In this blog post I am going to dive into how to obtain certificates from Let’s Encrypt and convert them with OpenSSL.
Reasons to use certificates from Let’s Encrypt
The reason I use certificates from Let’s Encrypt is for testing purposes, for example to configure an Exchange Hybrid configuration in your lab. Let’s Encrypt is a non-profit certificate authority run by the Internet Security Research Group that provides certificates for encryption at no charge.
Great, they are free (open source)! The only downside is that they have to be renewed every three months, which is why I only use them for testing purposes.
Prerequisites for using Let’s Encrypt and OpenSSL
- An ACME client
- OpenSSL installed
In this blog post I will use a local Debian VM (without the GNOME desktop), with OpenSSL and the ACME client Certbot installed, which is also the client recommended by Let’s Encrypt. I connect to my Debian VM over SSH.
You can also enable Windows Subsystem for Linux (WSL) on your Windows machine. This is a compatibility layer for running Linux binary executables natively on Windows.
Install OpenSSL and Certbot
Before you begin, you need to have sudo privileges on your system.
apt-get install openssl -y
Install Let’s Encrypt (Certbot) with a DNS challenge:
apt-get install certbot -y
Install the DNS challenge hook (the acme-dns-auth.py script) and make it executable:
chmod +x acme-dns-auth.py
Once the script is executable after the chmod command, edit the first line of the Python file (the shebang). It should read “#!/usr/bin/env python3”. This is required to ensure that the script runs with the latest supported version of Python 3.
Move acme-dns-auth.py into the Certbot Let’s Encrypt directory so that Certbot can load it.
sudo mv acme-dns-auth.py /etc/letsencrypt/
Obtain your first certificate
When using Let’s Encrypt for the first time, you’ll need to complete an initial setup and accept the Let’s Encrypt terms and conditions.
Obtaining different types of certificates:
Single domain (you can also use a subdomain):
certbot certonly --manual --manual-auth-hook /etc/letsencrypt/acme-dns-auth.py --preferred-challenges dns --debug-challenges -d yourdomain.com
Multiple domains (SAN certificate):
certbot certonly --manual --manual-auth-hook /etc/letsencrypt/acme-dns-auth.py --preferred-challenges dns --debug-challenges -d yourdomain.com -d yourdomain2.com -d sub.yourdomain.com
Wildcard certificate:
certbot certonly --manual --manual-auth-hook /etc/letsencrypt/acme-dns-auth.py --preferred-challenges dns --debug-challenges -d '*.yourdomain.com'
The auth hook prints a CNAME record that you need to add to the DNS zone of the domain(s) you provided.
Output from acme-dns-auth.py:
Please add the following CNAME record to your main DNS zone:
_acme-challenge.yourdomain.com CNAME xxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxx.auth.acme-dns.io.
Waiting for verification...
When the validation is complete, Certbot prints the following:
Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/yourdomain.com/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/yourdomain.com/privkey.pem
You can renew your certificate by running:
It is not recommended to delete the certificate files in the letsencrypt/live folder manually. The best way to delete a certificate is by running:
Convert the .pem to .crt/.key or .pfx with OpenSSL
First copy the two .pem files to a directory like /tmp.
cp /etc/letsencrypt/live/yourdomain.com/fullchain.pem /tmp
cp /etc/letsencrypt/live/yourdomain.com/privkey.pem /tmp
Convert the .pem files to a .pfx file (you will be prompted to give this file a password):
openssl pkcs12 -inkey /tmp/privkey.pem -in /tmp/fullchain.pem -export -out /tmp/yourcertname.pfx
Convert the .pem files to .crt and .key (private key file) in RSA format:
openssl x509 -in /tmp/fullchain.pem -out /tmp/yourcertname.crt
openssl rsa -in /tmp/privkey.pem -out /tmp/yourkeyname.key
Remove the .pem cert and private key from the tmp folder:
rm /tmp/fullchain.pem
rm /tmp/privkey.pem
Note: it is very important to be careful where you keep the certificates and the private key.
Now you can use the certificates on your Linux server, for example in the Sendmail MTA or the Apache web server.
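The conversion steps above, wrapped in a shell function as an added example (not code from the original post): it produces the .pfx, .crt and .key, uses openssl pkey instead of openssl rsa so it also handles the ECDSA keys newer Certbot versions issue, and checks that the private key actually matches the certificate before the files go anywhere. The domain lab.example and the self-signed test material are constructed stand-ins for Certbot's output.

```shell
# Added example, not from the original post: convert Certbot's fullchain.pem and
# privkey.pem into .pfx, .crt and .key in one go, then prove the key belongs to
# the certificate. "openssl pkey" is used instead of "openssl rsa" so the same
# function works for RSA and EC keys.
set -eu

# Usage: convert_le_cert <fullchain.pem> <privkey.pem> <outdir> <name> <pfx-password>
convert_le_cert() {
    chain="$1"; key="$2"; out="$3"; name="$4"; pass="$5"
    mkdir -p "$out"
    umask 077   # key material must not be readable by other users

    # PKCS#12 for Windows/Exchange; -passout replaces the interactive prompt
    openssl pkcs12 -export -inkey "$key" -in "$chain" \
        -passout "pass:$pass" -out "$out/$name.pfx"

    # Leaf certificate only (first block of fullchain.pem), re-emitted as clean PEM
    openssl x509 -in "$chain" -out "$out/$name.crt"

    # Unencrypted private key, whatever the algorithm (RSA or EC)
    openssl pkey -in "$key" -out "$out/$name.key"

    # The public key embedded in the cert must equal the private key's public half
    cert_pub=$(openssl x509 -in "$out/$name.crt" -noout -pubkey | openssl dgst -sha256)
    key_pub=$(openssl pkey -in "$out/$name.key" -pubout | openssl dgst -sha256)
    [ "$cert_pub" = "$key_pub" ] || { echo "ERROR: key does not match certificate" >&2; return 1; }
    echo "$name: key and certificate match"
}

# Constructed stand-in for Certbot output: a throwaway self-signed EC certificate
# for the hypothetical domain lab.example (no ACME or network involved).
make_test_material() {
    dir="$1"; mkdir -p "$dir"
    openssl ecparam -name prime256v1 -genkey -noout -out "$dir/privkey.pem"
    openssl req -x509 -new -key "$dir/privkey.pem" -subj "/CN=lab.example" \
        -days 1 -out "$dir/fullchain.pem" 2>/dev/null
}
```

Run it as `make_test_material /tmp/le-in && convert_le_cert /tmp/le-in/fullchain.pem /tmp/le-in/privkey.pem /tmp/le-out lab changeit`; on real Certbot output, point the first two arguments at the files under /etc/letsencrypt/live/yourdomain.com/.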
Export certificates to your host OS.
Your Linux VM is reachable over SFTP, which uses the same port as SSH (port 22). My host machine runs Windows 10 and I use WinSCP as the SFTP client.
Let’s go back to the step where you converted the certificate and private key from .pem to a .pfx file. You want to export this .pfx to the host machine, but before you do that you need to change its ownership from root to your own user account on the Linux VM:
chown username /tmp/filename.pfx
Now you can copy the .pfx file to a location of your choice. Once you’ve done that, remove the .pfx file from the /tmp folder.
Import certificates using OpenSSL
As mentioned earlier, you can use an OpenSSL binary that fits your OS, but if you are like me and want to use OpenSSL on Linux (the official way), you can do the import on the Linux VM as well.
Copy a certificate file such as a .pfx into the /tmp folder and run the following commands.
openssl pkcs12 -in /tmp/filename.pfx -nocerts -out /tmp/key.pem
openssl pkcs12 -in /tmp/filename.pfx -clcerts -nokeys -out /tmp/cert.pem
openssl rsa -in /tmp/key.pem -out /tmp/private.key
Now you’ve got the certificate as a .pem file and the private key as a .key file. You can move those files back to your host machine. If you want the .pem in .crt format, you can simply change the file extension.
Note that you must remove everything above the PEM block in both files: open them in Notepad and check that they begin with:
-----BEGIN CERTIFICATE-----
xxxxx
-----END CERTIFICATE-----
Last but not least, remove the .pfx file from your Linux VM.
Let’s Encrypt Root & Intermediate Certificate Bundles
Some applications need a file like ca-bundle.crt. You can obtain the Root & Intermediate certificates from the Let’s Encrypt website.
Just download the active Root and Intermediate certificates as .pem files, combine them in Notepad and save the result as a file like ca-bundle.crt. The file will look like this:
-----BEGIN CERTIFICATE-----
xxxxx
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
xxxxx
-----END CERTIFICATE-----
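Building the bundle and checking it, as an added example rather than the post's own steps: it concatenates the root and intermediate .pem files into ca-bundle.crt, verifies the PEM layout (starts with a BEGIN line, exactly two certificate blocks, the same check the import section above asks you to do by eye) and uses the bundle with openssl verify against a leaf certificate. The root/intermediate/leaf chain is constructed throwaway material, not Let's Encrypt's CAs.

```shell
# Added example, not from the original post: assemble ca-bundle.crt from a root
# and an intermediate .pem, check its PEM layout, and verify a leaf certificate
# against it. The chain generated below is constructed test material only.
set -eu

# Concatenate root and intermediate (what the post does in Notepad). Passing
# each file through "openssl x509" re-emits a clean PEM block, dropping stray text.
make_ca_bundle() {
    { openssl x509 -in "$1"; openssl x509 -in "$2"; } > "$3"
}

# Print the number of CERTIFICATE blocks; fail if the file does not start with BEGIN
pem_cert_count() {
    [ "$(head -1 "$1")" = "-----BEGIN CERTIFICATE-----" ] || { echo 0; return 1; }
    grep -c '^-----BEGIN CERTIFICATE-----$' "$1"
}

# Usage: verify_leaf <leaf.pem> <ca-bundle.crt>; succeeds only if the chain closes
verify_leaf() {
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# Constructed test chain root -> intermediate -> leaf, written to directory "$1"
make_test_chain() {
    d="$1"; mkdir -p "$d"
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$d/ca.ext"
    for n in root inter leaf; do
        openssl req -new -newkey rsa:2048 -nodes -subj "/CN=test-$n" \
            -keyout "$d/$n.key" -out "$d/$n.csr" 2>/dev/null
    done
    # Self-signed root carrying the CA extensions
    openssl x509 -req -in "$d/root.csr" -signkey "$d/root.key" -days 2 \
        -extfile "$d/ca.ext" -out "$d/root.pem" 2>/dev/null
    # Intermediate signed by the root, also marked as a CA
    openssl x509 -req -in "$d/inter.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
        -CAcreateserial -days 2 -extfile "$d/ca.ext" -out "$d/inter.pem" 2>/dev/null
    # Leaf signed by the intermediate, no CA extensions
    openssl x509 -req -in "$d/leaf.csr" -CA "$d/inter.pem" -CAkey "$d/inter.key" \
        -CAcreateserial -days 1 -out "$d/leaf.pem" 2>/dev/null
}
```

With the real downloads, call `make_ca_bundle isrgrootx1.pem intermediate.pem ca-bundle.crt` (file names as downloaded from Let's Encrypt) and then `verify_leaf /tmp/yourcertname.crt ca-bundle.crt` to confirm the bundle actually closes the chain for your certificate.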