Lead Image © Stuart Miles, 123RF.com

Obtain certificates with acme.sh

Simply Certified

Article from ADMIN 65/2021
We take a close look at acme.sh, a lightweight ACME client written entirely in shell script that obtains and renews digital certificates for TLS-secured communication channels.

The Automatic Certificate Management Environment (ACME) protocol is mostly mentioned in connection with the Let's Encrypt certification authority, because it automates the process of issuing digital certificates for TLS encryption. Since then, more and more systems on both the server and the client side have started to support ACME.

Data transmitted on the Internet ideally should be encrypted. The Let's Encrypt organization [1] has played a significant role in making this good idea a reality. Until a few years ago, obtaining an X.509 certificate was a fairly complex process, but this workflow has been greatly simplified by the Let's Encrypt certification authority in combination with the ACME protocol. Anyone can now obtain a certificate for their own web service – or even other services – to ensure secure TLS communication channels.

Basically, two components are indispensable when using ACME: an ACME server, operated by the certification authority, and an ACME client. The protocol requires the client to prove that it controls the domain for which the server is to issue a certificate. If the client provides that proof, the server issues what is known as a Domain Validated (DV) certificate and sends it to the client. Unlike the Organization Validation (OV) or Extended Validation (EV) certificate types, no validation of the applicant's identity is necessary, so the conditions are ideal for automating the process from application through issuance of the certificate. The flip side is that a DV certificate attests only to control of the domain name at validation time, not to who operates the service behind it.

Different Challenge Types

The client proves control over a domain by responding correctly to a challenge issued by the server. The HTTP-01 and DNS-01 challenges have been part of the ACME protocol from the outset and are therefore documented in RFC 8555 [2]; the TLS-ALPN-01 challenge was only added in 2020 as an extension to the protocol (RFC 8737). This challenge

...
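The three challenge types named above differ only in where the proof is published; the proof itself is the same string in every case, derived from the token the CA hands out and the client's account key. The following Python is an added example written for this page, not code from acme.sh or from the article. The account key in it is a constructed placeholder JWK (its x and y values are not a real P-256 point, and are labelled as such in the code); the thumbprint and challenge-response arithmetic is what RFC 8555 and RFC 8737 specify regardless of the key. It builds the HTTP-01 body, the DNS-01 TXT value and the TLS-ALPN-01 certificate-extension digest from one token, and includes the checks a CA performs on the other side.

```python
"""Computing and checking ACME challenge responses (RFC 8555, RFC 8737).

Added example; not code from acme.sh or from the article. ACCOUNT_JWK is a
constructed placeholder (its x/y values are not a real P-256 point); the
thumbprint and challenge-response arithmetic does not depend on that.
"""
import base64
import hashlib
import hmac
import json

# Constructed placeholder account key in JWK form. A real client derives the
# public members from its account private key; the private member (d) is never
# part of a challenge response, so it is omitted here.
ACCOUNT_JWK = {
    "kty": "EC",
    "crv": "P-256",
    "x": "hypothetical-x-coordinate-placeholder-43chr",
    "y": "hypothetical-y-coordinate-placeholder-43chr",
}


def b64url(data: bytes) -> str:
    """base64url without '=' padding, as ACME requires for all encoded fields."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_canonical(jwk: dict) -> str:
    """RFC 7638 canonical form: required public members only, keys in
    lexicographic order, no whitespace. Private members must never leak in."""
    required = {"EC": ("crv", "kty", "x", "y"), "RSA": ("e", "kty", "n")}
    members = {k: jwk[k] for k in required[jwk["kty"]]}
    return json.dumps(members, sort_keys=True, separators=(",", ":"))


def jwk_thumbprint(jwk: dict) -> str:
    """base64url(SHA-256(canonical JWK)): binds every response to the account key."""
    return b64url(hashlib.sha256(jwk_canonical(jwk).encode("utf-8")).digest())


def key_authorization(token: str, jwk: dict) -> str:
    """RFC 8555 section 8.1: token || '.' || thumbprint(accountKey)."""
    return f"{token}.{jwk_thumbprint(jwk)}"


def _ka_digest(token: str, jwk: dict) -> bytes:
    """SHA-256 of the key authorization, shared by DNS-01 and TLS-ALPN-01."""
    return hashlib.sha256(key_authorization(token, jwk).encode("ascii")).digest()


def http01_response(domain: str, token: str, jwk: dict) -> tuple:
    """URL the CA fetches over plain HTTP on port 80, and the exact body to serve."""
    url = f"http://{domain}/.well-known/acme-challenge/{token}"
    return url, key_authorization(token, jwk)


def dns01_value(token: str, jwk: dict) -> str:
    """TXT record value: base64url(SHA-256(keyAuthorization))."""
    return b64url(_ka_digest(token, jwk))


def dns01_record(domain: str, token: str, jwk: dict) -> tuple:
    """TXT record name and value the client must publish for DNS-01."""
    return f"_acme-challenge.{domain}", dns01_value(token, jwk)


def tls_alpn01_extension(token: str, jwk: dict) -> bytes:
    """RFC 8737: raw SHA-256 of the key authorization. The client places it in the
    acmeIdentifier extension (OID 1.3.6.1.5.5.7.1.31) of a self-signed certificate
    for the domain and serves that certificate on port 443 for ALPN 'acme-tls/1'."""
    return _ka_digest(token, jwk)


def verify_http01(token: str, served_body: str, jwk: dict) -> bool:
    """CA-side check of an HTTP-01 fetch. RFC 8555 lets the server ignore trailing
    whitespace; everything else must match the key authorization exactly."""
    expected = key_authorization(token, jwk).encode("ascii")
    got = served_body.rstrip().encode("utf-8")
    return hmac.compare_digest(expected, got)


def verify_dns01(token: str, txt_values: list, jwk: dict) -> bool:
    """CA-side check of a DNS-01 lookup: any TXT value in the RRset may match, so
    unrelated records at the same name do not break validation."""
    expected = dns01_value(token, jwk).encode("ascii")
    return any(hmac.compare_digest(expected, v.encode("utf-8")) for v in txt_values)


if __name__ == "__main__":
    # Constructed token; a real one is chosen by the CA for each challenge.
    token = "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA"
    print("HTTP-01:", *http01_response("example.com", token, ACCOUNT_JWK))
    print("DNS-01: ", *dns01_record("example.com", token, ACCOUNT_JWK))
    print("TLS-ALPN-01 digest:", tls_alpn01_extension(token, ACCOUNT_JWK).hex())
```

Run it directly to print the three responses for the constructed token. Two practical points follow from the code: every response is bound to the account key through the thumbprint, so a challenge file captured from one account cannot be replayed by another; and HTTP-01 is fetched over plain HTTP on port 80 from the outside, which is why DNS-01 is the usual choice for hosts that are not reachable that way, and the only choice Let's Encrypt accepts for wildcard names.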