SlideShare a Scribd company logo

Lets Encrypt!

Download as PPTX, PDF
Joerg Henning, profile picture
Joerg Henning

Let's Encrypt is a free, automated, and open certificate authority that aims to reduce barriers to secure internet communication. It allows users to generate SSL/TLS certificates at no cost by automating the key generation, certificate signing request, and domain verification processes. Certificates issued by Let's Encrypt are generally supported by modern browsers and operating systems. The service uses the ACME protocol for domain verification and has rate limits of 100 domains per certificate and 500 registrations per IP every 3 hours to prevent abuse.

Technology
1 of 14
Downloaded 22 times
1
2
3
4
5
6
7
8
9
10
11
12
13
14
Let's Encrypt SSL Certificates without the pain
@joerghenning
SSL certificate orders/renewals so far Generate RSA key Generate CSR Log in to CA's web horrible interface Fill out certificate order form Pay a lot of money Verify domain
Let's Encrypt https://letsencrypt.org/ "free, automated, and open certificate authority (CA), run for the public’s benefit" [https://letsencrypt.org/about/] Provided by ISRG - Internet Security Research Group (California based Non-Profit) Sponsored by Mozilla, Akamai, Cisco, EFF, OVH, Facebook, Chrome, etc. Mission: reduce technological & financial barriers to secure internet communication
Lets Encrypt!
What does it do? Still with Key, CSR, Domain verification, get certificate It's automated It's free
How does it work? ● ACME protocol: https://ietf-wg-acme.github.io/acme/ ● Specifies mostly the process of domain verification ● What we need to know: https://letsencrypt.org/how-it-works/ ● Server admin is identified by key pair ● CA issues challenges to authorize key pair, e.g. ○ DNS record ○ File on server
Pitfalls User running letsencrypt must have write access to web server root Make sure dot-files are accessible Challenge path: https://my-domain.com/.well-known/acme- challenge/jd1o3ddZXTYbjwUHvRnQOECZToSY-BKxyd6LdFgjvOg server { listen 80; # don't do this location ~ ^/. { deny all; } }
Certificates ● Root CA: ISRG Root X1 ● Intermediates: ○ Let’s Encrypt Authority X1 (not widely supported yet) ○ Let’s Encrypt Authority X2 (recovery) ● Cross signed by IdenTrust (DST Root CA X3), widely supported ● Issues certs: https://www.certificate-transparency.org ● Searchable: https://crt.sh/
Client Support Yep: Android > 2.3.6 Firefox > 2.0, Firefox OS > 2.2 Windows: IE, Chrome Safari > 4.0, iOS > 3.1 Linux: Debian > 6, Ubuntu > 12.04, CentOS ? Quickly tested: Node.js, PHP Nope: Java as of jdk8u51 (applied for) Older Androids Windows XP Blackberry
Rate Limits According to https://community.letsencrypt.org/t/rate-limits-for-lets-encrypt/6769 Domains per certificate: 100 Certificates per domain: 5 certs/domain/week Registrations per IP: 500/3hrs For testing/development: use staging env (--test-cert, --staging) No limits on total number of certificates
Integrations Apache installer (haven't tried) Caddy Server Express middleware Fully automated SSL FTW!
Why should I use it? Less work - makes you happy It's free - makes your boss/client happy It's encrypted - makes your users safer It's automated - makes DevOps people happy
Limitations No love for: Windows XP Java No wildcards Only domain validated! i.e. 🔒https://paypal-service-evil-hackers.net

More Related Content

PPTX
ACME and Let's Encrypt: HTTPS made easy
Gabriell Nascimento
 
PPTX
Squirreling Away $640 Billion: How Stripe Leverages Flink for Change Data Cap...
Flink Forward
 
PDF
aclpwn - Active Directory ACL exploitation with BloodHound
DirkjanMollema
 
ODP
OAuth2 - Introduction
Knoldus Inc.
 
PDF
Deploying Kafka Streams Applications with Docker and Kubernetes
confluent
 
PDF
Carlos García - Pentesting Active Directory [rooted2018]
RootedCON
 
PDF
ACID ORC, Iceberg, and Delta Lake—An Overview of Table Formats for Large Scal...
Databricks
 
PDF
Carlos García - Pentesting Active Directory Forests [rooted2019]
RootedCON
 
ACME and Let's Encrypt: HTTPS made easy
Gabriell Nascimento
 
Squirreling Away $640 Billion: How Stripe Leverages Flink for Change Data Cap...
Flink Forward
 
aclpwn - Active Directory ACL exploitation with BloodHound
DirkjanMollema
 
OAuth2 - Introduction
Knoldus Inc.
 
