Skip to content

Using letsencrypt certificate in PDF signing

DOF is using syncfusion libararies to sign PDF, this library does not support certificate with EC key. However Certbot on linux uses EC by default.

This guide will help you configure the Linux NGinX certificates to be used for signing PDF as well.

Step 1

Start by forcing certbot to use RCA, run certbot with RCA flags

sudo certbot --nginx --key-type rsa --rsa-key-size 2048

Now the PEM files will use RCA.

Step 2

Next We want to generate a PFX that will update when the PEM updates. For that we create a shell file in the hooks folder of letsencrypt /etc/letsencrypt/renewal-hooks/deploy/export-pfx.sh

sudo nano /etc/letsencrypt/renewal-hooks/deploy/export-pfx.sh

Place the following content:

#!/bin/bash

# This script is called by Certbot with env variables set:
# RENEWED_LINEAGE is the path like /etc/letsencrypt/live/example.com


echo "Generating PFX"

LIVE_DIR="$RENEWED_LINEAGE"
DOMAIN=$(basename "$LIVE_DIR")
PFX_DIR="/etc/letsencrypt/pfx"
PFX_FILE="$PFX_DIR/$DOMAIN.pfx"
PASSWORD_FILE="/etc/letsencrypt/ssl-password.txt"

mkdir -p "$PFX_DIR"

if [[ ! -f "$LIVE_DIR/privkey.pem" ]]; then
echo "Private key not found for $DOMAIN"
exit 1
fi

openssl pkcs12 -export \
-out "$PFX_FILE" \
-inkey "$LIVE_DIR/privkey.pem" \
-in "$LIVE_DIR/cert.pem" \
-certfile "$LIVE_DIR/chain.pem" \
-passout file:"$PASSWORD_FILE"

# Set secure permissions give access to authenticated users
sudo chgrp users  "$PFX_FILE"
sudo chmod 640  "$PFX_FILE"

echo "Generated PFX for $DOMAIN"

Save and set to executable:

sudo chmod +x /etc/letsencrypt/renewal-hooks/deploy/export-pfx.sh

place the password in a seperate file:

echo "yourStrongPassword123" | sudo tee /etc/letsencrypt/ssl-password.txt > /dev/null
sudo chmod 600 /etc/letsencrypt/ssl-password.txt

You could have used the PEM files, but that means that the private key PEM is not protected

Step 3

To check that the shell file is valid:

sudo RENEWED_LINEAGE="/etc/letsencrypt/live/example.com" /etc/letsencrypt/renewal-hooks/deploy/export-pfx.sh

Make sure PFX certificate(s) are generated

Step 4

Setup the certificate in DOF in the configuration file

<Certificates>
    ...
    <Certificate>
        <Key>g</Key>
        <Password>...</Password>
        <File>/etc/letsencrypt/pfx/[your domain name].pfx</File>
    </Certificate>
    ...
</Certificates>