
I'm trying to generate a wildcard PFX certificate for my domain example.com with Let's Encrypt, using Certbot and then converting the .pem files to .pfx with OpenSSL. The problem is that the final PFX file doesn't seem to meet browser security requirements, and the key doesn't have at least 2048 characters; this is really strange, as Certbot by default works at 2048 bits for RSA keys (I already tried forcing 4096 but I get the same result).

This is the procedure I followed:

  1. From Certbot (installed via Anaconda Python) I ran:

    call C:\ProgramData\Anaconda3\Scripts\activate.bat

    certbot certonly --dns-cloudflare --dns-cloudflare-credentials "C:\Users\administrator.EXAMPLE\Desktop\certificati\cloudflare.ini" --dns-cloudflare-propagation-seconds 30 -d *.example.com --email example@example.com

  2. Then, from OpenSSL, I ran:

    openssl pkcs12 -export -out "C:\Users\administrator.EXAMPLE\Desktop\certificati\EXAMPLE.com.pfx" -inkey "C:\Certbot\live\EXAMPLE.com\privkey.pem" -in "C:\Certbot\live\EXAMPLE.com\fullchain.pem" -password pass:TEST2023!

From the Sangfor VDI interface, an alert appears when I try to import the certificate, and if I try to access the FQDN from Chrome, for example, the domain cannot be loaded due to an SSL mismatch.

This is what appears when I try to import it

This is what appears if I try to open the fqdn from Google Chrome

Andrea

Comments:

  • What does `openssl x509 -in "C:\Certbot\live\EXAMPLE.com\fullchain.pem" -text -noout` print? – Andrew Henle Feb 14 '23 at 00:54
  • @AndrewHenle

        Certificate:
            Data:
                Version: 3 (0x2)
                Serial Number: XXXXXX
                Signature Algorithm: sha256WithRSAEncryption
                Issuer: C = US, O = Let's Encrypt, CN = R3
                Validity
                    Not Before: Feb 14 00:11:38 2023 GMT
                    Not After : May 15 00:11:37 2023 GMT
                Subject: CN = *.example.com
                Subject Public Key Info:
                    Public Key Algorithm: id-ecPublicKey
                        Public-Key: (256 bit)
                        pub: XXXXXXXXXXXX
                        ASN1 OID: prime256v1
                        NIST CURVE: P-256

    – Andrea Feb 14 '23 at 01:13
  • Looks like `certbot` created a 256-bit elliptic curve key instead of a 2048-bit RSA key. `certbot` should have some options to force creation of a 2048-bit RSA key. – Andrew Henle Feb 14 '23 at 01:17
  • I tried rerunning certbot forcing the RSA key size to 2048, but it still works at 256... `certbot certonly --rsa-key-size 2048 --dns-cloudflare --dns-cloudflare-credentials "C:\Users\administrator.EXAMPLE\Desktop\certificati\cloudflare.ini" --dns-cloudflare-propagation-seconds 30 -d *.example.com --email example@example.com` – Andrea Feb 14 '23 at 01:26
  • I found the way to change it... It seems that adding --key-type rsa as an argument forces it, and the output certificate is fine! `certbot certonly --rsa-key-size 2048 --key-type rsa --dns-cloudflare --dns-cloudflare-credentials "C:\Users\administrator.EXAMPLE\Desktop\certificati\cloudflare.ini" --dns-cloudflare-propagation-seconds 30 -d *.example.com --email example@example.com` – Andrea Feb 14 '23 at 01:41

1 Answer

    certbot certonly --rsa-key-size 2048 --key-type rsa --dns-cloudflare --dns-cloudflare-credentials "C:\Users\administrator.EXAMPLE\Desktop\certificati\cloudflare.ini" --dns-cloudflare-propagation-seconds 30 -d *.example.com --email example@example.com

Andrea
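The whole procedure with the fix from the answer, as an added example that is not code from the post, from Certbot or from Sangfor. Certbot 2.x issues ECDSA keys by default, which is why `--rsa-key-size` on its own changed nothing; `--key-type rsa` is what switches the key type. The script issues the certificate, inspects the leaf certificate's public key the same way the `openssl x509 -text` check in the comments does, refuses to build the PFX unless that key is RSA of at least 2048 bits, and takes the PFX password from the environment instead of the command line. It is written for a POSIX shell with `openssl` and `certbot` on PATH; the domain, e-mail address, Cloudflare credential file, live directory and output path are placeholders, not values from the post.

```shell
#!/bin/sh
# Added example, not code from the original post or from Certbot.
# Issue an RSA 2048 wildcard certificate, verify the issued key before
# packaging it, and export the PFX with the password taken from the environment.
# Assumptions (placeholders, not values from the post): DOMAIN, EMAIL, CRED_FILE,
# LIVE_DIR, OUT_PFX; openssl and certbot on PATH; PFX_PASSWORD exported.
set -eu

DOMAIN=${DOMAIN:-example.com}
EMAIL=${EMAIL:-hostmaster@example.com}
CRED_FILE=${CRED_FILE:-/root/cloudflare.ini}
LIVE_DIR=${LIVE_DIR:-/etc/letsencrypt/live/$DOMAIN}
OUT_PFX=${OUT_PFX:-/root/$DOMAIN.pfx}

# key_summary: read `openssl x509 -text -noout` output on stdin and print
# "<algorithm> <bits>", e.g. "rsaEncryption 2048" or "id-ecPublicKey 256".
# Handles both the OpenSSL 1.1.1 layout ("RSA Public-Key: (2048 bit)") and
# the 3.x layout ("Public-Key: (2048 bit)").
key_summary() {
    awk '
        /Public Key Algorithm:/ {
            sub(/.*Public Key Algorithm: */, "")
            alg = $0
        }
        /Public-Key: \(/ {
            match($0, /\([0-9]+ bit\)/)
            bits = substr($0, RSTART + 1, RLENGTH - 2)   # "2048 bit"
            sub(/ bit/, "", bits)                        # "2048"
        }
        END { print alg, bits }
    '
}

# key_meets_policy ALG BITS: the rule the importer in the question enforces,
# an RSA key of at least 2048 bits. Exit status 0 means acceptable.
key_meets_policy() {
    [ "$1" = "rsaEncryption" ] && [ "$2" -ge 2048 ]
}

# cert_key_summary FILE: summary of the first certificate in a PEM file.
# `openssl x509` reads only the first certificate, so fullchain.pem gives the leaf.
cert_key_summary() {
    openssl x509 -in "$1" -noout -text | key_summary
}

issue_and_export() {
    # Certbot 2.x issues ECDSA keys by default. --rsa-key-size alone does not
    # change the key type; --key-type rsa does (the fix from the answer above).
    certbot certonly --non-interactive --agree-tos \
        --key-type rsa --rsa-key-size 2048 \
        --dns-cloudflare --dns-cloudflare-credentials "$CRED_FILE" \
        --dns-cloudflare-propagation-seconds 30 \
        -d "*.$DOMAIN" --email "$EMAIL"

    summary=$(cert_key_summary "$LIVE_DIR/fullchain.pem")
    # Word-split "alg bits"; pad so $1 and $2 always exist under set -u.
    set -- $summary unknown 0
    if ! key_meets_policy "$1" "$2"; then
        echo "refusing to export: leaf key is $1 ($2 bit), need rsaEncryption >= 2048" >&2
        return 1
    fi

    # -passout env: keeps the PFX password out of `ps` output and shell history;
    # -password pass:... on the command line (as in the question) does not.
    : "${PFX_PASSWORD:?export PFX_PASSWORD first}"
    umask 077   # the PFX contains the private key; create it owner-readable only
    openssl pkcs12 -export -out "$OUT_PFX" \
        -inkey "$LIVE_DIR/privkey.pem" -in "$LIVE_DIR/fullchain.pem" \
        -passout env:PFX_PASSWORD
    echo "wrote $OUT_PFX with $1 $2-bit key"
}

# Only run the whole procedure when explicitly asked, so the check functions
# can be sourced or exercised on their own.
if [ "${1:-}" = "--run" ]; then
    issue_and_export
fi
```

On the Windows host in the question the same `openssl x509 -in fullchain.pem -noout -text` check can be run from cmd before the `pkcs12 -export` step; the line to look for is `Public Key Algorithm:` followed by `Public-Key: (N bit)`. Certbot records the key type in the lineage's renewal configuration, so once a certificate has been issued with `--key-type rsa` its renewals stay RSA. If the appliance still rejects the file after the key is RSA 2048, note that OpenSSL 3 encrypts PKCS#12 files with AES-256-CBC and PBKDF2 by default, which some older importers do not understand; `openssl pkcs12 -export -legacy ...` produces the older, more widely accepted format at the cost of weaker encryption on the file itself.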