Let's Encrypt!

A brief introduction to Let's Encrypt, by Hugo Peixoto

Porto Codes

April 20, 2016

Transcript

  1. Let’s encrypt! A brief introduction

  2-4. What
    Certificate Authority that provides TLS certificates
    - Free of charge
    - No human interaction required

  5-6. Why HTTPS?
    • Security
    • HTTP/2


  7. How does HTTPS work?

  8. (diagram) User Agent (browser) <-> HTTPS server

  9-16. (diagram, built up over several slides)
    Owned by the site administrator: private key, public key, domain.
    Site certificate: Subject (the domain), Subject public key, Issuer, Signature.
    Owned by the CA: private key, public key.
    CA certificate: Subject, Subject public key, Issuer, Signature.
    User Agent (browser) <-> HTTPS server

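The relationship in the diagram above, as an added example that is not part of the original talk: a CA key pair signs a certificate binding the site's public key to its domain (Subject, Subject public key, Issuer, Signature), and the user agent verifies that certificate against the CA certificate it trusts. This is Go with only the standard library; the CA name "Example Root CA", the domain example.test and the 24-hour validity are assumed values chosen for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// keyPair is a private key plus the certificate carrying its public key:
// the "private key / public key / certificate" boxes from the slides.
type keyPair struct {
	key  *ecdsa.PrivateKey
	cert *x509.Certificate
}

// newKey generates a P-256 key; used for both the CA and the site.
func newKey() (*ecdsa.PrivateKey, error) {
	return ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
}

// newCA builds the certificate authority: a key pair and a self-signed
// certificate (Subject == Issuer) of the kind a browser keeps in its trust store.
func newCA(name string) (*keyPair, error) {
	key, err := newKey()
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour), // assumed validity
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	return &keyPair{key: key, cert: cert}, nil
}

// issueLeaf is the CA's step after domain validation: sign a certificate that
// binds the site's public key to the domain. Only the site's public key is
// embedded; the CA signs with its own private key, which the site never sees.
func issueLeaf(ca *keyPair, domain string, sitePub *ecdsa.PublicKey) (*x509.Certificate, error) {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: domain},
		DNSNames:     []string{domain}, // clients match the host against SANs, not the CN
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca.cert, sitePub, ca.key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// verifyLeaf is the user agent's step: check the Issuer signature against the
// trusted CA and check that the certificate was issued for the host being visited.
func verifyLeaf(leaf, trusted *x509.Certificate, host string) error {
	roots := x509.NewCertPool()
	roots.AddCert(trusted)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	return err
}

func main() {
	ca, err := newCA("Example Root CA") // assumed CA name
	if err != nil {
		panic(err)
	}
	siteKey, _ := newKey() // owned by the site administrator
	leaf, err := issueLeaf(ca, "example.test", &siteKey.PublicKey)
	if err != nil {
		panic(err)
	}
	fmt.Println("right host, trusted CA:", verifyLeaf(leaf, ca.cert, "example.test"))
	fmt.Println("wrong host:", verifyLeaf(leaf, ca.cert, "other.test"))
	rogue, _ := newCA("Rogue CA") // a CA the browser does not trust
	fmt.Println("untrusted issuer:", verifyLeaf(leaf, rogue.cert, "example.test"))
}
```

The browser's check has two independent parts, and the last two calls make each fail on its own: a certificate for the wrong name is rejected even though its signature is good, and a certificate signed by a CA outside the trust store is rejected even though the name matches.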
  17. ACME protocol

  18-23. Client sends a request to the certificate authority with:
    - Domain name to validate
    - Public key
    - Validation method
    Certificate Authority replies with a challenge token.
    Client sets up the validation method with the given token.
    Client notifies the authority.
    Certificate Authority validates the domain name.
    If successful, sends back a certificate to the client for the validated domain.

  24-27. Validation methods
    - Simple HTTP request
    - DNS
    - Some other stuff, check the spec

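The challenge exchange from slides 18-23 and the two validation methods from slides 24-27, as an added example that is not the project's own code. It follows the ACME "simple HTTP request" method (http-01 in the spec): the CA issues a random token, the client publishes token plus a thumbprint of its account key at /.well-known/acme-challenge/<token>, and the CA fetches that URL and compares. The DNS method publishes a hash of the same value as a TXT record at _acme-challenge.<domain>; that value is computed here but no DNS lookup is performed. Go standard library only; the in-process test server stands in for the site's web server, and the account key, token and server address are generated or assumed for the example. The issuance step that follows a successful validation is not repeated here.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"strings"
)

// b64 is the unpadded base64url encoding used throughout ACME.
func b64(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// newAccountKey generates the client key whose public half goes to the CA with the request.
func newAccountKey() (*ecdsa.PrivateKey, error) {
	return ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
}

// jwkThumbprint is the RFC 7638 thumbprint of a P-256 public key: SHA-256 over the
// JWK's required members, keys in lexicographic order, no whitespace. Struct fields
// marshal in declared order, which is already sorted here.
func jwkThumbprint(pub *ecdsa.PublicKey) string {
	jwk := struct {
		Crv string `json:"crv"`
		Kty string `json:"kty"`
		X   string `json:"x"`
		Y   string `json:"y"`
	}{"P-256", "EC", b64(pub.X.FillBytes(make([]byte, 32))), b64(pub.Y.FillBytes(make([]byte, 32)))}
	raw, _ := json.Marshal(jwk) // a struct of strings cannot fail to marshal
	sum := sha256.Sum256(raw)
	return b64(sum[:])
}

// keyAuthorization is what the client publishes: the CA's token joined to the
// account-key thumbprint, so only the holder of the requesting key can answer.
func keyAuthorization(token string, pub *ecdsa.PublicKey) string {
	return token + "." + jwkThumbprint(pub)
}

// dnsChallengeValue is the TXT record for the DNS method at _acme-challenge.<domain>:
// base64url(SHA-256(keyAuthorization)).
func dnsChallengeValue(keyAuth string) string {
	sum := sha256.Sum256([]byte(keyAuth))
	return b64(sum[:])
}

// newToken is the CA's random challenge token (128 bits of entropy).
func newToken() string {
	var b [16]byte
	if _, err := rand.Read(b[:]); err != nil {
		panic(err)
	}
	return b64(b[:])
}

// challengeServer stands in for the site's web server (assumed for the example) and
// publishes the key authorization at the well-known path the CA fetches over plain HTTP.
func challengeServer(token, keyAuth string) *httptest.Server {
	mux := http.NewServeMux()
	mux.HandleFunc("/.well-known/acme-challenge/"+token, func(w http.ResponseWriter, r *http.Request) {
		io.WriteString(w, keyAuth)
	})
	return httptest.NewServer(mux)
}

// validateHTTP01 is the CA's side: fetch the well-known URL on the claimed domain and
// compare the body with the key authorization the CA recomputes from its own token and
// the account key in the request. baseURL stands in for http://<domain> so this runs offline.
func validateHTTP01(baseURL, token string, accountPub *ecdsa.PublicKey) error {
	resp, err := http.Get(baseURL + "/.well-known/acme-challenge/" + token)
	if err != nil {
		return err
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
		return fmt.Errorf("challenge fetch returned status %d", resp.StatusCode)
	}
	body, err := io.ReadAll(io.LimitReader(resp.Body, 4096))
	if err != nil {
		return err
	}
	if got, want := strings.TrimSpace(string(body)), keyAuthorization(token, accountPub); got != want {
		return fmt.Errorf("key authorization mismatch: got %q", got)
	}
	return nil
}

func main() {
	account, _ := newAccountKey()
	token := newToken() // CA replies with a challenge token
	keyAuth := keyAuthorization(token, &account.PublicKey)
	srv := challengeServer(token, keyAuth) // client sets up the validation method
	defer srv.Close()
	fmt.Println("http-01:", validateHTTP01(srv.URL, token, &account.PublicKey)) // CA validates
	fmt.Println("dns-01 TXT:", dnsChallengeValue(keyAuth))
}
```

The point of binding the token to the account key is that a response is only valid for the key that asked for the challenge: a second client presenting the same token with a different key is rejected, and an unpublished token simply returns 404. The CA trusts nothing the client tells it about the result; it fetches and compares itself, which is also why the spec's suggestion of checking from multiple vantage points matters, since a single fetch is what an on-path attacker would try to intercept.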
  28. Tools

  29. Drawbacks

  30-31. FAQ
    • Wildcard certificate support?
      ◦ Validation is a bit harder, not supported by the spec yet.
    • Mitigation against MITM in the validation step?
      ◦ ACME spec recommends checking the connection from multiple vantage points to reduce this risk.
    • nginx support?
      ◦ Currently in experimental phase.