Deploying Kafka Streams Applications with Docker and Kubernetes
confluent
 
Carlos García - Pentesting Active Directory [rooted2018]
RootedCON
 
ACID ORC, Iceberg, and Delta Lake—An Overview of Table Formats for Large Scal...
Databricks
 
Carlos García - Pentesting Active Directory Forests [rooted2019]
RootedCON
 

What's hot (20)

PPTX
2017 Secure360 - Hacking SQL Server on Scale with PowerShell
Scott Sutherland
 
PDF
Deploying Privileged Access Workstations (PAWs)
Blue Teamer
 
PDF
Security of DNS
removed_5ef8f4100b1d7e8bfe3d2dc557fe10d0
 
PDF
DNS Security
johnmcclure00
 
PDF
Hunting for Credentials Dumping in Windows Environment
Teymur Kheirkhabarov
 
PPT
Sql injection
Nikunj Dhameliya
 
PPTX
The Current State of Table API in 2022
Flink Forward
 
PDF
Streaming Data from Cassandra into Kafka
Abrar Sheikh
 
PPTX
Securing APIs with Open Policy Agent
Nordic APIs
 
PDF
Ace Up the Sleeve
Will Schroeder
 
PPTX
A2 - broken authentication and session management(OWASP thailand chapter Apri...
Noppadol Songsakaew
 
PDF
Stream Processing – Concepts and Frameworks
Guido Schmutz
 
PDF
CNIT 40: 2: DNS Protocol and Architecture
Sam Bowne
 
PDF
Privilege escalation from 1 to 0 Workshop
Hossam .M Hamed
 
PDF
HashiCorp's Vault - The Examples
Michał Czeraszkiewicz
 
PPTX
MongoDB Atlas
MongoDB
 
PPTX
Near real-time statistical modeling and anomaly detection using Flink!
Flink Forward
 
PDF
What is self-sovereign identity (SSI)?
Evernym
 
PPT
Intro to Web Application Security
Rob Ragan
 
PDF
Layer 7 SecureSpan Solution
CA API Management
 
2017 Secure360 - Hacking SQL Server on Scale with PowerShell
Scott Sutherland
 
Deploying Privileged Access Workstations (PAWs)
Blue Teamer
 
Security of DNS
removed_5ef8f4100b1d7e8bfe3d2dc557fe10d0
 
DNS Security
johnmcclure00
 
Hunting for Credentials Dumping in Windows Environment
Teymur Kheirkhabarov
 
Sql injection
Nikunj Dhameliya
 
The Current State of Table API in 2022
Flink Forward
 
Streaming Data from Cassandra into Kafka
Abrar Sheikh
 
Securing APIs with Open Policy Agent
Nordic APIs
 
Ace Up the Sleeve
Will Schroeder
 
A2 - broken authentication and session management(OWASP thailand chapter Apri...
Noppadol Songsakaew
 
Stream Processing – Concepts and Frameworks
Guido Schmutz
 
CNIT 40: 2: DNS Protocol and Architecture
Sam Bowne
 
Privilege escalation from 1 to 0 Workshop
Hossam .M Hamed
 
HashiCorp's Vault - The Examples
Michał Czeraszkiewicz
 
MongoDB Atlas
MongoDB
 
Near real-time statistical modeling and anomaly detection using Flink!
Flink Forward
 
What is self-sovereign identity (SSI)?
Evernym
 
Intro to Web Application Security
Rob Ragan
 
Layer 7 SecureSpan Solution
CA API Management
 
Ad

Similar to Lets Encrypt! (20)

PDF
OTN tour 2015 Experience in implementing SSL between oracle db and oracle cli...
Andrejs Vorobjovs
 
PDF
320.1-Cryptography
behrad eslamifar
 
PDF
FreeBSD and Hardening Web Server
Muhammad Moinur Rahman
 
PPTX
Low Hanging Fruit, Making Your Basic MongoDB Installation More Secure
MongoDB
 
PPTX
Demystfying secure certs
Gary Williams
 
PPT
Securing Network Access with Open Source solutions
Nick Owen
 
PDF
InSecure Remote Operations - NullCon 2023 by Yossi Sassi
Yossi Sassi
 
PPTX
Let's encrypt
書廷 林
 
PPTX
MongoDB World 2018: Low Hanging Fruit: Making Your Basic MongoDB Installation...
MongoDB
 
PDF
SSL State of the Union
Sander Temme
 
PPTX
It's a Dangerous World
MongoDB
 
PDF
wapt lab 6 - converted (2).pdfwaptLab09 tis lab is used for college lab exam
imgautam076
 
