Let’s Encrypt, the non-profit Certificate Authority run by the Internet Security Research Group went into a public beta last fall and general availability this past April. Since then they have already issued over five million certificates making them one of the largest CAs on the planet. Akamai makes it easy to use an LE cert on your customer facing site, but what is involved in obtaining a certificate for your origin or your home site? See a live demo of requesting, validating, and installing a Let’s Encrypt cert. For the remaining 59 minutes we will discuss the ACME protocol which is the API that powers Let’s Encrypt, tools that are available to obtain and managed you certificate, and libraries that make it easy for you to write your own tools.

1. © AKAMAI - EDGE 2016
ACME – Let’s Encrypt Your Origin
Stephen Ludin – Chief Architect, Akamai – BoD, ISRG

2. © AKAMAI - EDGE 2016
A PKI Primer

3. © AKAMAI - EDGE 2016
Our cast of characters
Alice Bob Eve

4. © AKAMAI - EDGE 2016
A little ditty about Alice and Bob
All Alice and Bob want
to do is peacefully
pass notes in class
without interference
from Eve.

5. © AKAMAI - EDGE 2016
U R
Sweet
e1bf4
190ce
U R
Sweet
e1bf4
190ce
???

6. © AKAMAI - EDGE 2016
U R
Sweet
692ha
1ac43
U R
Sweet
e1bf4
190ce
U
Smell

7. © AKAMAI - EDGE 2016
We have not solved ANYTHING!

8. © AKAMAI - EDGE 2016
How does Bob know this really
IS Alice’s public key?

9. © AKAMAI - EDGE 2016
Enter, Carol Carol’s job is simple:
• Get Alice’s public key
• Verify that it really is Alice
• Sign Alice’s public key saying
“This really is Alice”
• Give her (Carol’s) public key to
Bob

10. © AKAMAI - EDGE 2016
X

11. © AKAMAI - EDGE 2016

12. © AKAMAI - EDGE 2016
Free
Automatic
Secure
Transparent
Open
Cooperative

13. © AKAMAI - EDGE 2016
TLS Everywhere

14. © AKAMAI - EDGE 2016
Over 10,000,000 active certificates
Over 13,500,000 active domains

15. © AKAMAI - EDGE 2016

16. © AKAMAI - EDGE 2016

17. © AKAMAI - EDGE 2016
Demo

18. © AKAMAI - EDGE 2016
Yes, It’s that easy
(mostly)

19. © AKAMAI - EDGE 2016
Create
Key Pair
Create
Signed
CSR
Send
CSR
To CA
Validate
CA
Creates/
Signs
Cert
Install
Cert

20. © AKAMAI - EDGE 2016
For many of us…
certbot

21. © AKAMAI - EDGE 2016
Where certbot excels
A small infrastructure
• Single webserver for example
Can run certbot on the machine that needs the key
Are running a supported webserver
Designed to be fully automated with little knowledge required

22. © AKAMAI - EDGE 2016
“But, that’s not me!”

23. © AKAMAI - EDGE 2016
(and that’s why you are here)

24. © AKAMAI - EDGE 2016
The Voodoo Behind
Let’s Encrypt

25. © AKAMAI - EDGE 2016
ACME
Automated Certificate
Management Environment

26. © AKAMAI - EDGE 2016
“…a protocol for automating the
management of domain-validation
certificates, based on a simple JSON-
over-HTTPS interface.”

27. © AKAMAI - EDGE 2016
REST

28. © AKAMAI - EDGE 2016
Something for Everyone
45 Clients
14 Libraries
10 Languages

29. © AKAMAI - EDGE 2016
Protocol::ACME

30. © AKAMAI - EDGE 2016

31. © AKAMAI - EDGE 2016
A few notes…

32. © AKAMAI - EDGE 2016
Staging versus Production
acme-staging.api.letsencrypt.org
acme-v01.api.letsencrypt.org
No Rate Limits
“Fake” Root
Rate Limits
True Root

33. © AKAMAI - EDGE 2016
JWS / Nonce
Everything is Protected with JWS and Nonces:
"header": { "alg":"RS256", "jwk": { "e":"AQAB", "kty":"RSA", "n":"<n> } },
"payload" : <payload>,
"protected": <protected_header>,
"signature": <sig>

34. © AKAMAI - EDGE 2016
Account Key – Your ID
$ openssl genrsa –out account_key.pem 2048

35. © AKAMAI - EDGE 2016
Let’s Code

36. © AKAMAI - EDGE 2016
Getting Started
perl
my $acme = Protocol::ACME->new( host => $le_host,
account_key => $key,
mailto => $email );
REST

37. © AKAMAI - EDGE 2016
directory - Get a list of REST end points
perl
$acme->directory();
REST
GET: https://<host>/directory

38. © AKAMAI - EDGE 2016
reg / new-reg – Lookup or register account key
perl
$acme->register();
REST
POST: https://<host>/acme/new-reg
JWS( mailto: <your email> )

39. © AKAMAI - EDGE 2016
Accept Terms of Service
perl
$acme->accept_tos();
REST
POST: https://<host>/acme/reg/ID
JWS ( “agreement”: “<TOS URL>” )

40. © AKAMAI - EDGE 2016
authz – Request a validation challenge
perl
$acme->authz( $domain );
REST
POST: https://<host>/acme/reg/ID
JWS ( identifier: { type => DNS, value = <domain> } )

41. © AKAMAI - EDGE 2016
Challenges
dns-01: Add a specific TXT record to DNS
tls-sni-01: Provision a specific certificate at the domain
http-01: Place a specific object a the domain

42. © AKAMAI - EDGE 2016
Challenges
Protocol::ACME helps with Challenge automation:
• Protocol::ACME::Challenge::SimpleSSH
• Protocol::ACME::Challenge::LocalFile
• Protocol::ACME::Challenge::Manual
my $challenge =
Protocol::ACME::Challenge::SimpleSSH->new(
{ ssh_host => <my_host>, www_root => ”/opt/local/www/htdocs” } )

43. © AKAMAI - EDGE 2016
Handle Challenges
perl
$acme->handle_challenge( $challenge );
REST
Follow instructions to do it by hand

44. © AKAMAI - EDGE 2016
Check challenges
perl
$acme->check_challenge();
REST
POST https://<host>/<challenge_id>
JWS( keyAuthorization: token + fingerprint )

45. © AKAMAI - EDGE 2016
new-cert: Submit the CSR and get the certificate
perl
my $cert = $acme->sign( $csr );
REST
POST https://<host>/new-cert
JWS( csr: <DER encoded CSR> )

46. © AKAMAI - EDGE 2016
The whole thing…
my $acme = Protocol::ACME->new( host => $le_host,
account_key => $key,
mailto => $email );
$acme->directory();
$acme->register();
$acme->accept_tos();
$acme->authz( $domain );
$acme->handle_challenge( $challenge );
$acme->check_challenge();
my $cert = $acme->sign( $csr );

47. © AKAMAI - EDGE 2016
Install your Certificate

48. © AKAMAI - EDGE 2016
Renew

49. © AKAMAI - EDGE 2016
Questions?