March 23, 2019 at 18:48IETF Approves ACME - This is the Standard for Working with SSL Certificates
The IETF has approved the Automatic Certificate Management Environment (ACME) standard , which will help automate the receipt of SSL certificates. We’ll tell you how it works. / Flickr / Cliff Johnson / CC BY-SA
On average, an administrator can spend from one to three hours setting up an SSL certificate for a domain. If you make a mistake, you will have to wait until the application is rejected, only after that it can be submitted again. All this makes it difficult to deploy large-scale systems.
The domain validation procedure for each certification authority may vary. Lack of standardization sometimes leads to security problems. There is a known case when, due to a bug in the system, one CA verified all declared domains. In such situations, SSL certificates can be issued to fraudulent resources.
IETF Approved ACME Protocol ( RFC8555 Specification) should automate and standardize the process of obtaining a certificate. And the elimination of the human factor will help increase the reliability and security of domain name verification.
The standard is open, and everyone can contribute to its development. The GitHub repository has posted instructions.
Request exchange in ACME occurs over HTTPS using JSON messages. To work with the protocol, you need to install an ACME client on the target node, it generates a unique key pair when you first contact the CA. Subsequently, they will be used for signing on all client and server messages.
The first message contains contact information about the domain owner. It is signed with a private key and, together with the public key, is sent to the server. He verifies the authenticity of the signature and, if everything is in order, begins the process of issuing an SSL certificate.
To obtain a certificate, the client must prove to the server the fact of domain ownership. To do this, he performs certain actions that are available only to the owner. For example, a certification authority may generate a unique token and ask the client to post it on the site. Next, the CA generates a web or DNS query to retrieve the key from this token.
For example, in the case of HTTP, the key from the token must be placed in a file that will be served by the web server. During DNS verification, the certification center will look for a unique key in the text document of the DNS record. If everything is in order, the server confirms that the client has passed validation and the CA issues a certificate.
/ Flickr / Blondinrikard Fröberg / CC BY
According to the IETF, ACME will be useful for administrators who have to work with multiple domain names. The standard will help to connect each of them with the necessary SSL.
Among the advantages of the standard, experts also note several security mechanisms . They must ensure that SSL certificates are issued only to true domain owners. In particular, a set of DNSSEC extensions is used to protect against DNS attacks , and to protect against DoS, the standard limits the speed of individual requests — for example, HTTP for the POST method . ACME developers themselves recommend adding entropy to DNS queries and performing them from several points on the network to increase security.
SCEP and EST are also used to obtain certificates .
The first was developed at Cisco Systems. Its goal was to simplify the process of issuing digital certificates X.509 and make it as scalable as possible. Before SCEP, this process required the active participation of system administrators and did not scale well. Today, this protocol is one of the most common.
As for EST, it allows PKI clients to receive certificates over secure channels. It uses TLS to send messages and issue SSL, as well as to bind CSR to the sender. In addition, EST supports elliptical cryptography techniques, which creates an additional layer of protection.
According to experts, solutions like ACME will need to be more widely available. They offer a simplified and secure SSL configuration model and speed up the process.
Why did you need a standard
On average, an administrator can spend from one to three hours setting up an SSL certificate for a domain. If you make a mistake, you will have to wait until the application is rejected, only after that it can be submitted again. All this makes it difficult to deploy large-scale systems.
The domain validation procedure for each certification authority may vary. Lack of standardization sometimes leads to security problems. There is a known case when, due to a bug in the system, one CA verified all declared domains. In such situations, SSL certificates can be issued to fraudulent resources.
IETF Approved ACME Protocol ( RFC8555 Specification) should automate and standardize the process of obtaining a certificate. And the elimination of the human factor will help increase the reliability and security of domain name verification.
The standard is open, and everyone can contribute to its development. The GitHub repository has posted instructions.
How it works
Request exchange in ACME occurs over HTTPS using JSON messages. To work with the protocol, you need to install an ACME client on the target node, it generates a unique key pair when you first contact the CA. Subsequently, they will be used for signing on all client and server messages.
The first message contains contact information about the domain owner. It is signed with a private key and, together with the public key, is sent to the server. He verifies the authenticity of the signature and, if everything is in order, begins the process of issuing an SSL certificate.
To obtain a certificate, the client must prove to the server the fact of domain ownership. To do this, he performs certain actions that are available only to the owner. For example, a certification authority may generate a unique token and ask the client to post it on the site. Next, the CA generates a web or DNS query to retrieve the key from this token.
For example, in the case of HTTP, the key from the token must be placed in a file that will be served by the web server. During DNS verification, the certification center will look for a unique key in the text document of the DNS record. If everything is in order, the server confirms that the client has passed validation and the CA issues a certificate.
/ Flickr / Blondinrikard Fröberg / CC BY
Opinions
According to the IETF, ACME will be useful for administrators who have to work with multiple domain names. The standard will help to connect each of them with the necessary SSL.
Among the advantages of the standard, experts also note several security mechanisms . They must ensure that SSL certificates are issued only to true domain owners. In particular, a set of DNSSEC extensions is used to protect against DNS attacks , and to protect against DoS, the standard limits the speed of individual requests — for example, HTTP for the POST method . ACME developers themselves recommend adding entropy to DNS queries and performing them from several points on the network to increase security.
Similar solutions
SCEP and EST are also used to obtain certificates .
The first was developed at Cisco Systems. Its goal was to simplify the process of issuing digital certificates X.509 and make it as scalable as possible. Before SCEP, this process required the active participation of system administrators and did not scale well. Today, this protocol is one of the most common.
As for EST, it allows PKI clients to receive certificates over secure channels. It uses TLS to send messages and issue SSL, as well as to bind CSR to the sender. In addition, EST supports elliptical cryptography techniques, which creates an additional layer of protection.
According to experts, solutions like ACME will need to be more widely available. They offer a simplified and secure SSL configuration model and speed up the process.