IETF approves ACME, the standard for working with SSL certificates

The IETF has approved the Automatic Certificate Management Environment (ACME), a standard that automates obtaining SSL certificates. Here is how it works.

Image: flickr / Cliff Johnson / CC BY-SA

Why was the standard needed?

On average, an administrator spends one to three hours setting up an SSL certificate for a single domain. If a mistake is made, the request has to be rejected before it can be submitted again. All this makes deploying large-scale systems difficult.

The domain validation procedure differs from one certificate authority to another, and this lack of standardization sometimes leads to security problems. In one well-known case, a bug caused a CA to treat every submitted domain as validated. In such situations, SSL certificates can be issued for fraudulent resources.

The IETF-approved ACME protocol (specified in RFC 8555) is meant to automate and standardize the process of obtaining a certificate. Removing the human factor should make domain name validation more reliable and more secure.

The standard is open, and anyone can contribute to its development; instructions are published in the repository on GitHub.

How it works

ACME messages are JSON exchanged over HTTPS. To use the protocol, an ACME client is installed on the target host; the first time it contacts the CA it generates a unique key pair, the account key. From then on the client signs every request it sends to the server with the private key (as a JWS), while the server's responses are protected by the HTTPS connection rather than by this key.

The first message contains the contact information of the domain owner. It is signed with the private key and sent to the server together with the public key. The server verifies the signature and, if it is valid, creates the account, after which the client can order a certificate.

To obtain a certificate, the client must prove to the server that it controls the domain by performing an action that only the domain's controller can perform. For example, the CA generates a unique token and asks the client to publish it; the CA then makes an HTTP or DNS query to retrieve the value derived from that token (the key authorization, which is the token joined with a thumbprint of the account public key).

With HTTP validation (http-01), the key authorization is placed in a file that the web server serves at a well-known path (`/.well-known/acme-challenge/<token>`). With DNS validation (dns-01), the CA looks for a TXT record at `_acme-challenge.<domain>` whose value is the SHA-256 digest of the key authorization, base64url-encoded. If the value matches, the server marks the authorization valid and, once the client submits its CSR and finalizes the order, the CA issues the certificate.
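The account-key and challenge mechanics described in this section, as an added example written for this article (Python; it is not code from the original page or from any ACME client). `SAMPLE_JWK` is a constructed public key whose coordinates are arbitrary base64url strings, all function names are this example's own, and no private key or signing library is involved: the block stops at producing the bytes an account key would sign.

```python
"""ACME account/challenge helpers (RFC 8555 sections 6.2, 6.3, 8.1, 8.3, 8.4; RFC 7638).

Added example for this article; it is not code from the original page or from any
ACME client. SAMPLE_JWK is a constructed public key: the coordinates are arbitrary
base64url strings, so nothing here uses or needs a private key.
"""
from __future__ import annotations

import base64
import hashlib
import json

# Constructed sample account public key in P-256 shape. Only the public members
# enter the thumbprint; "alg" and "use" are present to show that they are ignored.
SAMPLE_JWK = {
    "kty": "EC",
    "crv": "P-256",
    "x": "f83OJ3D2xF1Bg8vub9tLe1gHMzV76e8Tus9uPHvRVEU",
    "y": "x_FEzRu9m36HLN_tue659LNpXW6pCyStikYjKIWI5a0",
    "alg": "ES256",
    "use": "sig",
}

# Members RFC 7638 requires in the thumbprint input, per key type.
_THUMBPRINT_MEMBERS = {"EC": ("crv", "kty", "x", "y"), "RSA": ("e", "kty", "n")}


def b64url(data: bytes) -> str:
    """Base64url without '=' padding, as JOSE and ACME require."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638: SHA-256 of the required public members, serialized as JSON with
    lexicographically sorted keys and no whitespace. Extra members are dropped."""
    members = _THUMBPRINT_MEMBERS[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in members}, separators=(",", ":"), sort_keys=True)
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def key_authorization(token: str, jwk: dict) -> str:
    """token || '.' || thumbprint(account key) (RFC 8555 8.1). The thumbprint ties the
    published value to one account, so copying it does not help another account."""
    return f"{token}.{jwk_thumbprint(jwk)}"


def http01_resource(domain: str, token: str, jwk: dict) -> tuple[str, str]:
    """URL the CA fetches and the exact body it expects for http-01 (8.3)."""
    return f"http://{domain}/.well-known/acme-challenge/{token}", key_authorization(token, jwk)


def dns01_record(domain: str, token: str, jwk: dict) -> tuple[str, str]:
    """TXT owner name and value for dns-01 (8.4). The value is the base64url SHA-256
    of the key authorization, not the key authorization itself."""
    digest = hashlib.sha256(key_authorization(token, jwk).encode("ascii")).digest()
    return f"_acme-challenge.{domain}", b64url(digest)


def validate_http01(fetched_body: str, token: str, jwk: dict) -> bool:
    """CA-side comparison. Section 8.3 lets the server ignore trailing whitespace,
    so a final newline is tolerated; anything else must match exactly."""
    return fetched_body.rstrip() == key_authorization(token, jwk)


def validate_dns01(txt_values: list[str], domain: str, token: str, jwk: dict) -> bool:
    """CA-side check: any one TXT record with the expected value suffices, which lets
    several pending challenges for the same name coexist."""
    _, expected = dns01_record(domain, token, jwk)
    return expected in txt_values


def protected_header(url: str, nonce: str, alg: str = "ES256",
                     jwk: dict | None = None, kid: str | None = None) -> dict:
    """JWS protected header for an ACME request (6.2): 'alg', a fresh 'nonce', the
    target 'url', and exactly one of 'jwk' (newAccount, revokeCert) or 'kid'
    (every other request, carrying the account URL the server assigned)."""
    if (jwk is None) == (kid is None):
        raise ValueError("exactly one of jwk or kid must be set")
    header = {"alg": alg, "nonce": nonce, "url": url}
    if jwk is not None:
        header["jwk"] = {k: jwk[k] for k in _THUMBPRINT_MEMBERS[jwk["kty"]]}
    else:
        header["kid"] = kid
    return header


def jws_signing_input(protected: dict, payload: dict | None) -> bytes:
    """ASCII(BASE64URL(protected) || '.' || BASE64URL(payload)): the bytes the account
    private key signs. POST-as-GET requests use an empty payload (6.3)."""
    p = b64url(json.dumps(protected, separators=(",", ":")).encode("utf-8"))
    body = "" if payload is None else b64url(json.dumps(payload, separators=(",", ":")).encode("utf-8"))
    return f"{p}.{body}".encode("ascii")
```

Two details are worth noticing. The dns-01 TXT value is a digest of the key authorization, so what is published in DNS is not what is placed in the http-01 file, and a value copied from one challenge type cannot be reused for the other. And because the thumbprint covers only the canonical public members, a client that later adds `alg` or `use` to its stored JWK still computes the same key authorization.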

Image: flickr / Blondinrikard Fröberg / CC BY

Opinions

According to the IETF, ACME will be useful for administrators who manage many domain names, since the standard helps to obtain the right SSL certificate for each of them.

Experts also point to several security mechanisms in the standard that are meant to ensure certificates are issued only to the legitimate domain holder. DNSSEC is recommended to protect the DNS lookups made during validation, and to limit denial of service the standard lets the server rate-limit individual requests, for example HTTP POST. The ACME authors themselves recommend adding entropy to DNS queries and performing validation from several points in the network.

Similar Solutions

Two other protocols are also used to obtain certificates: SCEP and EST.

SCEP (Simple Certificate Enrollment Protocol) was developed by Cisco Systems to simplify the issuance of X.509 certificates and make it scale. Before SCEP, the process required hands-on work by system administrators and scaled poorly. Today it is one of the most widely used enrollment protocols.

EST (Enrollment over Secure Transport, RFC 7030) lets PKI clients obtain certificates over a secure channel: the exchange and issuance run over TLS, and the CSR can be bound to the TLS session of the sender. EST also supports elliptic-curve keys and certificates.

In the experts' view, solutions like ACME should be adopted more widely: they offer a simpler and more secure model for setting up SSL certificates, and they speed up the process.


Source: habr.com
