ACME and mod_md: tls certificates made easy

  1. TLS made easy: ACME and mod_md. Giovanni Bechis, Apache Httpd PMC
  2. SSL, TLS and HTTPS • SSL is short for Secure Sockets Layer. It was released in 1995 and deprecated in 2015 (RFC 7568) in favor of TLS. • TLS is short for Transport Layer Security and is the successor of SSL. • HTTPS is short for Hypertext Transfer Protocol Secure; it is also called "HTTP over TLS" or, historically, "HTTP over SSL".
  3. HTTPS certificates • DV - Domain Validated certificates • OV - Organization Validated certificates • EV - Extended Validation certificates. The three differ only in what the CA verifies about the requester before issuing, not in the strength of the TLS session; ACME CAs such as Let's Encrypt issue DV certificates only.
  4. HTTPS certificates, the manual way • Choose a Certificate Authority • Select the certificate you need • Purchase the certificate • Generate a private key and a CSR (Certificate Signing Request) and submit the CSR to the CA • Download the certificate from the CA website and install it • Remember to renew the cert, which means repeating all of the above before it expires
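The "generate a CSR" step of that manual process with openssl(1), as an added example (it is not part of the talk). The domain names, the key size and the output directory are illustrative; the key is RSA 2048 to match the MDPrivateKeys default shown later in the talk.

```shell
#!/bin/sh
# Added example, not from the talk: create a private key and a CSR for a
# manual certificate order. Domain, key size and output paths are assumptions.
set -eu

# gen_csr DOMAIN OUTDIR
# Writes OUTDIR/DOMAIN.key (RSA 2048, unencrypted) and OUTDIR/DOMAIN.csr.
# The name goes into the CSR both as CN and as subjectAltName: browsers and
# CAs match on the SAN list, the CN alone is no longer sufficient.
gen_csr() {
    domain=$1
    outdir=$2
    key="$outdir/$domain.key"
    csr="$outdir/$domain.csr"
    umask 077   # the key file must never be world-readable
    openssl req -new -newkey rsa:2048 -nodes \
        -keyout "$key" -out "$csr" \
        -subj "/CN=$domain" \
        -addext "subjectAltName=DNS:$domain,DNS:www.$domain" 2>/dev/null
    # Check the request's self-signature before sending it anywhere.
    openssl req -in "$csr" -noout -verify >/dev/null 2>&1
}

# csr_sans CSRFILE: print the SAN line of a CSR as "DNS:a,DNS:b", a last
# check that the names you are about to pay for are the ones you meant.
csr_sans() {
    openssl req -in "$1" -noout -text \
        | grep -A1 'Subject Alternative Name' | tail -n 1 | tr -d ' '
}

# Usage (illustrative paths):
#   gen_csr example.org /etc/ssl/private
#   csr_sans /etc/ssl/private/example.org.csr
```

The CSR contains no secret and can be pasted into the CA's order form; the .key file stays on the server and is what `SSLCertificateKeyFile` later points at.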
  5. ACME Protocol ACME (Automatic Certificate Management Environment, RFC 8555) is a communications protocol for automating interactions between certificate authorities and their users' web servers: the client proves control of each domain name by answering a challenge (http-01, dns-01 or tls-alpn-01) and the CA issues the certificate without any manual step.
  6. ACME Protocol (diagram)
  7. Let's Encrypt Let's Encrypt is a non-profit certificate authority run by the Internet Security Research Group that provides X.509 certificates for TLS encryption at no charge. It uses the ACME protocol to issue certificates for free and is used by more than 265 million web sites.
  8. ACME clients • Certbot • acme.sh • OpenBSD acme-client(1) • win-acme • Apache httpd(8) mod_md
  9. mod_md features • Certificate request using the ACME protocol • Automatic certificate renewal • Wildcard certificate support • Certificate status monitoring • Notifications when a certificate is close to expiry • OCSP stapling support
  10. mod_md configuration (minimal)

    MDomain domain.tld
    MDCertificateAgreement accepted

    <VirtualHost *:443>
        ServerName domain.tld
        DocumentRoot /var/www/domain.tld
        SSLEngine on
    </VirtualHost>

  No SSLCertificateFile or SSLCertificateKeyFile is needed: mod_md obtains the certificate for every name listed in MDomain and hands it to mod_ssl.
  11. mod_md store (MDStoreDir, "md" below ServerRoot by default)

    $ ls /var/www/md
    accounts archive challenges domains httpd.json md_store.json ocsp staging tmp

  The store holds the ACME account key and the domains' private keys, so keep the permissions mod_md creates it with and do not expose it through any DocumentRoot.
  12. mod_md wildcard certificates To deploy wildcard certificates, the ACME protocol only allows the dns-01 challenge, which asks you to create a TXT record named _acme-challenge.<domain> in DNS; http-01 cannot validate a wildcard. mod_md delegates the DNS change to an external command: MDChallengeDns01 /usr/bin/acme-setup-dns
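What such an MDChallengeDns01 command has to do, as an added example (this is not mod_md's own code nor the script from the talk). mod_md documents the calling convention as `<script> setup <domain> <value>` before validation and `<script> teardown <domain>` afterwards; verify that against the mod_md version you run. The example publishes the record through nsupdate(1), i.e. an RFC 2136 dynamic update; the name server, zone, TSIG key path and TTL are assumptions to replace with your own.

```shell
#!/bin/sh
# Added example, not from the talk and not mod_md's code: MDChallengeDns01
# handler that creates/removes the dns-01 TXT record with nsupdate(1).
# Invoked by mod_md as:  setup <domain> <value>   |   teardown <domain>
# NS_SERVER, ZONE, TSIG_KEY and TTL are placeholder assumptions.
set -eu

NS_SERVER=ns1.domain.tld
ZONE=domain.tld
TSIG_KEY=/etc/httpd/acme-tsig.key
TTL=60

# challenge_name DOMAIN: the owner name the CA queries. A wildcard identifier
# *.domain.tld is validated at _acme-challenge.domain.tld, so a leading "*."
# is stripped; the trailing dot makes the name absolute for nsupdate.
challenge_name() {
    printf '_acme-challenge.%s.\n' "${1#\*.}"
}

# check_domain DOMAIN: only httpd calls this script, but refuse anything that
# is not a hostname so a stray argument can never become an nsupdate command.
check_domain() {
    case $1 in
        *[!A-Za-z0-9.*-]*|''|.*) echo "bad domain: $1" >&2; return 1 ;;
    esac
}

# update_batch setup|teardown DOMAIN [VALUE]: print the nsupdate batch.
# "update delete NAME TXT" removes every TXT record at that name, which is
# what we want after validation.
update_batch() {
    name=$(challenge_name "$2")
    printf 'server %s\nzone %s\n' "$NS_SERVER" "$ZONE"
    case $1 in
        setup)    printf 'update add %s %s IN TXT "%s"\n' "$name" "$TTL" "$3" ;;
        teardown) printf 'update delete %s TXT\n' "$name" ;;
        *) echo "usage: $0 setup <domain> <value> | teardown <domain>" >&2; return 2 ;;
    esac
    printf 'send\n'
}

# main: apply the update, then for setup poll the authoritative server (not a
# recursive resolver) until the record is visible, so the CA does not query
# too early. Kept in a function so the helpers can be tested without DNS.
main() {
    check_domain "${2:-}"
    update_batch "$1" "$2" "${3:-}" | nsupdate -k "$TSIG_KEY"
    if [ "$1" = setup ]; then
        n=0
        until [ "$n" -ge 30 ] || dig +short @"$NS_SERVER" TXT "$(challenge_name "$2")" | grep -q -- "$3"; do
            n=$((n + 1)); sleep 2
        done
    fi
}

[ $# -eq 0 ] || main "$@"
```

The TSIG key should be allowed to update only `_acme-challenge` names (BIND's `update-policy` with `grant ... name _acme-challenge.domain.tld TXT`), so a compromise of the web server cannot rewrite the rest of the zone.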
  13. mod_md features ● MDRequireHttps Off|Temporary|Permanent (redirect http:// to https://; temporary uses 302, permanent uses 301 and adds a Strict-Transport-Security header) ● MDRenewWindow 33% (start renewing when a third of the certificate lifetime is left) ● MDWarnWindow 10% (warn when a tenth of the lifetime is left and renewal still has not happened) ● MDPrivateKeys RSA 2048 ● MDContactEmail email@domain.tld (the address registered with the CA) ● MDStapleOthers On|Off (also staple for certificates that mod_md does not manage)
  14. OCSP Stapling MDStapling on moves OCSP stapling from mod_ssl to mod_md, which fetches responses in the background and keeps them in the store's ocsp directory, so no client request ever waits for an OCSP query. MDStapling off (the default) leaves stapling to mod_ssl's SSLUseStapling.
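The directives from the last slides combined into one working configuration, as an added example (not a configuration from the talk). Domain, e-mail address, module paths and the MDMessageCmd script path are placeholders; mod_watchdog is loaded because mod_md's renewal runs from it.

```apache
# Added example, not from the talk: a complete mod_md configuration.
# Domain, address and paths are placeholders. httpd does not accept
# trailing comments, so every comment sits on its own line.
LoadModule watchdog_module modules/mod_watchdog.so
LoadModule ssl_module modules/mod_ssl.so
LoadModule md_module modules/mod_md.so

# Accept the CA's terms of service and register an address for its
# expiry and incident mail. The default CA is Let's Encrypt.
MDCertificateAgreement accepted
MDContactEmail hostmaster@domain.tld
MDPrivateKeys RSA 2048

# With 90-day certificates: start renewing at about day 60 and, if that
# still has not succeeded, raise an "expiring" message at day 81.
MDRenewWindow 33%
MDWarnWindow 10%

# mod_md fetches OCSP responses in the background instead of mod_ssl.
MDStapling on

# 301 to https:// plus HSTS. Browsers cache HSTS, so begin with
# "temporary" and switch to "permanent" once the setup is known good.
MDRequireHttps permanent

MDMessageCmd /usr/local/bin/md-message

MDomain domain.tld www.domain.tld

# Port 80 must stay reachable: mod_md answers the http-01 challenge here
# and the MDRequireHttps redirect is served from here.
<VirtualHost *:80>
    ServerName domain.tld
    ServerAlias www.domain.tld
</VirtualHost>

<VirtualHost *:443>
    ServerName domain.tld
    ServerAlias www.domain.tld
    DocumentRoot /var/www/domain.tld
    SSLEngine on
</VirtualHost>
# No SSLCertificateFile/SSLCertificateKeyFile: mod_md hands mod_ssl the
# certificate it obtained for the MDomain names.
```

After a reload, the first certificate is requested in the background; until it arrives mod_md serves a temporary self-signed one, so do not point monitoring at the site before `/.httpd/certificate-status` reports real validity dates.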
  15. mod_md monitoring

    $ curl https://dom.tld/.httpd/certificate-status
    {
      "valid": {
        "from": "Sun, 16 May 2021 14:47:06 GMT",
        "until": "Sat, 14 Aug 2021 14:47:06 GMT"
      },
      ...

  16. mod_md monitoring: renewal progress as reported in mod_md's status output

    {
      "when": "Wed, 19 Jun 2019 14:45:58 GMT",
      "type": "progress",
      "detail": "Retrieving certificate chain for test-901-003-1560955549.org"
    },{
      "when": "Wed, 19 Jun 2019 14:45:58 GMT",
      "type": "progress",
      "detail": "Waiting for finalized order to become valid"
    }
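An external probe against that certificate-status endpoint, as an added example (not from the talk): a monitoring system should notice a silently failing renewal even if httpd never gets to mail anybody. The sample JSON is constructed to match the slide; the host name and the threshold are placeholders, and GNU date(1) is assumed for parsing the RFC 2822 timestamps.

```shell
#!/bin/sh
# Added example, not from the talk: check the remaining lifetime reported by
# mod_md's /.httpd/certificate-status. Assumes GNU date(1); host and
# threshold are placeholders.
set -eu

# status_until JSON: the "until" value of the top-level "valid" object. The
# first occurrence is the certificate currently served (a staged renewal may
# carry its own "valid" block further down), so take the first match only.
status_until() {
    printf '%s' "$1" | tr -d '\n' \
        | grep -o '"until": *"[^"]*"' | head -n 1 \
        | sed 's/^"until": *"//; s/"$//'
}

# days_left DATE NOW_EPOCH: whole days from NOW_EPOCH until DATE (negative
# once the certificate has expired).
days_left() {
    until_epoch=$(date -u -d "$1" +%s)
    echo $(( (until_epoch - $2) / 86400 ))
}

# check_status JSON NOW_EPOCH WARN_DAYS: 0 if more than WARN_DAYS remain,
# 1 otherwise, with a one-line Nagios-style message. A threshold slightly
# above MDWarnWindow (9 days for a 90-day cert at 10%) catches the case
# where mod_md's own warning never went out.
check_status() {
    left=$(days_left "$(status_until "$1")" "$2")
    if [ "$left" -gt "$3" ]; then
        echo "OK: certificate valid for $left more days"
    else
        echo "WARNING: certificate expires in $left days, renewal may be failing"
        return 1
    fi
}

# Constructed sample in the shape shown on the slide (a 90-day certificate).
SAMPLE='{ "valid": { "from": "Sun, 16 May 2021 14:47:06 GMT",
  "until": "Sat, 14 Aug 2021 14:47:06 GMT" }, "serial": "01" }'

# Real use from cron or a monitoring agent:
#   check_status "$(curl -fsS https://dom.tld/.httpd/certificate-status)" "$(date +%s)" 10
```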
  17. mod_md monitoring: push notifications. MDNotifyCmd is the older hook, run only when a certificate has been renewed; MDMessageCmd is the general one, invoked with a reason (renewed, installed, expiring, errored, ocsp-renewed, ocsp-errored) and the domain.

    MDNotifyCmd /usr/local/bin/md-notify
    MDMessageCmd /usr/local/bin/md-message
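A handler for MDMessageCmd, as an added example (not the script from the talk and not mod_md's code). The reason strings follow mod_md's documentation for the hook; check them against the version you run. Log path, flag-file path and the mail recipient are placeholders. The "renewed" event does not reload httpd from inside the hook: the command runs with the privileges of the httpd worker, which cannot restart the server, so it leaves a flag for a privileged cron job or systemd path unit to act on.

```shell
#!/bin/sh
# Added example, not from the talk and not mod_md's code: MDMessageCmd
# handler. Invoked by mod_md as  <cmd> <reason> <domain>.
# LOG, RELOAD_FLAG and ADMIN are placeholder assumptions.
set -eu

LOG=${MD_LOG:-/var/log/md-message.log}
RELOAD_FLAG=${MD_RELOAD_FLAG:-/var/run/httpd-reload-needed}
ADMIN=hostmaster@domain.tld

# log_event REASON DOMAIN: append one timestamped line to the log.
log_event() {
    printf '%s %s %s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$1" "$2" >> "$LOG"
}

# notify SUBJECT BODY: best-effort mail; never let a missing mailer turn an
# informational hook into a failure.
notify() {
    printf '%s\n' "$2" | mail -s "$1" "$ADMIN" 2>/dev/null || true
}

# handle REASON DOMAIN: returns 0 for events that need no human and 1 for
# those that do, so a wrapper can page on the exit status.
handle() {
    reason=$1
    domain=$2
    log_event "$reason" "$domain"
    case $reason in
        renewed)
            # New certificate is staged; httpd serves it only after a graceful
            # reload. Leave a flag for the privileged reload job.
            : > "$RELOAD_FLAG"
            ;;
        installed|ocsp-renewed)
            # Normal operation, already logged.
            ;;
        expiring)
            # Inside MDWarnWindow and still not renewed: renewal is failing.
            notify "[mod_md] $domain expiring, renewal not happening" \
                   "mod_md reported $reason for $domain; check the md-status page and the error log."
            return 1
            ;;
        errored|ocsp-errored)
            notify "[mod_md] $domain: $reason" \
                   "mod_md reported $reason for $domain; check the error log."
            return 1
            ;;
        *)
            echo "unknown reason '$reason' for $domain" >&2
            return 1
            ;;
    esac
}

[ $# -eq 0 ] || handle "$@"
```

The matching reload job is a one-liner: if the flag exists, remove it and run `apachectl graceful`; "installed" then appears in the log and confirms the new certificate is actually being served.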
  18. THANK YOU. QUESTIONS? @_gbechis giovannibechis gbechis@apache.org