Install a custom SSL certificate

This guide explains how to…

1. … generate a CSR and private key to request a third-party certificate from a Certificate Authority (CA)
2. … import that certificate for your Infomaniak website, using the CRT obtained from the CA

Prerequisites

• While Infomaniak offers all the SSL certificates you might need…
  • Free Let's Encrypt certificates for personal websites (only available for websites hosted on Infomaniak)
  • DV certificates from Sectigo for professional/personal websites not registered in the commercial register
  • EV certificates from Sectigo for businesses listed in the commercial register
• … it is also possible to install an SSL certificate obtained elsewhere (intermediate certificate from a certification body of your choice), custom certificates, or self-signed certificates.

1. Generate a CSR (Certificate Signing Request)

A CSR (Certificate Signing Request) is an encoded file containing the information required to request an SSL/TLS certificate. It must be generated on your end to ensure that the private key remains under your control, for example, by using OpenSSL.

Adapt and run this command in a terminal:

openssl req -utf8 -nodes -sha256 -newkey rsa:2048 -keyout domain.xyz.key -out domain.xyz.csr -addext "subjectAltName = DNS:domain.xyz, DNS:www.domain.xyz"

Explanation

• newkey rsa:2048: Generates a new RSA key of 2048 bits.
• keyout domain.xyz.key: Specifies the file where the private key will be saved.
• out domain.xyz.csr: Specifies the file where the CSR will be saved.
• addext “subjectAltName = ...”: Adds additional domains through the SAN (Subject Alternative Name) extension, necessary to include all desired domains in the certificate (the primary domain domain.xyz + any related domain or subdomain such as www.domain.xyz).

After generation, you can verify the contents of the CSR with the following command:

openssl req -in domain.xyz.csr -noout -text

This allows you to verify that all the domains listed in subjectAltName are correctly included.

Once the CSR is generated, you can send it to the Certificate Authority (CA) to obtain your SSL/TLS certificate.

2. Import the external certificate

Once validated, the CA will provide you with a certificate (domain.xyz.crt) and sometimes an intermediate certificate (ca_bundle.crt). To access SSL certificate management:

1. Click here to access your product management in the Infomaniak Manager (need help?).
2. Click directly on the name assigned to the relevant product.
3. Click on SSL Certificates in the left-hand menu.
4. Click the blue button Install a certificate:
   
5. Select the custom certificate option.
6. Click the Next button:
   
7. Import your certificate and private key, either by uploading the .crt and .key files or by copy-pasting.
8. Click Complete:
   

Alternative command to generate a self-signed certificate (optional)

If you want a local certificate for testing purposes or without going through a CA (not recommended for production), you can use this command:

openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout domain.xyz.key -out domain.xyz.crt -addext “subjectAltName = DNS:domain.xyz, DNS:www.domain.xyz”

This generates both a self-signed certificate (domain.xyz.crt) and a private key (domain.xyz.key). However, self-signed certificates are not recognized as valid by browsers or public systems. They are only suitable for internal or development environments.