2020-11-11 11:47:10 +01:00
---
title: Custom certificates
template: docs
taxonomy:
category: docs
2021-02-06 18:03:27 +01:00
routes:
default: '/certificate_custom'
2020-11-11 11:47:10 +01:00
---
2021-02-07 14:53:24 +01:00
! **Note:** since version 2.5, YunoHost integrates Let's Encrypt certificates automated management. You can easily and freely [install a Let's Encrypt certificate ](/certificate ). The following document describes the steps for installing a paid certificate from a certification authority (**Gandi**, **RapidSSL** , **StartSSL** , **Cacert** ).
2020-07-17 18:32:39 +02:00
Some changes have taken place which impact the procedures indicated below:
2024-03-23 08:59:52 +01:00
- Metronome group is no longer used directly but ssl-cert.
- A `/etc/yunohost/certs/DOMAIN.LTD-history/stamp` directory is used to keep each configuration created and a symlink is created.
2020-07-17 18:32:39 +02:00
### Adding a signed certificate by an authority (other than Let's Encrypt)
After the certificate creation with your registration authority, you must have a private key, the key file, and a public certificate, the crt file.
2024-03-23 08:59:52 +01:00
! Note that the key file is very sensitive, it is strictly personal and must be very well secured.
2020-07-17 18:32:39 +02:00
These two files should be copied to the server, if they are not already there.
```bash
2020-07-17 18:44:32 +02:00
scp CERTIFICATE.crt admin@DOMAIN.TLD:ssl.crt
scp KEY.key admin@DOMAIN.TLD:ssl.key
2020-07-17 18:32:39 +02:00
```
From Windows, scp can be used with Putty, by downloading the tool [pscp ](http://the.earth.li/~sgtatham/putty/latest/x86/pscp.exe )
```bash
2020-07-17 18:44:32 +02:00
pscp -P 22 CERTIFICATE.crt admin@DOMAIN.TLD:ssl.crt
pscp -P 22 KEY.key admin@DOMAIN.TLD:ssl.key
2020-07-17 18:32:39 +02:00
```
As soon as the files are on the server, the rest of the work will be done on it. In [ssh ](/ssh ) or locally.
First, create a folder to store the obtained certificates.
```bash
sudo mkdir /etc/yunohost/certs/DOMAIN.TLD/ae_certs
sudo mv ssl.key ssl.crt /etc/yunohost/certs/DOMAIN.TLD/ae_certs/
```
Then, go to the parent folder to continue.
```bash
cd /etc/yunohost/certs/DOMAIN.TLD/
```
As a caution, back up the certificates of origin from YunoHost.
```bash
sudo mkdir yunohost_self_signed
sudo mv *.pem * .cnf yunohost_self_signed/
```
Depending on the registration authority, intermediate and root certificates must be obtained.
2024-03-23 08:59:52 +01:00
#### StartSSL
2020-07-17 18:32:39 +02:00
2024-03-23 08:59:52 +01:00
```bash
sudo wget http://www.startssl.com/certs/ca.pem -O ae_certs/ca.pem
sudo wget http://www.startssl.com/certs/sub.class1.server.ca.pem -O ae_certs/intermediate_ca.pem
```
2020-07-17 18:32:39 +02:00
2024-03-23 08:59:52 +01:00
#### Gandi
2020-07-17 18:32:39 +02:00
2024-03-23 08:59:52 +01:00
```bash
sudo wget https://www.gandi.net/static/CAs/GandiStandardSSLCA2.pem -O ae_certs/intermediate_ca.pem
```
#### RapidSSL
```bash
sudo wget https://knowledge.rapidssl.com/library/VERISIGN/INTERNATIONAL_AFFILIATES/RapidSSL/AR1548/RapidSSLCABundle.txt -O ae_certs/intermediate_ca.pem
```
#### Cacert
```bash
sudo wget http://www.cacert.org/certs/root.crt -O ae_certs/ca.pem
sudo wget http://www.cacert.org/certs/class3.crt -O ae_certs/intermediate_ca.pem
```
2020-07-17 18:32:39 +02:00
Intermediate and root certificates must be combined with the obtained certificate to create a unified certificate chain.
```bash
cat ae_certs/ssl.crt ae_certs/intermediate_ca.pem ae_certs/ca.pem | sudo tee crt.pem
```
The private key must be converted to `.pem` format.
```bash
sudo openssl rsa -in ae_certs/ssl.key -out key.pem -outform PEM
```
To ensure the certificates syntax, check the files contents.
```bash
cat crt.pem key.pem
```
The certificates and private key should look like this:
2024-03-23 08:59:52 +01:00
```text
2020-07-17 18:43:33 +02:00
-----BEGIN CERTIFICATE-----
MIICVDCCAb0CAQEwDQYJKoZIhvcNAQEEBQAwdDELMAkGA1UEBhMCRlIxFTATBgNV
BAgTDENvcnNlIGR1IFN1ZDEQMA4GA1UEBxMHQWphY2NpbzEMMAoGA1UEChMDTExC
MREwDwYDVQQLEwhCVFMgSU5GTzEbMBkGA1UEAxMSc2VydmV1ci5idHNpbmZvLmZy
MB4XDTA0MDIwODE2MjQyNloXDTA0MDMwOTE2MjQyNlowcTELMAkGA1UEBhMCRlIx
FTATBgNVBAgTDENvcnNlIGR1IFN1ZDEQMA4GA1UEBxMHQWphY2NpbzEMMAoGA1UE
ChMDTExCMREwDwYDVQQLEwhCVFMgSU5GTzEYMBYGA1UEAxMPcHJvZi5idHNpbmZv
LmZyMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDSUagxPSv3LtgDV5sygt12
kSbN/NWP0QUiPlksOkF2NkPfwW/mf55dD1hSndlOM/5kLbSBo5ieE3TgikF0Iktj
BWm5xSqewM5QDYzXFt031DrPX63Fvo+tCKTQoVItdEuJPMahVsXnDyYHeUURRWLW
wc0BzEgFZGGw7wiMF6wt5QIDAQABMA0GCSqGSIb3DQEBBAUAA4GBALD640iwKPMf
pqdYtfvmLnA7CiEuao60i/pzVJE2LIXXXbwYjNAM+7Lov+dFT+b5FcOUGqLymSG3
kSK6OOauBHItgiGI7C87u4EJaHDvGIUxHxQQGsUM0SCIIVGK7Lwm+8e9I2X0G2GP
9t/rrbdGzXXOCl3up99naL5XAzCIp6r5
-----END CERTIFICATE-----
```
2020-07-17 18:32:39 +02:00
Finally, secure your certificate files.
```bash
sudo chown root:metronome crt.pem key.pem
sudo chmod 640 crt.pem key.pem
sudo chown root:root -R ae_certs
sudo chmod 600 -R ae_certs
```
Now the certificates (two files with the extension `.pem` ) must be copied in `/etc/yunohost/certs/DOMAIN.TLD` .
```bash
cp ae_certs/*.pem ./
```
Reload NGINX configuration to take into account the new certificate.
```bash
sudo service nginx reload
```
2024-03-23 08:59:52 +01:00
Your certificate is ready. However, you can ensure that it is in place by testing the certificate using the [geocerts ](https://www.geocerts.com/ssl_checker ).