Internet Security Research Group originally developed an Automated Certificate Management Environment (ACME) protocol for their Public CA, Let’s Encrypt. ACME is what drives Let’s Encrypt’s entire business model, which allows them to issue 90-day, domain validated SSL certificates, which can be renewed and replaced without the website owner’s intervention.

The objective is to set up an HTTPS server that will automatically obtain trusted certificates without any human intervention.

Table of Contents

Overview

IETF developed an Automated Certificate Management Environment (ACME) for Automatic Certificate Management. ACME protocol provides an efficient way to validate that a certificate requester is authorized for the requested domain and automatically installs the certificates.

This validation is performed by requiring the requester to place a random string (provided by the CA or certificate manager) on the server for verification via HTTP or in a text record of the server’s Domain Name System (DNS) entry. Client programs, such as Certbot, can automatically perform all of the operations needed to request a certificate—minimizing the manual work. Let’s Encrypt, and several other public CAs support public-facing certificates’ automated management by using the ACME protocol. However, public CAs cannot perform ACME validation for certificates installed on systems inside organizational networks. External entities cannot make HTTP or DNS connections to internal systems. The certificate manager can make internal HTTP and DNS connections and be used for ACME-based certificate management on internal networks. A variety of CAs, certificate managers, and clients across a broad set of TLS servers and operating systems support the ACME protocol, which gives it an advantage. A disadvantage of ACME is that there is no primary method for triggering a certificate replacement in response to a certificate event (e.g., CA compromise).

ACME defines an extensible framework for automating the issuance and validation process of these certificates. The servers are allowed to obtain certificates without any human intervention.

ACME Protocol Model

ACME uses HTTPS as a transport for JavaScript Object Notation (JSON) Web Signature (JWS) objects. These are also called REST API.

ACME servers run on Certificate Authorities (CA) and respond to the client’s action if they are authorized. The client uses ACME protocol to request certificate management actions. ACME Clients are represented by “account key pairs.” A private key is used to sign all messages to the server, and the ACME server uses public access to verify the authenticity of the messages and ensure integrity.

How ACME Protocol Works

Setting Up

An ACME server needs to be appropriately configured before it can receive requests and install certificates. Steps to set up ACME servers are:

  • Setting up a CA: ACME will be installed in a CA, so we would need to choose a CA on the domain we want ACME to be available.
    • Enter the domain where ACME will be installed
    • Choose on which CA it will be installed
  • Authorization
    • The client contacts the CA and generates an authorized key pair
    • CA issues DNS or HTTPS challenges that the client responds to and solves to prove authority and control.
    • CA also sends a nonce, a random number, which is signed using the client’s private key and sent back for verification to the CA.

This concludes the setting up of ACME. Post-installation, the automation would begin to work. There are a few steps that ACME takes:

  • Issuing/Renewing Certificates: ACME has the authority to issue or renew certificates to authorized users. At first, the client (or agent) generates a Certificate Signing Request (CSR), sent to the CA. The CSR is signed by the agent, which the CA can confirm is genuine and comes from the agent. The CA, after verification, issues the certificate for the domain and returns it to the agent.
    [DIAGRAM]
  • Revocation: Like the previous process, the agent signs a revocation request sent to the CA. The CA again confirms the request’s authenticity and then revokes the certificate, publishing on CRL, OCSP, etc., for the PKI infrastructure.

ACME Protocol Functions

ACME uses various URLs and resources for different management functions it can provide. Some functions include:

  • New Nonce
  • New Registration
  • New Application
  • New Authorization
  • Revoke Certificate
  • Key change

Advantages

ACME provides an automated way to give certificates and revoke them quickly, without human error. Apart from these, there are a few advantages to look out for…

  • ACME is free, which lets any domain owner get a trusted certificate at no cost.
  • As previously stated, the ACME automates the certificate lifecycle with no human error.
  • ACME can be used by anyone, which supports uniform protocols for all functions instead of separate APIs.
  • They are supported by open-source, which helps to impact the whole community and grow more impactful projects, enhancing security.
  • In case of a compromise, ACME can help quickly mitigate the issue, replace the old certificates with new ones, and switch to a new CA.

