Let's Encrypt Certbot manual mode with Azure Key Vault » 13 July 2023

Most of the time I use Certbot to generate and renew my Let's Encrypt certificates automatically, e.g. from GitHub Actions. Every now and then, however, I need to generate a certificate by hand, usually for something short-lived.

To do that I use Certbot's manual mode with DNS verification, which requires you to create a DNS TXT record with a specific value. This is a bit cumbersome, but it works (or there might be a DNS plugin available for your provider). However, the generated certificate cannot be imported directly into Azure Key Vault, which I usually use for my projects.

For this post the choice of challenge does not matter, but in some scenarios the DNS challenge is the more practical one: for example, I once had to generate a certificate for a domain that pointed to an Azure CDN endpoint, which in turn pointed to an HTTPS-only Azure Storage account.

This post is more of a note to self, but maybe it helps someone else as well. Also, the commands were for macOS, so your mileage may vary.

Generate certificate

Generating the certificate is pretty straightforward, but make sure you pick RSA keys (Certbot has defaulted to ECDSA since version 2.0), as Azure Key Vault does not support ECDSA keys yet.

sudo certbot certonly -d example.com,www.example.com --manual --preferred-challenges dns --key-type rsa

Convert certificate to PFX

The next step is to convert the certificate to a PFX file, which can be imported to Azure Key Vault. This can be done with the following command:

sudo openssl pkcs12 -export -in /etc/letsencrypt/live/example.com/fullchain.pem -inkey /etc/letsencrypt/live/example.com/privkey.pem -out ./export.pfx

The resulting PFX file can be imported to Azure Key Vault, thus making it usable for Azure CDN and other Azure services.
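The two commands above do the job, but a PFX that is rejected by Key Vault is easiest to avoid by checking the inputs first. The script below is an added example and not part of the original post: it checks that privkey.pem really is an RSA key (the point of --key-type rsa), that the key matches the leaf certificate in fullchain.pem, then runs the same openssl pkcs12 export as the post with the export password supplied up front, and finally confirms the PFX can be opened with that password. The Azure CLI upload at the end uses placeholder vault and certificate names and is never called by the checks; the live-directory layout, the PFX_PASSWORD variable and the script name are assumptions.

```sh
#!/bin/sh
# Added example, not from the original post: wraps the "convert to PFX" step
# with two checks worth doing before uploading to Azure Key Vault: the private
# key really is RSA, and the key matches the leaf certificate.
# Assumes openssl on PATH and a certbot live directory laid out as
# /etc/letsencrypt/live/<domain>/{fullchain.pem,privkey.pem}.
set -eu

# Succeeds only if the PEM private key in $1 is an RSA key.
# RSA keys print a "publicExponent" line in text form; EC keys do not.
key_is_rsa() {
  openssl pkey -in "$1" -noout -text 2>/dev/null | grep -q 'publicExponent'
}

# Succeeds only if the public key in certificate $1 (the first cert in the
# file, i.e. the leaf) equals the public key derived from private key $2.
# Catches a swapped or stale privkey.pem before it ends up in a PFX.
cert_matches_key() {
  cert_pub=$(openssl x509 -in "$1" -noout -pubkey | openssl dgst -sha256)
  key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null | openssl dgst -sha256)
  [ "$cert_pub" = "$key_pub" ]
}

# Bundles chain $1 and key $2 into PKCS#12 file $3, protected by password $4.
# Same openssl invocation as in the post, with the password given up front so
# the script can run unattended.
make_pfx() {
  openssl pkcs12 -export -in "$1" -inkey "$2" -out "$3" -passout "pass:$4"
}

# Succeeds only if $1 is a PKCS#12 file that opens with password $2 and
# carries at least one certificate.
pfx_has_cert() {
  openssl pkcs12 -in "$1" -nokeys -passin "pass:$2" 2>/dev/null | grep -q 'BEGIN CERTIFICATE'
}

# Uploads the PFX with the Azure CLI; Key Vault needs the same password the
# PFX was exported with. Vault and certificate names are placeholders and
# this function is not called by the checks above.
import_to_keyvault() {
  az keyvault certificate import --vault-name "$1" --name "$2" --file "$3" --password "$4"
}

# Invoked as: sudo sh le-to-pfx.sh /etc/letsencrypt/live/example.com ./export.pfx
# (sudo because certbot's live directory is root-only). Does nothing when run
# without arguments so the functions can be exercised on their own.
if [ $# -ge 2 ]; then
  live="$1"; out="$2"
  pfx_pw="${PFX_PASSWORD:-changeit}"   # constructed default; override via env
  key_is_rsa "$live/privkey.pem" || { echo "privkey.pem is not RSA; rerun certbot with --key-type rsa" >&2; exit 1; }
  cert_matches_key "$live/fullchain.pem" "$live/privkey.pem" || { echo "privkey.pem does not match fullchain.pem" >&2; exit 1; }
  make_pfx "$live/fullchain.pem" "$live/privkey.pem" "$out" "$pfx_pw"
  pfx_has_cert "$out" "$pfx_pw" && echo "wrote $out"
fi
```

The RSA check is what saves the round trip to Key Vault: a certificate issued with Certbot's default ECDSA key converts to a PFX without complaint, and the rejection only shows up at import time. The key/certificate comparison hashes the PEM public key from both sides rather than parsing moduli, so it works the same for any key type openssl understands.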