Import Custom SSL Certificate

This guide explains how...

1. ... generate a CSR and private key to apply for a third-party certificate from a Certification Authority (CA)
2. … import this certificate for your Infomaniak site, thanks to the CRT obtained from the CA

Preamble

• Although Infomaniak offers all SSL certificates that you might need...
  • free certifs Let's Encrypt for the personal sites (only possible with the sites hosted by Infomaniak)
  • certifs DV of Sectionigo for the professional/individual sites which are not registered in the Commercial Register
  • certifs EV of Sectionigo for the enterprises registered in the business register
• ... it is also possible to install an SSL certificate obtained elsewhere (intermediate/intermediate certificate from a certification body of your choice), personalized or self-signed certificates.

1. Generate a CSR (Certificate Signing Request)

A CSR (Certificate Signing Request or Application for Signature of Certificate) is an encoded file containing information necessary to request an SSL/TLS certificate. It must be generated on your side, to ensure that the private key remains under your control, using e.g. OpenSSL

Adapt and enter this command in a terminal:

openssl req -utf8 -nodes -sha256 -newkey rsa:2048 -keyout domain.xyz.key -out domain.xyz.csr -addext "subjectAltName = DNS:domain.xyz, DNS:www.domain.xyz"

Explanations

• newkey rsa:2048: Generates a new RSA key of 2048 bits.
• keyout domain.xyz.key: Specifies the file where the private key will be saved.
• out domain.xyz.csr: Specifies the file where the CSR will be saved.
• addext “subjectAltName = ...”: Adds additional domains via the SAN (Subject Alternative Name) extension, necessary to include all desired domains in the certificate (the main domain) domain.xyz + any other associated domain or sub-domain, such as www.domain.xyz).

After generation, you can check the contents of the CSR with the following command:

openssl req -in domain.xyz.csr -noout -text

This ensures that all domains listed in subjectAltName are correctly included.

Once the CSR is generated, you can forward it to the Certification Authority (CA) to obtain your SSL/TLS certificate.

2. Import External Certificate

Once validated, the CA will issue you a certificate (domain.xyz.crt) and sometimes an intermediate certificate (ca_bundle.crt). To access SSL certificate management:

1. Click here in order to access the management of your product on the Manager Infomaniak (Need help?).
2. Click directly on the nameallocated to the product concerned.
3. Click on SSL certificates in the left side menu.
4. Click the blue button Install a certificate:
   
5. Choose the certificate Custom.
6. Click on the button Next:
   
7. Import your certificate and private key, either by importing files .crt and .key or by copy-paste.
8. Click on Complete:
   

Alternative command to generate a self-signed certificate (optional)

If you want a local certificate only for testing or without going through a CA (not recommended for production), you can use this command:

openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout domain.xyz.key -out domain.xyz.crt -addext “subjectAltName = DNS:domain.xyz, DNS:www.domain.xyz”

This generates both a self-signed certificate (domain.xyz.crt) and a private key (domain.xyz.key). However, self-signed certificates are not recognized as valid by public browsers or systems. They are suitable only for internal or development environments.