The objective of Let’s Encrypt and the ACME protocol is to make it possible to set up an HTTPS server and have it automatically obtain a browser-trusted certificate, without any human intervention. This is accomplished by running a certificate management agent on the web server.

To understand how the technology works, let’s walk through the process of setting up a site with a certificate management agent that supports Let’s Encrypt. First, the agent proves to the CA that the web server controls a domain. Then, the agent can request, renew, and revoke certificates for that domain.

Let’s Encrypt identifies the server administrator by public key. The first time the agent software interacts with Let’s Encrypt, it generates a new key pair and proves to the Let’s Encrypt CA that the server controls one or more domains. This is similar to the traditional CA process of creating an account and adding domains to that account.

To kick off the process, the agent asks the Let’s Encrypt CA what it needs to do in order to prove that it controls the domain. The Let’s Encrypt CA will look at the domain name being requested and issue one or more sets of challenges. These are different ways that the agent can prove control of the domain. For example, one of the choices the CA might give the agent is provisioning an HTTP resource under a well-known URI on the domain’s web server.

Along with the challenges, the Let’s Encrypt CA also provides a nonce that the agent must sign with its private key to prove that it controls the key pair. If the signature over the nonce is valid, and the challenges check out, then the agent identified by the public key is authorized to do certificate management for the domain. We call the key pair the agent used an “authorized key pair” for that domain.

Once the agent has an authorized key pair, requesting, renewing, and revoking certificates is simple: just send certificate management messages and sign them with the authorized key pair.

To obtain a certificate for the domain, the agent constructs a PKCS#10 Certificate Signing Request that asks the Let’s Encrypt CA to issue a certificate for the domain with a specified public key. As usual, the CSR includes a signature by the private key corresponding to the public key in the CSR. The agent also signs the whole CSR with the authorized key for the domain so that the Let’s Encrypt CA knows it’s authorized. When the Let’s Encrypt CA receives the request, it verifies both signatures.
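The two-signature check described above, as an added example written for this page (not Let’s Encrypt’s own code): the agent signs the CSR inside with the certificate key and outside with the account key, and the CA side rejects the request if either signature fails or the account key is not authorized for the requested name. The domain `example.com` and the function names are constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
)

// agentRequest builds the PKCS#10 CSR for domain. x509.CreateCertificateRequest adds the inner
// signature with certKey; the whole DER CSR is then signed with the account (authorized) key.
func agentRequest(domain string, certKey, accountKey *ecdsa.PrivateKey) (csrDER, outerSig []byte, err error) {
	tmpl := &x509.CertificateRequest{Subject: pkix.Name{CommonName: domain}, DNSNames: []string{domain}}
	if csrDER, err = x509.CreateCertificateRequest(rand.Reader, tmpl, certKey); err != nil {
		return nil, nil, err
	}
	digest := sha256.Sum256(csrDER)
	outerSig, err = ecdsa.SignASN1(rand.Reader, accountKey, digest[:])
	return csrDER, outerSig, err
}

// caVerify is the CA side: inner signature proves possession of the certificate key, outer signature
// proves the request came from authKey, and authKey must be authorized for exactly the name requested.
func caVerify(csrDER, outerSig []byte, authKey *ecdsa.PublicKey, authDomain string) error {
	csr, err := x509.ParseCertificateRequest(csrDER)
	if err != nil {
		return err
	}
	if err := csr.CheckSignature(); err != nil {
		return fmt.Errorf("inner CSR signature invalid: %w", err)
	}
	digest := sha256.Sum256(csrDER)
	if !ecdsa.VerifyASN1(authKey, digest[:], outerSig) {
		return fmt.Errorf("outer signature not made by the authorized key")
	}
	if len(csr.DNSNames) != 1 || csr.DNSNames[0] != authDomain {
		return fmt.Errorf("key is not authorized for names %v", csr.DNSNames)
	}
	return nil
}

func main() {
	account, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // constructed sample keys
	certKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	csr, sig, _ := agentRequest("example.com", certKey, account) // constructed sample domain
	fmt.Println("valid request:", caVerify(csr, sig, &account.PublicKey, "example.com"))
}
```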
Archives: June 2023