How to renew your SSL certificate from the (somewhat obscure) automated email

SSL
x509
openssl
Published

January 8, 2024

Prerequisites

You have a working web server whose SSL certificate is still valid but will expire soon, and you have received an email from your SSL provider. This also means your web server configuration already holds a correct key and certificate pair.

The only URL you need is the one with the `format=pemia` suffix, as it contains the full certificate chain.

The mail

You received an email of the form:

Hello,

You have successfully enrolled for a SSL certificate.

You now need to complete the following steps:

* Click the following link to download your SSL certificate
Available formats:
as Certificate only, PEM encoded: … *ends with `format=X509CO`*
as Certificate (w/ issuer after), PEM encoded: … *ends with `format=pemia`*
as Certificate (w/ chain), PEM encoded: … *ends with `format=X509`*
as PKCS#7: … *ends with `format=bin`*
as PKCS#7, PEM encoded:… *ends with `format=base64`*

The steps

Get the third, “Certificate (w/ issuer after), PEM encoded” link (the URL ending with `format=pemia`), and save it as cert.pem.

wget -O cert.pem "https://cert-manager.com/customer/Renater/ssl?action=download&sslId=XXXXXXXX&format=pemia"  

Convert it to a list of certificates suitable for SSL websites:

openssl crl2pkcs7 -nocrl -certfile cert.pem | openssl pkcs7 -print_certs -out cert.crt

Now you can use cert.crt in your webserver configuration.
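
Before reloading the web server, it is worth confirming that cert.crt really pairs with the private key already in your configuration. The script below is an added example, not part of the original procedure: it checks that the bundle holds at least two certificates, that the first one is the server certificate matching the key (web servers expect the server's own certificate first in a chained file), and that it has not expired. The function names and the key path you pass in are assumptions.

```shell
#!/bin/sh
# Added example: check cert.crt against the private key already configured
# in the web server. Function names and the key path are assumptions.
# Usage: sh check_cert.sh cert.crt /path/to/private.key

# Public key (PEM) of the FIRST certificate in a PEM bundle.
leaf_pubkey() { openssl x509 -in "$1" -noout -pubkey 2>/dev/null; }

# Public key (PEM) derived from a private key file.
key_pubkey() { openssl pkey -in "$1" -pubout 2>/dev/null; }

# Number of certificates in the bundle (empty output if the file is unreadable).
cert_count() { grep -c -- '-----BEGIN CERTIFICATE-----' "$1" 2>/dev/null || true; }

# Returns 0 if the bundle is usable, 1 if the chain is missing,
# 2 if the first certificate does not match the key, 3 if it has expired.
check_renewed_cert() {
    bundle=$1; key=$2
    n=$(cert_count "$bundle"); n=${n:-0}
    if [ "$n" -lt 2 ]; then
        echo "FAIL: $n certificate(s) in $bundle, expected server cert + issuer" >&2
        return 1
    fi
    leaf=$(leaf_pubkey "$bundle") && priv=$(key_pubkey "$key") || {
        echo "FAIL: cannot parse $bundle or $key" >&2; return 2; }
    if [ "$leaf" != "$priv" ]; then
        echo "FAIL: first certificate in $bundle does not match $key" >&2
        return 2
    fi
    if ! openssl x509 -in "$bundle" -noout -checkend 0 >/dev/null; then
        echo "FAIL: server certificate has already expired" >&2
        return 3
    fi
    echo "OK: $n certificates, server cert first, matches key," \
         "$(openssl x509 -in "$bundle" -noout -enddate)"
}

# Run the check when called with a bundle and a key.
if [ "$#" -eq 2 ]; then check_renewed_cert "$1" "$2"; fi
```

If the script reports a mismatch on the first certificate, inspect the order of the certificates in cert.crt before using it.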