How Does a Nonprofit Certificate Authority (Let's Encrypt) Provide TLS Certificates to 300 Million Websites

2023-09-22

The objective of Let’s Encrypt and the ACME protocol is to make it possible to set up an HTTPS server and have it automatically obtain a browser-trusted certificate, without any human intervention. This is accomplished by running a certificate management agent on the web server.

Let’s Encrypt validates domain ownership using challenges:

Server Administrator Identification:

  1. Let’s Encrypt identifies the server administrator through a public key.
  2. When the agent software first interacts with Let’s Encrypt, it generates a new key pair and demonstrates control over one or more domains.

Challenge Issuance:

  1. To begin the validation process, the agent queries Let’s Encrypt about the steps required to prove control over a specific domain (e.g., oluchiorji.com).
  2. Let’s Encrypt responds by issuing one or more sets of challenges, which are methods for proving domain control.
    Examples of challenges include provisioning a DNS record under the domain or creating an HTTP resource at a well-known URI on the domain (http://oluchiorji.com/).

Nonce and Key Pair Verification:

  1. Alongside the challenges, Let’s Encrypt provides a nonce that the agent must sign with its private key to demonstrate control of the key pair.

Completing Challenges:

  1. The agent software fulfills one of the challenge sets, such as creating a file on a specified path on the domain’s website.
  2. The agent also signs the provided nonce with its private key.

Validation Notification:

Once the agent successfully completes the challenges, it informs Let’s Encrypt that it is ready to finalize the validation process.

CA Verification

Let’s Encrypt’s CA validates the challenges by:

  1. Verifying the signature on the nonce to confirm that the agent controls the private key.
  2. Attempting to download the file from the web server and verifying that its content matches expectations.

This process ensures that the server administrator has control over the domain, establishing trust and enabling Let’s Encrypt to issue SSL/TLS certificates for secure communication.
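The file check in step 2 above, sketched as an added example (not code from Let’s Encrypt or from the original post). It goes beyond the summary on this page by using the HTTP-01 format from RFC 8555, where the file body is the token joined to the RFC 7638 thumbprint of the account public key, so a file published for one account does not validate for another; it does not cover the nonce signature. The function names, the in-memory `webroot` dict, and the sample key and token are constructed for illustration.

```python
import base64
import hashlib
import json

WELL_KNOWN_PREFIX = "/.well-known/acme-challenge/"  # HTTP-01 path from RFC 8555

def b64url(data: bytes) -> str:
    """Unpadded base64url, the encoding ACME uses for binary values."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638: SHA-256 over the required members only, sorted, no whitespace."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required}, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())

def key_authorization(token: str, account_jwk: dict) -> str:
    """Expected file content: the CA's token bound to the account public key."""
    return f"{token}.{jwk_thumbprint(account_jwk)}"

def provision(webroot: dict, token: str, account_jwk: dict) -> None:
    """Agent side: publish the response (webroot is a stand-in mapping path -> body)."""
    webroot[WELL_KNOWN_PREFIX + token] = key_authorization(token, account_jwk)

def ca_validate(fetch, token: str, account_jwk: dict) -> bool:
    """CA side: fetch the resource and compare it with the value the CA computes itself.
    Trailing whitespace in the body is ignored, as RFC 8555 recommends."""
    body = fetch(WELL_KNOWN_PREFIX + token)
    return body is not None and body.rstrip() == key_authorization(token, account_jwk)

# Constructed sample data: placeholder values, not a real key or a real CA token.
ACCOUNT_JWK = {"kty": "EC", "crv": "P-256", "x": "Y29uc3RydWN0ZWQteA", "y": "Y29uc3RydWN0ZWQteQ", "kid": "ignored"}
OTHER_JWK = dict(ACCOUNT_JWK, x="YW5vdGhlci1rZXk")
TOKEN = "constructed-token-123"

def demo() -> dict:
    webroot = {}
    provision(webroot, TOKEN, ACCOUNT_JWK)
    results = {
        "owner": ca_validate(webroot.get, TOKEN, ACCOUNT_JWK),
        "other_account": ca_validate(webroot.get, TOKEN, OTHER_JWK),
        "missing_file": ca_validate({}.get, TOKEN, ACCOUNT_JWK),
    }
    webroot[WELL_KNOWN_PREFIX + TOKEN] += "\n"  # editors often append a newline
    results["trailing_newline"] = ca_validate(webroot.get, TOKEN, ACCOUNT_JWK)
    webroot[WELL_KNOWN_PREFIX + TOKEN] = TOKEN  # token alone proves nothing about the key
    results["token_only"] = ca_validate(webroot.get, TOKEN, ACCOUNT_JWK)
    return results

if __name__ == "__main__":
    print(demo())
```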

Certificate Issuance

Once the agent has an authorized key pair, requesting, renewing, and revoking certificates is easy.

To obtain a certificate, the agent creates a PKCS#10 Certificate Signing Request (CSR).

A PKCS#10 Certificate Signing Request (CSR) is a standardized format for requesting the issuance of a digital certificate, typically an SSL/TLS certificate, from a Certificate Authority (CA) or a Certificate Signing Authority. A CSR contains essential information about the entity or individual requesting the certificate and the public key that will be included in the certificate. Here are the key components and details typically found in a PKCS#10 CSR:

Subject Information: This includes details about the entity or individual for whom the certificate is being requested. Common fields include:

- Common Name (CN): The fully qualified domain name (FQDN) of the entity or server (e.g., www.example.com).
- Organization (O): The legal name of the organization.
- Organizational Unit (OU): A specific organizational unit within the organization.
- Locality (L): The locality or city where the entity is located.
- State/Province (ST): The state or province where the entity is located.
- Country (C): The two-letter country code.
- Public Key: The CSR includes the public key that corresponds to the private key held by the entity or server. The CA uses this public key to create the digital certificate.

- Key Algorithm: Specifies the cryptographic algorithm used for the public key (e.g., RSA, ECC).

- Signature Algorithm: Indicates the cryptographic algorithm used to sign the CSR itself (e.g., SHA-256 with RSA).

- Extensions: Optional additional information or extensions that may be included in the CSR, such as subject alternative names (SANs) that allow a single certificate to cover multiple domains or hostnames.

- A Unique Identifier (Optional): Some CAs may require or allow the inclusion of a unique identifier for the CSR.

- Signature: The CSR is signed with the private key corresponding to the public key included in the request. This signature ensures the authenticity and integrity of the CSR.

A PKCS#10 Certificate Signing Request (CSR) can be created from the command line with various tools; a common one is OpenSSL. In the commands below, replace <my-server> (including the angle brackets) with your own file name.

  1. Generate a Private Key:

    openssl genpkey -algorithm RSA -out <my-server>.key

  2. Create a CSR:

    openssl req -new -key <my-server>.key -out <my-server>.csr

  3. Review and Verify the CSR:

    openssl req -in <my-server>.csr -noout -text