Description
Feature Request:
I recently noticed there were no p12 files that could be generated through the nginx proxy GUI (from what I've seen). I was thinking the feature could be useful for certain self-hostings, such as Jellyfin or other websites that have the option to turn on the "require https" feature.
Is your feature request related to a problem?
The feature is not related to a problem; however, I believe it adds another useful feature for when configuring a website and wanting to turn on require https. Having an easy path to provide that was generated from the key pair and root/issuing CAs would make it so that the .p12 file can be generated and saved with a password on the system running nginx-proxy-manager. Then the server would be able to provide a single path to the website that it could use even on re-keys. The password that will be used can be saved in the database or in a file within the config folder for nginx-proxy-manager.
Possible Solution:
- Add a checkbox or a new tab within nginx-proxy-manager to choose to generate a .p12 after obtaining a certificate from Let's Encrypt.
- If the checkbox is checked to create a pkcs12, a new optional box is displayed in the certificate request with the label "PKCS12 (p12) password:". Also add an information hover-over indicator that states, "This password will be used to generate a .p12 file, and will also be used for re-key of certificates."
  a. If the user omits the password and confirms the certificate request to Let's Encrypt without the PKCS12 password, a pop-up is displayed to tell them the .p12 file will not be generated at this time, and can be manually generated at a later time.
  b. If the user provides the password in the "PKCS12 (p12) password:" field, then after the certificate is retrieved from Let's Encrypt, nginx-proxy-manager will run the OpenSSL command to generate the .p12 file.
Examples:
sudo openssl pkcs12 -export -out /path/to/pkcs12/Example.p12 -certpbe AES-256-CBC -keypbe AES-256-CBC -macalg SHA256 -inkey /path/to/privatekey/privkey.key -in /path/to/certificate/cert.pem -certfile /path/to/root/root.pem -passout file:/path/to/pkcs12/password/pkcs12.pass
[or]
sudo openssl pkcs12 -export -out /path/to/pkcs12/Example.p12 -certpbe AES-256-CBC -keypbe AES-256-CBC -macalg SHA256 -inkey /path/to/privatekey/privkey.key -in /path/to/certificate/cert.pem -certfile /path/to/root/root.pem -password "pass:$PKCS12_password"
- Re-run the command on re-key of certificates using the same password.
- The associated .p12 should be available in the same folder as the associated certificate and private key files.
Alternative Solution:
Add a button next to each SSL Certificate that says "Generate .p12/.pfx", and when the button is clicked it will run something like the OpenSSL command shown above. On successful generation of the file, the button should show a check mark to indicate it's been generated. Maybe grey out and disable the box for a limited period of time after creating the file?
Additional context
I think the feature might make a big quality of life improvement for self hosting certificates and SSL.
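
The generation step described in this request, as an added example that is not part of the original post or of nginx-proxy-manager: a shell function that writes the .p12 with owner-only permissions and can be re-run unchanged on each re-key. The name `export_p12` and its argument order are hypothetical; it assumes an unencrypted private key and reads the password through OpenSSL's `file:` source so the password does not appear in the process list.

```shell
#!/bin/sh
# Added example: hypothetical helper, not nginx-proxy-manager code.
# Usage: export_p12 KEY CERT CHAIN PASSFILE OUT
# Returns 0 on success, 2 if no password is available, 1 on any other error.
export_p12() {
    key=$1 cert=$2 chain=$3 passfile=$4 out=$5

    # No password stored: skip generation, as the request describes for the
    # case where the user leaves the PKCS12 password field empty.
    [ -s "$passfile" ] || { echo "no PKCS12 password, skipping .p12" >&2; return 2; }

    # The bundle contains the private key, so create it readable by the
    # owner only, and build it under a temporary name in the target folder
    # so a consumer never sees a half-written file during a re-key.
    old_umask=$(umask)
    umask 077
    tmp=$(mktemp "$out.XXXXXX") || { umask "$old_umask"; return 1; }

    # Export with the ciphers from the request, then re-open the result with
    # the same password to confirm the MAC and encryption are valid before
    # replacing the previous bundle.
    if openssl pkcs12 -export -out "$tmp" \
            -certpbe AES-256-CBC -keypbe AES-256-CBC -macalg SHA256 \
            -inkey "$key" -in "$cert" -certfile "$chain" \
            -passout "file:$passfile" &&
       openssl pkcs12 -in "$tmp" -noout -passin "file:$passfile" 2>/dev/null
    then
        mv -f "$tmp" "$out"; rc=$?
    else
        rm -f "$tmp"; rc=1
    fi
    umask "$old_umask"
    return $rc
}
```

Calling it from a renewal hook with the same password file each time keeps the output path stable across re-keys.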