@novemberborn
Created February 18, 2016 17:47
Creating a PKCS#12 file from a Let's Encrypt certificate

Assuming you received the certificate in DER form, saved to cert.der:

openssl x509 -inform der -in cert.der -out chain.pem

Append the content of https://letsencrypt.org/certs/lets-encrypt-x1-cross-signed.pem.txt to chain.pem.

Save https://letsencrypt.org/certs/letsencryptauthorityx1.pem.

Assuming the private key for the certificate is in privkey.pem:

openssl pkcs12 -export -inkey privkey.pem -in chain.pem -CAfile letsencryptauthorityx1.pem -out cert.p12

cert.p12 now includes the private key, your certificate, and the full certificate chain.

@ernitishkumar

I think the file in the step "Save https://letsencrypt.org/certs/letsencryptauthorityx1.pem." should be the root file, i.e. ISRG X1 or DST X1

@DayBr3ak

cat /etc/letsencrypt/live/fqdn.com/chain.pem lets-encrypt-x1-cross-signed.pem.txt > chain.pem
openssl pkcs12 -export -inkey /etc/letsencrypt/live/fqdn.com/privkey.pem -in chain.pem -CAfile letsencryptauthorityx1.pem -out cert.p12

>> No certificate matches private key

doesn't work

@DayBr3ak

this works

 openssl pkcs12 -export -out certificate.p12 -inkey /etc/letsencrypt/live/.org/privkey.pem -in /etc/letsencrypt/live/.org/cert.pem -certfile /etc/letsencrypt/live/.org/chain.pem

@ethanbayliss

I use this for jellyfin

echo "0 0,12 * * * root /opt/certbot/bin/python -c 'import random; import time; time.sleep(random.random() * 3600)' && sudo certbot renew -q && LE_CERT_PATH=/etc/letsencrypt/live/jellyfin.example.com/ && openssl pkcs12 -export -password pass: -inkey \${LE_CERT_PATH}privkey.pem -in \${LE_CERT_PATH}cert.pem -certfile \${LE_CERT_PATH}chain.pem -out \${LE_CERT_PATH}cert.p12 && chown jellyfin:jellyfin \${LE_CERT_PATH}cert.p12 && mv \${LE_CERT_PATH}cert.p12 /etc/jellyfin/" | sudo tee -a /etc/crontab > /dev/null

You can probably do this nicer with renewal hooks in certbot but it works okay.
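
Added example, not part of the gist or of any comment above: a shell version of the export that first checks that cert.pem carries the public key of privkey.pem (openssl reports "No certificate matches private key" when no certificate given with -in does) and writes the bundle owner-only, with the passphrase read from a file. The function names, the passphrase file, and the directory argument laid out like the /etc/letsencrypt/live/ paths in the comments are assumptions.

```shell
#!/bin/sh
# Added example. Assumed layout of directory $1: cert.pem (leaf),
# chain.pem (intermediates), privkey.pem (key), as in the commands above.

# key_matches_cert CERT KEY: succeed only if both hold the same public key.
key_matches_cert() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# make_p12 LIVE_DIR OUT PASSFILE: export key + leaf + chain into OUT.
make_p12() {
    live=$1; out=$2; passfile=$3
    if ! key_matches_cert "$live/cert.pem" "$live/privkey.pem"; then
        echo "cert.pem does not carry the public key of privkey.pem" >&2
        return 1
    fi
    (
        umask 077  # bundle contains the private key: owner-only from creation
        openssl pkcs12 -export -inkey "$live/privkey.pem" \
            -in "$live/cert.pem" -certfile "$live/chain.pem" \
            -passout "file:$passfile" -out "$out.tmp"
    ) || { rm -f "$out.tmp"; return 1; }
    mv "$out.tmp" "$out"   # replace the old bundle only after a clean export
}

# p12_cert_count FILE PASSFILE: number of certificates stored in the bundle.
p12_cert_count() {
    openssl pkcs12 -in "$1" -passin "file:$2" -nokeys 2>/dev/null |
        grep -c 'BEGIN CERTIFICATE'
}

if [ "$#" -eq 3 ]; then make_p12 "$@"; fi
```

Run from a certbot deploy hook or a cron job, a non-zero exit leaves the previous bundle in place.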
