How to import SSL certs

wschwab · July 27, 2020, 12:45am

Hi! I usually self-host a website, so I have SSL certs from Let’s Encrypt already. I’m having a pile of problems so I was going to use Netlify. I see the ‘import cert’ options, but I’m confused about how to properly import my certs. Here’s the question in a bit more detail:

Netlify is asking for three things: PEM formatted certs, a private key, and a CA cert chain. I see these files on my machine, but there’s 3 for each one (e.g. cert1.pem, cert2.pem, cert3.pem). Am I supposed to paste in the output at all? Pasting a private key in plaintext seems scary. Also, how am I supposed to paste it in, if that is indeed what I’m supposed to do? Take the content of all three and copy-paste it in? Do I leave in the BEGIN MESSAGE header (and also the footer)?

Thanks!

fool · April 22, 2020, 12:42am

Hi there,

What we are looking for is:

a single pem file for a certificate. You’d need to request ONE certificate for ALL hostnames you’ll use on any netlify site. We do not have any support for >1 certificate per site.
for the CA chain, you can concatenate them - it would have multiple breaks like this:

-----BEGIN CERTIFICATE-----
content of your domain certificate
-----END CERTIFICATE-----
...
-----BEGIN CERTIFICATE-----
content of any intermediate CA certificate
-----END CERTIFICATE-----
...
-----BEGIN CERTIFICATE-----
content of root CA certeficate
-----END CERTIFICATE-----

You do need to paste the key in plaintext, though this will be sent over HTTPS, end to end encrypted to our servers, where it is stored encrypted at rest. Our server has to “know” the private key to answer requests, so it will be decrypted for use from memory upon request, much as your own webserver would do.

Curious why you’d import your own LE certs instead of using our automatically provisioned and renewed ones though?

omar1024 · July 26, 2020, 7:00pm

I too have the same issue
How do i generate the pem certificate and the private key from the three certificates ?
(the three certificates are server, intermediate and root)

luke · July 27, 2020, 12:45am

Hi, @omar1024, personally, I would use the openssl command-line tool to do this. The exact command to run depends on the format that the keys are currently in.

The following page as a summary of the most commonly use SSL commands including converting formats.

https://www.sslshopper.com/article-most-common-openssl-commands.html

What is the format of your existing certificates and and what are the filenames of those files?