Slide 1

Slide 1 text

Let's Encrypt! A brief introduction

Slide 2

Slide 2 text

What
Certificate Authority that provides TLS certificates

Slide 3

Slide 3 text

What
Certificate Authority that provides TLS certificates
- Free of charge

Slide 4

Slide 4 text

What
Certificate Authority that provides TLS certificates
- Free of charge
- No human interaction required

Slide 5

Slide 5 text

Why HTTPS?
● Security

Slide 6

Slide 6 text

Why HTTPS?
● Security
● HTTP/2

Slide 7

Slide 7 text

How does HTTPS work?

Slide 8

Slide 8 text

Diagram: User Agent (browser) and HTTPS server

Slide 9

Slide 9 text

Diagram: User Agent (browser) and HTTPS server. Owned by the site administrator: a private key and public key for the domain.

Slide 10

Slide 10 text

Diagram: User Agent (browser) and HTTPS server. Owned by the site administrator: a private key and public key for the domain, plus a certificate (Subject, Subject public key, Issuer, Signature).

Slide 11

Slide 11 text

Diagram: User Agent (browser) and HTTPS server. Owned by the site administrator: a private key and public key for the domain, plus a certificate (Subject, Subject public key, Issuer, Signature). Owned by the CA: its own private key and public key.

Slide 12

Slide 12 text

Diagram: User Agent (browser) and HTTPS server. Owned by the site administrator: a private key and public key for the domain, plus a certificate (Subject, Subject public key, Issuer, Signature). Owned by the CA: its own private key and public key, plus the CA certificate (Subject, Subject public key, Issuer, Signature).

Slide 17

Slide 17 text

ACME protocol

Slide 18

Slide 18 text

Client sends a request to the certificate authority with:
- Domain name to validate
- Public key
- Validation method

Slide 19

Slide 19 text

Client sends a request to the certificate authority with:
- Domain name to validate
- Public key
- Validation method
Certificate Authority replies with a challenge token

Slide 20

Slide 20 text

Client sends a request to the certificate authority with:
- Domain name to validate
- Public key
- Validation method
Certificate Authority replies with a challenge token
Client sets up the validation method with the given token

Slide 21

Slide 21 text

Client sends a request to the certificate authority with:
- Domain name to validate
- Public key
- Validation method
Certificate Authority replies with a challenge token
Client sets up the validation method with the given token
Client notifies the authority

Slide 22

Slide 22 text

Client sends a request to the certificate authority with:
- Domain name to validate
- Public key
- Validation method
Certificate Authority replies with a challenge token
Client sets up the validation method with the given token
Client notifies the authority
Certificate Authority validates the domain name

Slide 23

Slide 23 text

Client sends a request to the certificate authority with:
- Domain name to validate
- Public key
- Validation method
Certificate Authority replies with a challenge token
Client sets up the validation method with the given token
Client notifies the authority
Certificate Authority validates the domain name
If successful, sends back a certificate to the client for the validated domain

Slide 24

Slide 24 text

Validation methods

Slide 25

Slide 25 text

Validation methods
- Simple HTTP request

Slide 26

Slide 26 text

Validation methods
- Simple HTTP request
- DNS

Slide 27

Slide 27 text

Validation methods
- Simple HTTP request
- DNS
- Some other stuff, check the spec
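Added example (not from the slides): what "setting up the validation method with the given token" means for the HTTP and DNS methods, and what the CA then checks, following RFC 8555 and the RFC 7638 key thumbprint. The account key and token below are constructed sample values, not a real key or a real challenge.

```python
import base64
import hashlib
import json

# RFC 7638: only these members, in lexicographic order, feed the thumbprint.
THUMBPRINT_MEMBERS = {"EC": ("crv", "kty", "x", "y"), "RSA": ("e", "kty", "n")}

# Constructed sample values (not a real key, not a real token).
ACCOUNT_JWK = {"kty": "EC", "crv": "P-256",
               "x": "aB3dE5fG7hI9jK1lM2nO4pQ6rS8tU0vW1xY2zA3bC4d",
               "y": "Zy9xW7vU5tS3rQ1pO2nM4lK6jI8hG0fE1dC2bA3zY4x"}
TOKEN = "tok-constructed-N7qP3sL9vX2mB4kR8wY5cT1hJ6d"

def b64url(data: bytes) -> str:
    """Base64url without '=' padding, as RFC 8555 requires everywhere."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint of the ACME account key: SHA-256 over the
    canonical JSON of the required members (sorted keys, no whitespace)."""
    members = THUMBPRINT_MEMBERS[jwk["kty"]]
    canonical = json.dumps({m: jwk[m] for m in members},
                           sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())

def key_authorization(token: str, account_jwk: dict) -> str:
    """token || '.' || thumbprint: proves the responder holds the account key."""
    return f"{token}.{jwk_thumbprint(account_jwk)}"

def http01_response(token: str, account_jwk: dict) -> tuple:
    """(URL path, body) the web server must serve for the HTTP method."""
    return f"/.well-known/acme-challenge/{token}", key_authorization(token, account_jwk)

def dns01_record(domain: str, token: str, account_jwk: dict) -> tuple:
    """(TXT record name, value) for the DNS method: SHA-256 of the key
    authorization, base64url-encoded, published under _acme-challenge."""
    digest = hashlib.sha256(key_authorization(token, account_jwk).encode("ascii")).digest()
    return f"_acme-challenge.{domain}", b64url(digest)

def ca_accepts_http01(served_body: str, token: str, account_jwk: dict) -> bool:
    """CA-side check: the body fetched from the token path must equal the
    expected key authorization (trailing whitespace ignored, RFC 8555 8.3)."""
    return served_body.rstrip() == key_authorization(token, account_jwk)
```

The thumbprint binds the challenge response to the account key, so a body copied from another account's response, or served for a different token, is rejected.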

Slide 28

Slide 28 text

Tools

Slide 29

Slide 29 text

Drawbacks

Slide 30

Slide 30 text

FAQ

Slide 31

Slide 31 text

FAQ
● Wildcard certificate support?
  ○ Validation is a bit harder, not supported by the spec yet.
● Mitigation against MITM in the validation step?
  ○ ACME spec recommends checking the connection from multiple vantage points to reduce this risk
● nginx support?
  ○ Currently in experimental phase