References

• RSA vs. DSA for SSH authentication keys
• RSA Key Sizes: 2048 or 4096 bits?
• How To Secure Apache with Let’s Encrypt on Debian 9
• Importing LetsEncrypt into Java and Glassfish
• How to install a SSL certificate on GlassFish

Difference between the certificate files

• .key is the private key. This is accessible the key owner and no one else.
• .csr is the certificate request. This is a request for a certificate authority to sign the key. (The key itself is not included.)
• .crt is the certificate produced by the certificate authority that verifies the authenticity of the key. (The key itself is not included.) This is given to other parties, e.g. HTTPS client.
• .pem is a text-based container using base-64 encoding. It could be any of the above files.
  Copy

  1 2 3

  -----BEGIN EXAMPLE----- ... -----END EXAMPLE-----

• .p12 is a PKCS12 file, which is a container format usually used to combine the private key and certificate.

Note that there isn’t only one extension for the certificate produced by the certificate authority. For example you may see certificates with either the .crt or a .pem extension.

Commands

List

1

$ sudo certbot certificates

Delete

1
2
3
4

#delete certbot certificate
$ sudo certbot delete
#delete certbot certificate by domain name
$ sudo certbot delete --cert-name example.com

When deleting SSL certificates, it’s not about deleting merely one file manually. You would need to go through at least the following directories and delete the files associated with the domain name.

• /etc/letsencrypt/archive
• /etc/letsencrypt/live
• /etc/letsencrypt/renewal

Manual SSL generation with preferred-challenges dns

• Let’s Encrypt for GitLab Pages
• Tutorial: Securing your GitLab Pages with TLS and Let’s Encrypt

1

$ certbot certonly --manual --preferred-challenges dns -d domain.tld -d www.domain.tld --config-dir . --logs-dir . --work-dir .

• Deploy a DNS TXT record under the name _acme-challenge.domain.tld
• Deploy a DNS TXT record under the name _acme-challenge.www.domain.tld

How can I install a free SSL certificate using let’s encrypt?

You can get an SSL certificate for free via Let’s Encrypt. Here is how you do it using certbot:

1
2
3
4

curl https://dl.eff.org/certbot-auto > /usr/local/bin/certbot-auto
chmod a+x /usr/local/bin/certbot-auto

certbot-auto certonly --webroot --webroot-path /opt/openproject/public -d openproject.mydomain.com

This requires your OpenProject server to be available from the Internet on port 443 or 80. If this works the certificate (cert.pem) and private key (privkey.pem) will be created under /etc/letsencrypt/live/openproject.mydomain.com/. Configure these for OpenProject to use by running openproject reconfigure and choosing yes when the wizard asks for SSL.

Now this Let’s Encryt certificate is only valid for 90 days. To renew it automatically all you have to do is to add the following entry to your crontab (run crontab -e):

1

0 1 * * * certbot-auto renew --quiet --post-hook "service apache2 restart"

This will execute certbot renew every day at 1am. The command checks if the certificate is expired and renews it if that is the case. The web server is restarted in a post hook in order for it to pick up the new certificate.