Figure: the certificate trust model. The site administrator owns a private key, a public key and the HTTPS server; the CA owns its own private key and public key. The certificate carries the Domain (Subject), the Subject public key, the Issuer and the Issuer's Signature, and is presented by the HTTPS server to the User Agent (browser).
Issuance flow:
1. Client sends a request to the certificate authority with:
   - Domain name to validate
   - Public key
   - Validation method
2. Certificate Authority replies with a challenge token
3. Client sets up the validation method with the given token
4. Client notifies the authority
5. Certificate Authority validates the domain name
6. If successful, sends back a certificate to the client for the validated domain
FAQ
● Wildcard certificate support?
  ○ Validation is a bit harder; not supported by the spec yet.
● Mitigation against MITM in the validation step?
  ○ The ACME spec recommends checking the connection from multiple vantage points to reduce this risk.
● nginx support?
  ○ Currently in an experimental phase.
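The issuance flow above and the FAQ's multi-vantage-point mitigation, modelled as an added example (not code from the original slides): a toy CA hands out a challenge token, the site's client publishes the key authorization on its HTTPS server, and the CA issues only when every vantage point sees the same correct answer. Assumed and constructed here: the HTTP-style challenge path, the HMAC key standing in for the CA's private key, and the domain example.test.

```python
import hashlib
import hmac
import secrets

# Constructed stand-ins: an HMAC key plays the CA's private key so the example runs
# on the standard library alone; real ACME uses asymmetric signatures.
CA_NAME = "Example CA"
CA_SIGNING_KEY = b"constructed-ca-secret"
CHALLENGE_PATH = "/.well-known/acme-challenge/"  # assumed HTTP-style challenge path

def key_authorization(token, public_key):
    # Binds the CA's token to the requesting key, so the token alone proves nothing.
    return f"{token}.{hashlib.sha256(public_key).hexdigest()}"

class CertificateAuthority:
    def __init__(self, vantage_points):
        # Each vantage point is a callable (domain, path) -> body seen from there.
        self.vantage_points = vantage_points
        self.pending = {}  # domain -> (public key, challenge token)

    def new_order(self, domain, public_key):
        token = secrets.token_urlsafe(16)  # the challenge token sent to the client
        self.pending[domain] = (public_key, token)
        return token

    def validate(self, domain):
        public_key, token = self.pending.pop(domain)
        expected = key_authorization(token, public_key)
        seen = [vp(domain, CHALLENGE_PATH + token) for vp in self.vantage_points]
        # Every vantage point must see the correct answer; a single observer on an
        # intercepted path cannot carry the validation by itself.
        if any(body != expected for body in seen):
            return None
        tbs = f"{domain}|{public_key.hex()}|{CA_NAME}".encode()  # fields to be signed
        return {"subject": domain, "subject_public_key": public_key, "issuer": CA_NAME,
                "signature": hmac.new(CA_SIGNING_KEY, tbs, hashlib.sha256).hexdigest()}

def request_certificate(ca, domain, public_key, served):
    # Client side: obtain the token, publish the key authorization, notify the CA.
    token = ca.new_order(domain, public_key)
    served[CHALLENGE_PATH + token] = key_authorization(token, public_key)
    return ca.validate(domain)

def run_issuance(spoof_one_path=False):
    served = {}  # path -> body returned by the site's HTTPS server
    honest = lambda domain, path: served.get(path)
    spoofed = lambda domain, path: "attacker-controlled-body"  # one intercepted path
    ca = CertificateAuthority([honest, honest, spoofed if spoof_one_path else honest])
    return request_certificate(ca, "example.test", secrets.token_bytes(32), served)
```

`run_issuance()` returns the signed certificate fields when all vantage points agree, and `None` when even one of them sees a different body.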