated by the Win 2008 Certificate Wizard.

  1. go to sslforfree
  2. verify I control the domain by adding a TXT record
  3. in the Windows Cert Wizard, generate a certificate request for , which creates a .txt file
  4. at sslforfree, check the box "I have my own CSR"
  5. paste in the contents of the .txt file with the request (note: not converting the Windows standard CR+LF at the end of each line)
  6. get the above error

Any thoughts? Anyone else generate a cert from a windows-generated CSR? Should I just trim all LFs, so the CSR is a single line?


Hi @bobkoure,

Maybe you could trim CRs but not LFs, because Unix text files use LF as a line separator where Windows uses CRLF.

If you’d like to post the CSR here, maybe we can figure out what’s the trouble with it.


Hi @schoen

You are absolutely on the right track.


Review this article:

I came across a similar issue when trying to use CSRs from windows.

I usually run them through Openssl to clean them out.

The article also outlines some differences I spotted and has some recommendations on how to create effective CSRs in Windows.

Windows adds some funny ASN.1 extensions which Let's Encrypt clients don't like.



Hi @ashaw021
On first perusal of that article, I converted my CSR (CRLFs to LFs, removed 'NEW' from the header and footer).
I am wading through that article now, but am unclear as to how I might use openssl to clean it out.
On the off chance it might move the conversation forward, here is the CSR I am submitting:


I am taking notes, and, assuming I get this working, would be glad to write up a how-to for other poor Windows sods running into the same issue.


Hi @bobkoure,

I ran the CSR through OpenSSL (openssl req) and it was unchanged, so that approach won’t help in this case, though it was worth a try!

I’m not sure of the specific reason that Let’s Encrypt doesn’t like that CSR, but it definitely has several things that Let’s Encrypt wouldn’t be willing to include in a certificate, and probably at least one that would cause the CSR to be rejected.

  • The CSR mentions a city, state, location, organization, and organizational unit, but Let’s Encrypt can’t verify any of this information, so it won’t include it in a certificate
  • There are 3 AuthentiCode-related attributes included in the cert, but Let’s Encrypt never issues code-signing certs (I think it’s about 70% likely that it’s the presence of these attributes which is causing the parsing failure)
  • One of the requested subject names is DNS:SERVER.afa.local, but no publicly-trusted CA is permitted to issue for .local names anymore
  • The CSR was signed with sha1WithRSAEncryption (an obsolete algorithm), though I’m not sure Let’s Encrypt rejects CSRs that use this algorithm

You can usually re-use a CSR from another CA with Let’s Encrypt, and most extraneous information will be ignored; in this case I would say that trying to re-use a CSR that was used to request code-signing certs is probably causing trouble, and it would be best to generate a completely new CSR instead, especially omitting both the AuthentiCode attributes and the request for the .local name. You should be able to keep using the same public and private keys, if you want.
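An added pre-flight check, not code from the thread or from Let's Encrypt, that automates the two fixes discussed above (CRLF to LF, dropping NEW from the armor) and then walks the DER just far enough to report either a truncated sequence or a sha1WithRSAEncryption signature; the sample CSR bytes are constructed and unsigned, so they stand in for a wizard-generated .txt file.

```python
import base64, re
# The Certificate Wizard .txt says "BEGIN NEW CERTIFICATE REQUEST" and uses CRLF line ends
HEADER = re.compile(r"-----BEGIN (?:NEW )?CERTIFICATE REQUEST-----")
FOOTER = re.compile(r"-----END (?:NEW )?CERTIFICATE REQUEST-----")
SHA1_WITH_RSA = "1.2.840.113549.1.1.5"  # sha1WithRSAEncryption
def normalize_csr_pem(text):
    """CRLF -> LF, drop 'NEW' from the armor, validate the base64; return (pem, der)."""
    body = text.replace("\r", "")
    head, foot = HEADER.search(body), FOOTER.search(body)
    if not head or not foot or foot.start() < head.end():
        raise ValueError("no CERTIFICATE REQUEST header/footer pair found")
    b64 = "".join(body[head.end():foot.start()].split())  # strip every line break
    der = base64.b64decode(b64, validate=True)
    lines = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return "-----BEGIN CERTIFICATE REQUEST-----\n%s\n-----END CERTIFICATE REQUEST-----\n" % lines, der

def read_tlv(buf, pos):
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2  # DER tag, then short-form length
    if length & 0x80:  # long-form length: low bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):  # what an ASN.1 parser reports as a truncated sequence
        raise ValueError("sequence truncated: DER claims %d bytes past end of data" % (pos + length - len(buf)))
    return tag, pos, pos + length  # (tag, value_start, value_end)
def decode_oid(raw):
    arcs, v = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:  # base-128 arcs; high bit set on continuation bytes
        v = (v << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs, v = arcs + [v], 0
    return ".".join(map(str, arcs))
def csr_signature_oid(der):
    _, pos, _ = read_tlv(der, 0)             # CertificationRequest ::= SEQUENCE { info, sigAlg, sig }
    _, _, info_end = read_tlv(der, pos)      # skip certificationRequestInfo
    _, alg_pos, _ = read_tlv(der, info_end)  # enter signatureAlgorithm SEQUENCE { OID, params }
    _, oid_start, oid_end = read_tlv(der, alg_pos)
    return decode_oid(der[oid_start:oid_end])
def csr_problems(text):
    """Problems a CA-side parser would hit with this pasted CSR (empty list: none found)."""
    try:
        oid = csr_signature_oid(normalize_csr_pem(text)[1])
    except ValueError as err:
        return [str(err)]
    return ["signed with sha1WithRSAEncryption (obsolete)"] if oid == SHA1_WITH_RSA else []

# Constructed toy CSR (hypothetical; no real key or signature): version-0 info, sha1WithRSA, dummy BIT STRING
SAMPLE_DER = bytes.fromhex("3018" "3003020100" "300d06092a864886f70d0101050500" "030200ff")
def windows_style_pem(der):
    armor = "-----BEGIN NEW CERTIFICATE REQUEST-----\r\n%s\r\n-----END NEW CERTIFICATE REQUEST-----\r\n"
    return armor % base64.b64encode(der).decode()  # mimics the wizard's .txt output
```

Running `csr_problems(windows_style_pem(SAMPLE_DER[:-3]))` reproduces the truncated-sequence case: the outer SEQUENCE still declares 24 bytes of content but only 21 remain after the cut.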


Hi @bobkoure

Have a look at the ZeroSSL client.

This client is usually the easiest way to start with, as you can paste your domain name in and it will generate the CSR for you.

When you are more confident there are other ways of generating the CSR.

I use the certreq utility personally for several reasons.

Creating a CSR with Certreq

Reviewing the documentation here, we can see that to use certreq we need to specify a configuration file and use the following syntax:

certreq -New .\certreq_config.txt

The contents that work best for certreq_config.txt are below (certreq reads the request settings from the [NewRequest] section, so the file needs that section header):

[NewRequest]
Subject = "CN="
Exportable = TRUE
KeyLength = 4096
KeySpec = 1
MachineKeySet = TRUE
SuppressDefaults = True
SMIME = false
RequestType = PKCS10

Some explanation for configuration:

Exportable = TRUE - allows the private key (stored in the Microsoft Store) to be exported. You need this to be able to export the certificate and key in PFX format.

SuppressDefaults = True - stops certreq adding certain Microsoft extensions to the CSR (e.g. the name of the requesting machine) which can break the process.

SMIME = false - stops certreq adding certain extensions to the CSR which can break the process.

RequestType = PKCS10 - forces certreq to format the CSR in PKCS10 format.

If everything works well, we can use MMC and the Certificates snap-in to confirm a pending certificate request.

You can also use openssl to generate your CSRs.

Out of interest, are you a video guy or an article guy?

I am thinking of doing a YouTube series on Windows and Let's Encrypt.


