where is the intermediate certificate?



  • Hello,

    I created a certificate with the "Acme". It works and I am using https when I log in.

    On the other hand, a service provider asks me to communicate the private key, the public key and the intermediate certificate.

    I have downloaded the .crt (public) and the .key (private) in System / Certificate Manager / Certificates, but I do not know where the intermediate certificate is.

    Thank you in advance.



  • I just saw that there are those of the certification authority. Would one of them be the intermediate certificate?



  • Rebel Alliance Developer Netgate

    The Intermediate and root CA are from Let's Encrypt. The X3 entry is the one you're after.

    But it sounds to me like you may be doing something wrong here. You shouldn't be making an ACME cert on pfSense and then manually sending that to a service provider. The certificates will expire every 90 days so you'd have to manually redo it every couple of months.

    You should setup a Let's Encrypt instance directly on whatever will be using the certificate, and the private key for the certificate shouldn't leave that service.

    I'd be wary of any service that asks you to send a private key to them somehow. Transmitting a private key for a certificate over an insecure channel (like e-mail) would compromise the security of the certificate entirely.
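To check which entry in a bundle like the one shown above is the intermediate, here is an added Go example (not from this thread, pfSense or Let's Encrypt) that classifies certificates purely by who signed what: the root verifies its own signature, the intermediate verifies the server certificate, and the server certificate (the one that pairs with the .key file) verifies nothing. The certificate names are constructed stand-ins for the Let's Encrypt root and the X3 intermediate.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Classify labels each bundle entry "root", "intermediate" or "leaf" using only signatures:
// a root verifies itself, an intermediate verifies another entry, a leaf verifies nothing.
func Classify(certs []*x509.Certificate) map[string]string {
	roles := make(map[string]string, len(certs)) // keyed by subject common name
	for _, c := range certs {
		role := "leaf"
		if c.CheckSignatureFrom(c) == nil {
			role = "root"
		}
		for _, o := range certs {
			if role == "leaf" && o != c && o.CheckSignatureFrom(c) == nil {
				role = "intermediate" // e.g. the X3 entry, which signs the server cert
			}
		}
		roles[c.Subject.CommonName] = role
	}
	return roles
}

// mkCert issues a constructed test certificate for cn; parent == nil means self-signed.
func mkCert(cn string, isCA bool, parent *x509.Certificate, pkey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now(), NotAfter: time.Now().Add(24 * time.Hour), IsCA: isCA, BasicConstraintsValid: true}
	if parent == nil { // self-signed: the template is its own issuer
		parent, pkey = tmpl, key
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, pkey)
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

func main() {
	root, rk := mkCert("Constructed Root CA", true, nil, nil)          // stand-in for the LE root
	inter, ik := mkCert("Constructed Intermediate X3", true, root, rk) // stand-in for the X3 entry
	leaf, _ := mkCert("www.example.test", false, inter, ik)            // pairs with the .key file
	fmt.Println(Classify([]*x509.Certificate{leaf, inter, root}))
}
```

Only the public certificates go into such a bundle; the .key file is never part of the chain a provider needs to validate it.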



  • Hello,

    Thank you for your information and recommendation.

    The certificate is transmitted via Keepass.
    I don't know the reason why the private key is requested (even if it is a trusted provider).
    I will inquire about it.

    When you say: "You should setup a Let's Encrypt instance directly on whatever will be using the certificate, and the private key for the certificate shouldn't leave that service.", does that mean directly on my web server "behind the pfSense", or at the provider?


  • Rebel Alliance Developer Netgate

    On whatever is actually using the certificate. Typically a web server, but there are other uses for them (mail servers, VPNs, etc.).

