I need a certificate from a well-known CA in pkcs12 format. That standard requires that the private key be bundled in the certificate file. I know I could use Let’s Encrypt; however, a downstream provider has a limitation that the certificate expiry must be longer than the 90 days provided by Let’s Encrypt.
I am trying to understand if Cloudflare could provide this. As far as I can tell from the documentation, that does not seem possible.
Is there anyone who happens to know if that is the case? If not, do you have suggestions (other than Let’s Encrypt) for a reputable CA where I can get a certificate for my domain?
Cloudflare is the only one that holds their encryption keys, so you’re right in that you can’t obtain the private key to your site’s Cloudflare certificate.
Not for free, and I cannot personally recommend any other since they all rely on the antiquated business model of charging for encryption (when pure DV certs using DNS+ACME certificate verification are all that’s needed for secure communications).
90 days is really the gold standard in security - if you don’t have automation set up for 90-day certificates, that means you also don’t have automation for your 1- or 2-year certs, meaning you’re more at risk of forgetting to renew your certificate before the expiration date and thus experiencing an outage due to the expiry.