Let's Encrypt!

Transcript

1. Let’s encrypt! A brief introduction

2. What Certificate Authority that provides TLS certificates

3. What Certificate Authority that provides TLS certificates - Free of

   charge

4. What Certificate Authority that provides TLS certificates - Free of

   charge - No human interaction required

5. Why HTTPS? • Security

6. Why HTTPS? • Security • HTTP/2

7. How does HTTPS work

8. User Agent (browser) HTTPS server

9. Owned by the site administrator Private key Public key Domain

   User Agent (browser) HTTPS server

10. Owned by the site administrator Private key Public key Certificate

    Domain Subject Subject public key Issuer Signature User Agent (browser) HTTPS server

11. Owned by the CA Owned by the site administrator Private

    key Public key Certificate Domain Subject Subject public key Issuer Signature Private key Public key User Agent (browser) HTTPS server

12. Owned by the CA Owned by the site administrator Private

    key Public key Certificate Domain Subject Subject public key Issuer Signature Certificate Subject Subject public key Issuer Signature Private key Public key User Agent (browser) HTTPS server

13. Owned by the CA Owned by the site administrator Private

    key Public key Certificate Domain Subject Subject public key Issuer Signature Certificate Subject Subject public key Issuer Signature Private key Public key User Agent (browser) HTTPS server Ow C Su Su ke Is Si Pr Pu

14. Owned by the CA Owned by the site administrator Private

    key Public key Certificate Domain Subject Subject public key Issuer Signature Certificate Subject Subject public key Issuer Signature Private key Public key User Agent (browser) HTTPS server

15. Owned by the CA Owned by the site administrator Private

    key Public key Certificate Domain Subject Subject public key Issuer Signature Certificate Subject Subject public key Issuer Signature Private key Public key User Agent (browser) HTTPS server

16. Owned by the CA Owned by the site administrator Private

    key Public key Certificate Domain Subject Subject public key Issuer Signature Certificate Subject Subject public key Issuer Signature Private key Public key User Agent (browser) HTTPS server

17. ACME protocol

18. Client sends a request to the certificate authority with: -

    Domain name to validate - Public key - Validation method

19. Client sends a request to the certificate authority with: -

    Domain name to validate - Public key - Validation method Certificate Authority replies with a challenge token

20. Client sends a request to the certificate authority with: -

    Domain name to validate - Public key - Validation method Certificate Authority replies with a challenge token Client sets up the validation method with the given token

21. Client sends a request to the certificate authority with: -

    Domain name to validate - Public key - Validation method Certificate Authority replies with a challenge token Client sets up the validation method with the given token Client notifies the authority

22. Client sends a request to the certificate authority with: -

    Domain name to validate - Public key - Validation method Certificate Authority replies with a challenge token Client sets up the validation method with the given token Client notifies the authority Certificate Authority validates the domain name

23. Client sends a request to the certificate authority with: -

    Domain name to validate - Public key - Validation method Certificate Authority replies with a challenge token Client sets up the validation method with the given token Client notifies the authority Certificate Authority validates the domain name If successful, sends back a certificate to the client for the validated domain

24. Validation methods

25. Validation methods - Simple HTTP request

26. Validation methods - Simple HTTP request - DNS

27. Validation methods - Simple HTTP request - DNS - Some

    other stuff, check the spec

28. Tools

29. Drawbacks

30. FAQ

31. FAQ • Wildcard certificate support? ◦ Validation is a bit

    harder, not supported by the spec yet. • Mitigation against MITM in the validation step? ◦ ACME spec recommends checking the connection from multiple vantage points to reduce this risk • nginx support? ◦ Currently in experimental phase