1000 FAQs, 500 tutorials and explanatory videos. Here, there are only solutions!
Import Custom SSL Certificate
This guide explains how...
- ... generate a CSR and private key to apply for a third-party certificate from a Certification Authority (CA)
- … import this certificate for your Infomaniak site, thanks to the CRT obtained from the CA
Preamble
- Although Infomaniak offers all SSL certificates that you might need...
- free certifs Let's Encrypt for the personal sites (only possible with the sites hosted by Infomaniak)
- certifs DV of Sectionigo for the professional/individual sites which are not registered in the Commercial Register
- certifs EV of Sectionigo for the enterprises registered in the business register
- ... it is also possible to install an SSL certificate obtained elsewhere (intermediate/intermediate certificate from a certification body of your choice), personalized or self-signed certificates.
1. Generate a CSR (Certificate Signing Request)
A CSR (Certificate Signing Request or Application for Signature of Certificate) is an encoded file containing information necessary to request an SSL/TLS certificate. It must be generated on your side, to ensure that the private key remains under your control, using e.g. OpenSSL
Adapt and enter this command in a terminal:
openssl req -utf8 -nodes -sha256 -newkey rsa:2048 -keyout domain.xyz.key -out domain.xyz.csr -addext "subjectAltName = DNS:domain.xyz, DNS:www.domain.xyz"
Explanations
newkey rsa:2048
: Generates a new RSA key of 2048 bits.keyout domain.xyz.key
: Specifies the file where the private key will be saved.out domain.xyz.csr
: Specifies the file where the CSR will be saved.addext “subjectAltName = ...”
: Adds additional domains via the SAN (Subject Alternative Name) extension, necessary to include all desired domains in the certificate (the main domain) domain.xyz + any other associated domain or sub-domain, such as www.domain.xyz).
After generation, you can check the contents of the CSR with the following command:
openssl req -in domain.xyz.csr -noout -text
This ensures that all domains listed in subjectAltName are correctly included.
Once the CSR is generated, you can forward it to the Certification Authority (CA) to obtain your SSL/TLS certificate.
2. Import External Certificate
Once validated, the CA will issue you a certificate (domain.xyz.crt
) and sometimes an intermediate certificate (ca_bundle.crt
). To access SSL certificate management:
- Click here in order to access the management of your product on the Manager Infomaniak (Need help?).
- Click directly on the nameallocated to the product concerned.
- Click on SSL certificates in the left side menu.
- Click the blue button Install a certificate:
- Choose the certificate Custom.
- Click on the button Next:
- Import your certificate and private key, either by importing files
.crt
and.key
or by copy-paste. - Click on Complete:
Alternative command to generate a self-signed certificate (optional)
If you want a local certificate only for testing or without going through a CA (not recommended for production), you can use this command:
openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout domain.xyz.key -out domain.xyz.crt -addext “subjectAltName = DNS:domain.xyz, DNS:www.domain.xyz”
This generates both a self-signed certificate (domain.xyz.crt
) and a private key (domain.xyz.key
). However, self-signed certificates are not recognized as valid by public browsers or systems. They are suitable only for internal or development environments.