novemberborn/howto.md

Created February 18, 2016 17:47

Star (25) You must be signed in to star a gist
Fork (1) You must be signed in to fork a gist

Learn more about clone URLs
Clone this repository at <script src="https://gist.github.com/novemberborn/4eb91b0d166c27c2fcd4.js"></script>
Save novemberborn/4eb91b0d166c27c2fcd4 to your computer and use it in GitHub Desktop.

Download ZIP

Creating a PKCS#12 file from a Let's Encrypt certificate

Raw

howto.md

Assuming you received the certificate in DER form, saved to cert.der:

openssl x509 -inform der -in cert.der -out chain.pem

Append the content of https://letsencrypt.org/certs/lets-encrypt-x1-cross-signed.pem.txt to chain.pem.

Save https://letsencrypt.org/certs/letsencryptauthorityx1.pem.

Assuming the private key for the certificate is in privkey.pem:

openssl pkcs12 -export -inkey privkey.pem -in chain.pem -CAfile letsencryptauthorityx1.pem -out cert.p12

cert.p12 now includes the private key, your certificate, and the full certificate chain.

ethanbayliss commented Nov 30, 2024

I use this for jellyfin

echo "0 0,12 * * * root /opt/certbot/bin/python -c 'import random; import time; time.sleep(random.random() * 3600)' && sudo certbot renew -q && LE_CERT_PATH=/etc/letsencrypt/live/jellyfin.example.com/ && openssl pkcs12 -export -password pass: -inkey ${LE_CERT_PATH}privkey.pem -in ${LE_CERT_PATH}cert.pem -certfile ${LE_CERT_PATH}chain.pem -out ${LE_CERT_PATH}cert.p12 && chown jellyfin:jellyfin ${LE_CERT_PATH}cert.p12 && mv ${LE_CERT_PATH}cert.p12 /etc/jellyfin/" | sudo tee -a /etc/crontab > /dev/null

You can probably do this nicer with renewal hooks in certbot but it works okay.