Edge 2016: ACME - Let's Encrypt Your Origin

Post on 08-Jan-2017


© AKAMAI - EDGE 2016

ACME – Let's Encrypt Your Origin

Stephen Ludin – Chief Architect, Akamai – BoD, ISRG


A PKI Primer


Our cast of characters

Alice Bob Eve


A little ditty about Alice and Bob

All Alice and Bob want to do is peacefully pass notes in class without interference from Eve.


[Slide: Alice's note "U R Sweet" travels as e1bf4190ce and Bob reads "U R Sweet"; Eve sees only e1bf4190ce: ???]

[Slide: "U R Sweet" now travels as 692ha1ac43 alongside e1bf4190ce, and the note Bob reads says "U Smell"]


We have not solved ANYTHING!


How does Bob know this really IS Alice's public key?


Enter, Carol

Carol's job is simple:

• Get Alice’s public key

• Verify that it really is Alice

• Sign Alice’s public key saying “This really is Alice”

• Give her (Carol’s) public key to Bob


• Free
• Automatic
• Secure
• Transparent
• Open
• Cooperative


TLS Everywhere


Over 10,000,000 active certificates

Over 13,500,000 active domains


Demo


Yes, it's that easy (mostly)


Create Key Pair → Create Signed CSR → Send CSR to CA → Validate → CA Creates/Signs Cert → Install Cert


For many of us…

certbot


Where certbot excels

• A small infrastructure (a single webserver, for example)

• You can run certbot on the machine that needs the key

• You are running a supported webserver

• Designed to be fully automated with little knowledge required


“But, that’s not me!”


(and that’s why you are here)


The Voodoo Behind Let's Encrypt


ACME: Automated Certificate Management Environment


"…a protocol for automating the management of domain-validation certificates, based on a simple JSON-over-HTTPS interface."


REST


Something for Everyone

45 Clients

14 Libraries

10 Languages


Protocol::ACME


A few notes…


Staging versus Production

acme-staging.api.letsencrypt.org: No Rate Limits, "Fake" Root

acme-v01.api.letsencrypt.org: Rate Limits, True Root


JWS / Nonce

Everything is Protected with JWS and Nonces:

    "header": { "alg": "RS256", "jwk": { "e": "AQAB", "kty": "RSA", "n": "<n>" } },
    "payload": <payload>,
    "protected": <protected_header>,
    "signature": <sig>
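The envelope above, assembled as an added Python example (not Protocol::ACME code): the protected header carries the server-issued nonce so the signature covers it, which is what stops a captured request from being replayed. RS256 signing itself is left to a caller-supplied `sign` callable, an assumption made here because the example carries no RSA implementation.

```python
import base64
import json


def b64url(data: bytes) -> str:
    """Base64url without padding, as JWS requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def acme_v1_jws(payload: dict, jwk: dict, nonce: str, sign) -> dict:
    """Build the ACME v1 JWS envelope from the slide.

    `sign` is assumed to compute an RS256 signature over the signing input
    with the private half of `jwk`; it is supplied by the caller.
    `nonce` is the value from the server's Replay-Nonce response header.
    """
    header = {"alg": "RS256", "jwk": jwk}
    # The nonce lives in the protected header so it is part of what is signed.
    protected = dict(header, nonce=nonce)
    protected_b64 = b64url(json.dumps(protected, separators=(",", ":")).encode())
    payload_b64 = b64url(json.dumps(payload, separators=(",", ":")).encode())
    signing_input = f"{protected_b64}.{payload_b64}".encode("ascii")
    return {
        "header": header,
        "protected": protected_b64,
        "payload": payload_b64,
        "signature": b64url(sign(signing_input)),
    }


def decode_protected(jws: dict) -> dict:
    """Server-side view: recover the protected header to check alg and nonce."""
    raw = jws["protected"]
    raw += "=" * (-len(raw) % 4)  # restore padding stripped by base64url
    return json.loads(base64.urlsafe_b64decode(raw))
```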


Account Key – Your ID

$ openssl genrsa -out account_key.pem 2048


Let’s Code


Getting Started

perl:
    my $acme = Protocol::ACME->new( host => $le_host, account_key => $key, mailto => $email );

REST: (no request yet)


directory - Get a list of REST end points

perl:
    $acme->directory();

REST:
    GET https://<host>/directory


reg / new-reg – Look up or register account key

perl:
    $acme->register();

REST:
    POST https://<host>/acme/new-reg
    JWS( mailto: <your email> )


Accept Terms of Service

perl:
    $acme->accept_tos();

REST:
    POST https://<host>/acme/reg/ID
    JWS( "agreement": "<TOS URL>" )


authz – Request a validation challenge

perl:
    $acme->authz( $domain );

REST:
    POST https://<host>/acme/reg/ID
    JWS( identifier: { type => DNS, value => <domain> } )


Challenges

dns-01: Add a specific TXT record to DNS

tls-sni-01: Provision a specific certificate at the domain

http-01: Place a specific object at the domain


Challenges

Protocol::ACME helps with challenge automation:

• Protocol::ACME::Challenge::SimpleSSH

• Protocol::ACME::Challenge::LocalFile

• Protocol::ACME::Challenge::Manual

    my $challenge = Protocol::ACME::Challenge::SimpleSSH->new(
        { ssh_host => <my_host>, www_root => "/opt/local/www/htdocs" } );


Handle Challenges

perl:
    $acme->handle_challenge( $challenge );

REST:
    Follow the instructions to do it by hand


Check challenges

perl:
    $acme->check_challenge();

REST:
    POST https://<host>/<challenge_id>
    JWS( keyAuthorization: token + fingerprint )
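The "token + fingerprint" key authorization above, and the dns-01 and http-01 challenge responses from the Challenges slide, worked as an added Python example (not Protocol::ACME code). The fingerprint is the RFC 7638 thumbprint of the account JWK; the JWK and token used in the checks are constructed sample values, and the final function is a local pre-check of a provisioned http-01 response, not something the protocol itself requires.

```python
import base64
import hashlib
import json


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint of the account key: SHA-256 over the required RSA
    members only (e, kty, n), lexically ordered, with no whitespace.
    Extra members such as kid or alg must not change the result."""
    required = {k: jwk[k] for k in ("e", "kty", "n")}
    canonical = json.dumps(required, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("ascii")).digest())


def key_authorization(token: str, jwk: dict) -> str:
    """The slide's 'token + fingerprint': binds the CA-issued token to the
    account key, so only the holder of that key can answer the challenge."""
    return f"{token}.{jwk_thumbprint(jwk)}"


def http01_path(token: str) -> str:
    """Where the CA fetches the key authorization for http-01."""
    return f"/.well-known/acme-challenge/{token}"


def dns01_txt_value(token: str, jwk: dict) -> str:
    """dns-01 publishes a digest of the key authorization, not the value itself."""
    digest = hashlib.sha256(key_authorization(token, jwk).encode("ascii")).digest()
    return b64url(digest)


def http01_response_is_valid(body: str, token: str, jwk: dict) -> bool:
    """Mirror of what the CA checks when it fetches the http-01 URL. Running
    this against the served file before calling check_challenge() avoids
    failed validations counting against the production rate limits."""
    return body.strip() == key_authorization(token, jwk)
```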


new-cert: Submit the CSR and get the certificate

perl:
    my $cert = $acme->sign( $csr );

REST:
    POST https://<host>/new-cert
    JWS( csr: <DER encoded CSR> )


The whole thing…

    my $acme = Protocol::ACME->new( host => $le_host, account_key => $key, mailto => $email );

    $acme->directory();
    $acme->register();
    $acme->accept_tos();
    $acme->authz( $domain );
    $acme->handle_challenge( $challenge );
    $acme->check_challenge();
    my $cert = $acme->sign( $csr );


Install your Certificate


Renew


Questions?
