Solution Based on Experience from the Field

This article provides a solution that has not been approved by the IGEL Research and Development department. Therefore, official support cannot be provided by IGEL. Where applicable, test the solution before deploying it to a productive environment.


This article addresses the issue when the customers need a signed cert, but don’t want to use the UMS as CA.

You can use "letsencrypt" as a CA for quickly and easily grabbing a FREE certificate for your ICG server (or for any server where you need a signed cert). At this point, LetsEncrypt is trusted by all the browsers and it has a completely automated process for initially retrieving a new singed cert and also for renewing.


  • UMS version: any


Here's the process that we followed on an Ubuntu 16.04 Digital Ocean droplet. (This page is good overview: )

  1. Open up incoming port 80 (temporarily) on your server firewall to allow for automated verification that you control the domain (see below).
  2. Make sure that the FQDN names that you'll be getting certs for do DNS resolve to your droplet (verification will fail if they don't).
  3. Install certbot like this (from above link):
    sudo apt-get update
    sudo apt-get install software-properties-common
    sudo add-apt-repository ppa:certbot/certbot
    sudo apt-get update
    sudo apt-get install certbot
  4. Run the command: sudo certbot certonly
  5. Choose "spin up a temporary web server" (this is used for let's encrypt to fetch a page and verify that you control the domain).
  6. Enter your domain names (separated by a comma) that you want to create a cert for and press "enter".
  7. Finish the remaining questions.
  8. If all was successful, you'll find your server certificate (cert1.pem), root CA Chain (chain1.pem), and private key (privkey1.pem) in the /etc/letsencrypt/archive/<your domain name> folder.
  9. These files are all ready and in the right format to add to UMS and create your keystore.icg file.