About the Author

Search any posts

A collection of Encryption related products and resources that every organization should have!

Cyber security experts conference 2022

Free Downloads

Datasheet of Encryption Consulting Services

Encryption Consulting is a customer focused cybersecurity firm that provides a multitude of services in all aspects of encryption for our clients.

Download

When a user connects to a website via HTTPS, asymmetric encryption is used. For that to happen, the user uses the server’s public key to initiate the connection. To confirm the authenticity of that public key, certificates are used. The certificate will have details such as who does this certificate belong to, who issued it, a serial number, expiration date and the public key.
This can establish trust where the certificate and the key can be trusted and thereafter the communication between the user and the server is also trusted.

About the Author

Anish Bhattacharya is a Consultant at Encryption Consulting, working with PKIs, HSMs, creating Google Cloud applications, and working as a consultant with high-profile clients.

Search any posts

A collection of Encryption related products and resources that every organization should have!

Cyber security experts conference 2022

Free Downloads

Datasheet of Encryption Consulting Services

Encryption Consulting is a customer focused cybersecurity firm that provides a multitude of services in all aspects of encryption for our clients.

Download

HTTPS, or Hypertext Transfer Protocol Secure, is the secure version of HTTP, which is the only primary protocol browsers use to connect to web servers and display web pages to users. HTTPS uses asymmetric encryption to secure the data in transport between the web server and client.

HTTPS is more favorable where privacy is more relevant. These can be situations where we are making online transactions, logging into our bank, or other tasks that would include the usage of sensitive documents.

Websites with an ability to log in or which contains sensitive information should use HTTPS instead of HTTP. Modern browsers such as Chrome, Firefox do not even let users enter a website without HTTPS enabled. If a user tried to open such a website, it might be flagged or warned to the user, or the browser would not let the user open such a website at all.

A green padlock, or simply a padlock, is shown, which signifies the usage of HTTPS. If the website is not using any, it would be flagged, and users may not be able to access such websites.

How HTTPS works?

HTTPS uses Transport Layer Security (TLS)/SSL protocol to encrypt communication between the client and the server. This protocol uses asymmetric encryption to encrypt those communications, which creates private and public keys to secure the communication.

The private key is kept on the server itself and is not shared or visible to unauthorized users. The private key is used to decrypt communication that was encrypted using the public key.

The public key is distributed and available to anyone willing to connect to the server. Information encrypted by the public key can be decrypted only by the private key and vice versa. The public key is also attached to the SSL/TLS certificate so that anyone can confirm the authenticity of the public key and the server they are connecting to.

Why is HTTPS important?

HTTPS provides encryption to the communication between a server and a client. If HTTPS was absent, a malicious user could view the messages being exchanged, which can contain credentials, bank information, or other sensitive data, which can lead to privacy issues or fraud. This data can be easily sniffed using freely available software. This insecure connection can make communication a lot harder in public Wi-Fi or even in-home networks where a sniffer can collect your bank information and other sensitive information, which can cause a catastrophe.

Apart from being vulnerable to MITM attacks, HTTP can also allow intermediaries, such as ISP, to inject content without any approvals. These injections can be in the form of ads or spam, which can harm the experience. HTTPS eliminates the ability to inject content or any other information to the website and protects against attacks such as MITM.

HTTP vs HTTPS

HTTP and HTTPS are not inherently built differently. Both of these protocols are used to display webpages. The only big difference is the encryption used in HTTPS, which is done via TLS/SSL encryption over HTTP. HTTPS also use certificates to ensure the authenticity of the server and also confirms the ownership of the public key that would be used to encrypt the communication.

When the client connects to the server, an SSL certificate is exchanged, containing the public key and other parameters needed for the communication. The client and the server go through an SSL handshake to establish secure communication.

About the Author

Search any posts

A collection of Encryption related products and resources that every organization should have!

Cyber security experts conference 2022

Free Downloads

Datasheet of Encryption Consulting Services

Encryption Consulting is a customer focused cybersecurity firm that provides a multitude of services in all aspects of encryption for our clients.

Download

Let's talk