
IETF approves ACME, a standard for working with SSL certificates

The IETF has approved the Automatic Certificate Management Environment (ACME) standard, which will help automate the acquisition of SSL certificates. Here is how it works.


/ Flickr / cliff johnson / cc by-sa

Why a standard was needed


On average, an administrator spends from one to three hours setting up an SSL certificate for a domain. If a mistake is made, the application is rejected, and only after that can it be submitted again. All this makes it difficult to deploy large-scale systems.

The domain validation procedure differs from one certification authority to another. This lack of standardization sometimes leads to security problems. There is a known case where, due to a bug in its system, one CA treated every claimed domain as validated. In such situations, SSL certificates can end up being issued to fraudulent resources.

The IETF-approved ACME protocol (specified in RFC 8555) is meant to automate and standardize the process of obtaining a certificate. Taking the human factor out of the loop should also improve the reliability and security of domain name verification.

The standard is open, and anyone can contribute to its development. The relevant instructions are published in the GitHub repository.

How it works


In ACME, requests are exchanged over HTTPS using JSON messages. To work with the protocol, an ACME client is installed on the target node; on first contact with the CA it generates a unique key pair, which is subsequently used to sign all messages exchanged between client and server.

The first message contains contact information about the owner of the domain. It is signed with the private key and sent to the server together with the public key. The server verifies the signature and, if everything is in order, begins the procedure for issuing an SSL certificate.

To obtain a certificate, the client must prove to the server that it controls the domain. To do so, it performs actions that only the domain's owner can perform. For example, the certificate authority can generate a unique token and ask the client to publish it on the site. The CA then makes an HTTP or DNS request to retrieve the key derived from this token.

In the case of HTTP validation, the key derived from the token must be placed in a file served by the web server. With DNS validation, the certification authority looks for the unique key in a TXT record of the domain's DNS zone. If everything is in order, the server confirms that the client has been validated and the CA issues the certificate.


/ Flickr / Blondinrikard Fröberg / CC BY

Opinions


According to the IETF, ACME will be useful for administrators who have to work with several domain names. The standard will help attach the right SSL certificate to each of them.

Among the advantages of the standard, experts also note several security mechanisms. They are meant to ensure that SSL certificates are issued only to the actual owners of the domains. In particular, the DNSSEC set of extensions is used to protect against DNS attacks, and to protect against DoS the standard rate-limits individual request types, for example HTTP POST requests. The ACME developers themselves recommend adding entropy to DNS queries and issuing them from several network vantage points for increased security.

Similar solutions


SCEP and EST are also used to obtain certificates.

The first was developed by Cisco Systems. Its goal was to simplify the procedure for issuing X.509 digital certificates and make it as scalable as possible. Before SCEP, this process required the active participation of system administrators and did not scale well. Today this protocol is one of the most common.

As for EST, it allows PKI clients to obtain certificates over secure channels. It uses TLS for transporting messages and issuing certificates, as well as for binding the CSR to the sender. In addition, EST supports elliptic-curve cryptography, which adds a further level of protection.

According to experts, solutions like ACME should be used more widely. They offer a simplified and secure model for setting up SSL and speed up the process.

Source: https://habr.com/ru/post/444986/