PPTX
Automate or die! Rootedcon 2017
Toni de la Fuente
 
PPTX
Toni de la Fuente - Automate or die! How to survive to an attack in the Cloud...
RootedCON
 
PPTX
Secure socket layer
BU
 
PPTX
Information Security Engineering
Md. Hasan Basri (Angel)
 
PDF
Tech t18
SelectedPresentations
 
PDF
Romulus OWASP
Grupo Gesfor I+D+i
 
PDF
Advanced nginx in mercari - How to handle over 1,200,000 HTTPS Reqs/Min
Masahiro Nagano
 
PDF
Seattle C* Meetup: Hardening cassandra for compliance or paranoia
zznate
 
OTN tour 2015 Experience in implementing SSL between oracle db and oracle cli...
Andrejs Vorobjovs
 
320.1-Cryptography
behrad eslamifar
 
FreeBSD and Hardening Web Server
Muhammad Moinur Rahman
 
Low Hanging Fruit, Making Your Basic MongoDB Installation More Secure
MongoDB
 
Demystfying secure certs
Gary Williams
 
Securing Network Access with Open Source solutions
Nick Owen
 
InSecure Remote Operations - NullCon 2023 by Yossi Sassi
Yossi Sassi
 
Let's encrypt
書廷 林
 
MongoDB World 2018: Low Hanging Fruit: Making Your Basic MongoDB Installation...
MongoDB
 
SSL State of the Union
Sander Temme
 
It's a Dangerous World
MongoDB
 
wapt lab 6 - converted (2).pdfwaptLab09 tis lab is used for college lab exam
imgautam076
 
Automate or die! Rootedcon 2017
Toni de la Fuente
 
Toni de la Fuente - Automate or die! How to survive to an attack in the Cloud...
RootedCON
 
Secure socket layer
BU
 
Information Security Engineering
Md. Hasan Basri (Angel)
 
Tech t18
SelectedPresentations
 
Romulus OWASP
Grupo Gesfor I+D+i
 
Advanced nginx in mercari - How to handle over 1,200,000 HTTPS Reqs/Min
Masahiro Nagano
 
Seattle C* Meetup: Hardening cassandra for compliance or paranoia
zznate
 
Ad

Recently uploaded (20)

PDF
Advanced methodologies resolving dimensionality complications for autism neur...
IAESIJAI
 
PPT
Teaching material agriculture food technology
LiaRayya
 
PDF
Spectral efficient network and resource selection model in 5G networks
IAESIJAI
 
PDF
cuic standard and advanced reporting.pdf
SimoneTitaniumTomase
 
PPTX
PA Analog/Digital System: The Backbone of Modern Surveillance and Communication
AVTRON Technologies LLC
 
PPTX
MYSQL Presentation for SQL database connectivity
Swati270511
 
PPTX
A Presentation on Artificial Intelligence
memembruh336
 
PDF
Reach Out and Touch Someone: Haptics and Empathic Computing
Mark Billinghurst
 
PDF
Encapsulation theory and applications.pdf
gurumoop
 
PDF
Architecting across the Boundaries of two Complex Domains - Healthcare & Tech...
Peter Tan
 
PDF
Blue Purple Modern Animated Computer Science Presentation.pdf.pdf
Akar16
 
PPT
“AI and Expert System Decision Support & Business Intelligence Systems”
ZubinRadhakrishnan
 
PDF
Unlocking AI with Model Context Protocol (MCP)
Brian McKeiver
 
PDF
TokAI - TikTok AI Agent : The First AI Application That Analyzes 10,000+ Vira...
SOFTTECHHUB
 
PDF
Build a system with the filesystem maintained by OSTree @ COSCUP 2025
Jian-Hong Pan
 
PDF
Per capita expenditure prediction using model stacking based on satellite ima...
IAESIJAI
 
PDF
NewMind AI Weekly Chronicles - August'25 Week I
NewMind AI
 
PPTX
Detection-First SIEM: Rule Types, Dashboards, and Threat-Informed Strategy
ReZa AdineH
 
PDF
NewMind AI Monthly Chronicles - July 2025
NewMind AI
 
PDF
CIFDAQ's Market Insight: SEC Turns Pro Crypto
CIFDAQ
 
Advanced methodologies resolving dimensionality complications for autism neur...
IAESIJAI
 
Teaching material agriculture food technology
LiaRayya
 
Spectral efficient network and resource selection model in 5G networks
IAESIJAI
 
cuic standard and advanced reporting.pdf
SimoneTitaniumTomase
 
PA Analog/Digital System: The Backbone of Modern Surveillance and Communication
AVTRON Technologies LLC
 
