Let’s get a curve!

The curve

which openssl
openssl version #1.1.1g or 3.0.0-dev
openssl ecparam -list_curves

average clients mainly support those two

  secp384r1 : NIST/SECG curve over a 384 bit prime field
  prime256v1: X9.62/SECG curve over a 256 bit prime field

so let’s proceed with the supposedly fastest one

cd /etc/ssl/
domain=DOMAIN.TLD

#openssl ecparam -genkey -name prime256v1 | openssl ec -out $domain.key
# restrictive umask so the key is never world-readable, not even before the chmod
(umask 077; openssl ecparam -genkey -name prime256v1 > $domain.key)
ls -lhF $domain.key
chmod 400 $domain.key

CSR

NetBSD does not ship an openssl.cnf by default

cp -i /usr/local/ssl/openssl.cnf.dist /usr/local/ssl/openssl.cnf
vi /usr/local/ssl/openssl.cnf

anyway, take the chance to tune it on Ubuntu

cp -pi /etc/ssl/openssl.cnf /etc/ssl/openssl.cnf.dist
vi /etc/ssl/openssl.cnf

[ req_distinguished_name ]
countryName_default             = FR
#stateOrProvinceName_default     = 
localityName_default            = Paris 
#0.organizationName_default     = Internet Widgits Pty Ltd
emailAddress_default            = pbraun@nethence.com

openssl req -new -sha256 -key $domain.key -out $domain.csr -config /etc/ssl/openssl.cnf
ls -lhF *.csr

TODO add CN=$domain as part of the command line for csr generation
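
one way to do what the TODO describes, as an added example that is not part of the original notes: `-subj` puts the CN on the command line, `-addext` (OpenSSL 1.1.1 and later) adds the matching SAN, and the CSR is checked before it goes to the CA. `make_ec_csr` and its two arguments are hypothetical names.

```sh
# added example; make_ec_csr and its arguments are hypothetical names
# usage: make_ec_csr FQDN OUTDIR  -> prints the CSR path on success
make_ec_csr() {
    fqdn=$1 dir=$2
    key=$dir/$fqdn.key csr=$dir/$fqdn.csr

    # umask in a subshell: the key is created 0600, never readable by others
    ( umask 077 && openssl ecparam -genkey -name prime256v1 -noout -out "$key" ) \
        || return 1
    chmod 400 "$key"

    # CN from the command line, SAN via -addext (OpenSSL >= 1.1.1)
    openssl req -new -sha256 -key "$key" -out "$csr" \
        -subj "/CN=$fqdn" -addext "subjectAltName=DNS:$fqdn" || return 1

    # grep the verdict instead of trusting the exit status of -verify
    openssl req -in "$csr" -noout -verify 2>&1 | grep -q 'verify OK' || return 1

    # the CSR must carry a P-256 key and the SAN we asked for
    text=$(openssl req -in "$csr" -noout -text) || return 1
    printf '%s\n' "$text" | grep -q 'ASN1 OID: prime256v1' || return 1
    printf '%s\n' "$text" | grep -q "DNS:$fqdn" || return 1
    printf '%s\n' "$csr"
}
```

the resulting .csr can be handed to `dehydrated --signcsr` exactly like the interactive one.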

Dehydrated

git clone https://github.com/lukas2511/dehydrated.git

ls -lhF /usr/local/bin/dehydrated #noexist
cp dehydrated/dehydrated /usr/local/bin/
dehydrated -h

mkdir -p /etc/dehydrated/
cp -i dehydrated/docs/examples/config /etc/dehydrated/config.sample
vi /etc/dehydrated/config # new file

IP_VERSION=4
CA="https://acme-v02.api.letsencrypt.org/directory"
CHALLENGETYPE="http-01"
WELLKNOWN="/var/www/dehydrated"
#WELLKNOWN="/var/www/html/.well-known/acme-challenge"

prepare the shared folder for HTTP-01 challenges

mkdir -p /var/www/dehydrated/
echo ok > /var/www/dehydrated/ok.txt
#mkdir -p /var/www/html/.well-known/acme-challenge/
#echo ok > /var/www/html/.well-known/acme-challenge/ok.txt

#vi /etc/nginx/sites-enabled/$domain.conf
vi /usr/local/nginx/conf/nginx.conf

location ^~ /.well-known/acme-challenge/ {
    default_type "text/plain";
    #trailing slash matters
    alias /var/www/dehydrated/;
}

check remotely that you are well known on the clear-text web…

curl -si http://$domain/.well-known/acme-challenge/ok.txt

accept the terms and attempt to get your CSR signed

cd /etc/ssl/

dehydrated --register --accept-terms
find /etc/dehydrated/accounts/

dehydrated --signcsr $domain.csr --full-chain > $domain.crt

notice there are both certs in there, including the intermediate at the end, and check

cat $domain.crt
openssl x509 -in $domain.crt -noout -text | less

Moar

look at the CA Issuers field and obtain the intermediate certificate

wget -O lex3.der cert.int-x3.letsencrypt.org
openssl x509 -in lex3.der -inform der -noout -text | less
openssl x509 -in lex3.der -inform der -out lex3.crt -outform pem

draft but optional

#wget http://apps.identrust.com/roots/dstrootcax3.p7c
#openssl pkcs7 -print_certs -in dstrootcax3.p7c -out dstrootcax3.crt

Automation

It’s fast and simple. Fill in the domains you’re hosting

vi /etc/dehydrated/domains.txt

FQDN1
FQDN2

and simply run the thing in a cron job

crontab -e

30 3 * * 0 /usr/local/bin/dehydrated --cron --keep-going --algo prime256v1
#--force

or (DON’T FORGET TO RELOAD THE DAEMONS)

vi /etc/cron.weekly/dehydrated

#!/bin/sh
/usr/local/bin/dehydrated --cron --keep-going --algo prime256v1 && /usr/local/sbin/nginx -s reload
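
a gate to run between the renewal and the reload, as an added example (not dehydrated's own code): it refuses unless the renewed file holds leaf plus intermediate, the leaf covers the FQDN, is not about to expire and matches the private key. `check_renewed_chain` and its four arguments are hypothetical; pass it whatever paths your setup writes.

```sh
# added example: refuse to reload unless the renewed chain checks out
# usage: check_renewed_chain FULLCHAIN KEY FQDN MIN_DAYS  (all caller-supplied)
check_renewed_chain() {
    chain=$1 key=$2 fqdn=$3 min_days=$4

    # leaf first, then at least one intermediate (what --full-chain produces)
    n=$(grep -c 'BEGIN CERTIFICATE' "$chain" 2>/dev/null) || n=0
    [ "$n" -ge 2 ] || { echo "chain has $n cert(s), expected >= 2" >&2; return 1; }

    # openssl x509 only reads the first PEM block, i.e. the leaf
    openssl x509 -in "$chain" -noout -checkhost "$fqdn" | grep -q 'does match' \
        || { echo "leaf does not cover $fqdn" >&2; return 1; }

    openssl x509 -in "$chain" -noout -checkend $((min_days * 86400)) >/dev/null \
        || { echo "leaf expires within $min_days days" >&2; return 1; }

    # the leaf must carry the public half of the key the daemon will load
    cert_pub=$(openssl x509 -in "$chain" -noout -pubkey) || return 1
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) || return 1
    [ "$cert_pub" = "$key_pub" ] || { echo "key does not match leaf" >&2; return 1; }

    # second PEM block must be the leaf's issuer (name comparison, no signature check)
    issuer=$(openssl x509 -in "$chain" -noout -issuer -nameopt RFC2253 \
        | sed 's/^issuer=//')
    parent=$(awk '/BEGIN CERTIFICATE/{n++} n==2' "$chain" \
        | openssl x509 -noout -subject -nameopt RFC2253 | sed 's/^subject=//')
    [ -n "$issuer" ] && [ "$issuer" = "$parent" ] \
        || { echo "second cert is not the leaf's issuer" >&2; return 1; }
}
# e.g. dehydrated --cron ... && check_renewed_chain ... && nginx -s reload
```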

Resources

Upcoming Features https://letsencrypt.org/upcoming-features/

Documentation https://www.ssllabs.com/projects/documentation/index.html

SSL Labs Known Issues https://discussions.qualys.com/docs/DOC-4865

curves

Testing out ECDSA certificates https://scotthelme.co.uk/ecdsa-certificates/

Howto obtain ECDSA cert (in addition to RSA) with certbot? https://community.letsencrypt.org/t/howto-obtain-ecdsa-cert-in-addition-to-rsa-with-certbot/61687/3

Obtaining an Elliptic Curve certificate from Let’s Encrypt https://dev.to/benjaminblack/obtaining-an-elliptic-curve-dsa-certificate-with-lets-encrypt-51bc

How to obtain an ECDSA wildcard certificate from Let’s Encrypt https://medium.com/@benjamin.black/how-to-obtain-an-ecdsa-wildcard-certificate-from-lets-encrypt-be217c737cfe

Using ECDSA certificates with Let’s Encrypt https://www.ericlight.com/using-ecdsa-certificates-with-lets-encrypt

dehydrated

Dehydrated: a bash client for Let’s Encrypt https://www.aaflalo.me/2016/09/dehydrated-bash-client-lets-encrypt/

WELLKNOWN https://github.com/lukas2511/dehydrated/blob/master/docs/wellknown.md

WELLKNOWN documentation gives conflicting statements #193 https://github.com/lukas2511/dehydrated/issues/193

Dehydrated and Let’s Encrypt https://sysadmin.pm/dehydrated-letsencrypt/

I can not renew a certificate (dehydrated) https://community.letsencrypt.org/t/i-can-not-renew-a-certificate-dehydrated/77487

other acme

ACME Client Implementations https://letsencrypt.org/docs/client-options/

ACMEv2 client written in plain C code with minimal dependencies https://github.com/ndilieto/uacme/

A pure Unix shell script implementing ACME client protocol https://acme.sh https://github.com/Neilpang/acme.sh

Testing TLS/SSL encryption https://testssl.sh/

rfcs

Algorithms and Identifiers https://tools.ietf.org/html/rfc3279

moar

DER vs. CRT vs. CER vs. PEM Certificates and How To Convert Them https://support.ssl.com/Knowledgebase/Article/View/19/0/der-vs-crt-vs-cer-vs-pem-certificates-and-how-to-convert-them

How to convert a certificate into the appropriate format https://knowledge.digicert.com/solution/SO26449.html