MYSQL Presentation for SQL database connectivity
Swati270511
 
A Presentation on Artificial Intelligence
memembruh336
 
Reach Out and Touch Someone: Haptics and Empathic Computing
Mark Billinghurst
 
Encapsulation theory and applications.pdf
gurumoop
 
Architecting across the Boundaries of two Complex Domains - Healthcare & Tech...
Peter Tan
 
Blue Purple Modern Animated Computer Science Presentation.pdf.pdf
Akar16
 
“AI and Expert System Decision Support & Business Intelligence Systems”
ZubinRadhakrishnan
 
Unlocking AI with Model Context Protocol (MCP)
Brian McKeiver
 
TokAI - TikTok AI Agent : The First AI Application That Analyzes 10,000+ Vira...
SOFTTECHHUB
 
Build a system with the filesystem maintained by OSTree @ COSCUP 2025
Jian-Hong Pan
 
Per capita expenditure prediction using model stacking based on satellite ima...
IAESIJAI
 
NewMind AI Weekly Chronicles - August'25 Week I
NewMind AI
 
Detection-First SIEM: Rule Types, Dashboards, and Threat-Informed Strategy
ReZa AdineH
 
NewMind AI Monthly Chronicles - July 2025
NewMind AI
 
CIFDAQ's Market Insight: SEC Turns Pro Crypto
CIFDAQ
 

Lets Encrypt!

  • 3. SSL certificate orders/renewals so far Generate RSA key Generate CSR Log in to CA's web horrible interface Fill out certificate order form Pay a lot of money Verify domain
  • 4. Let's Encrypt https://letsencrypt.org/ "free, automated, and open certificate authority (CA), run for the public’s benefit" [https://letsencrypt.org/about/] Provided by ISRG - Internet Security Research Group (California based Non-Profit) Sponsored by Mozilla, Akamai, Cisco, EFF, OVH, Facebook, Chrome, etc. Mission: reduce technological & financial barriers to secure internet communication
  • 6. What does it do? Still with Key, CSR, Domain verification, get certificate It's automated It's free
  • 7. How does it work? ● ACME protocol: https://ietf-wg-acme.github.io/acme/ ● Specifies mostly the process of domain verification ● What we need to know: https://letsencrypt.org/how-it-works/ ● Server admin is identified by key pair ● CA issues challenges to authorize key pair, e.g. ○ DNS record ○ File on server
  • 8. Pitfalls User running letsencrypt must have write access to web server root Make sure dot-files are accessible Challenge path: https://my-domain.com/.well-known/acme- challenge/jd1o3ddZXTYbjwUHvRnQOECZToSY-BKxyd6LdFgjvOg server { listen 80; # don't do this location ~ ^/. { deny all; } }
  • 9. Certificates ● Root CA: ISRG Root X1 ● Intermediates: ○ Let’s Encrypt Authority X1 (not widely supported yet) ○ Let’s Encrypt Authority X2 (recovery) ● Cross signed by IdenTrust (DST Root CA X3), widely supported ● Issues certs: https://www.certificate-transparency.org ● Searchable: https://crt.sh/
  • 10. Client Support Yep: Android > 2.3.6 Firefox > 2.0, Firefox OS > 2.2 Windows: IE, Chrome Safari > 4.0, iOS > 3.1 Linux: Debian > 6, Ubuntu > 12.04, CentOS ? Quickly tested: Node.js, PHP Nope: Java as of jdk8u51 (applied for) Older Androids Windows XP Blackberry
  • 11. Rate Limits According to https://community.letsencrypt.org/t/rate-limits-for-lets-encrypt/6769 Domains per certificate: 100 Certificates per domain: 5 certs/domain/week Registrations per IP: 500/3hrs For testing/development: use staging env (--test-cert, --staging) No limits on total number of certificates
  • 12. Integrations Apache installer (haven't tried) Caddy Server Express middleware Fully automated SSL FTW!
  • 13. Why should I use it? Less work - makes you happy It's free - makes your boss/client happy It's encrypted - makes your users safer It's automated - makes DevOps people happy
  • 14. Limitations No love for: Windows XP Java No wildcards Only domain validated! i.e. 🔒https://paypal-service-evil-hackers.net

Editor's Notes

  • #2: TODO: Browser support, wildcards, limitations (only domain validated certs!)
  • #13: Caddy (live demo?: not localhost or IP port not 80 scheme is not http TLS is not turned off Certificates and keys are not provided Caddy able to bind to 80 and 443 Get caddy: https://github.com/mholt/caddy/releases Caddyfile: jhenning.me gzip browse ext .html log ./access.log Start caddy Done!
  • #15: https://community.letsencrypt.org/t/which-browsers-and-operating-systems-support-lets-encrypt/4394