About certificate link, renew, etc


#1

I’m developing my own ACME client with JS running in the browser. I have managed to reach the new-cert stage with the staging environment. Below is the link where I suppose I would get my certificate:
https://acme-staging.api.letsencrypt.org/acme/cert/fae10554f4d7bc2a5240a89ea4d1b2c22f8b

I’m new to SSL. It seems anyone who knows the link above would get my certificate; is that secure? No account key is required here.
Other questions:

  1. How long will the above link be valid? Should I keep the link instead of the file for certificate storage?
  2. Does the staging certificate also work when my server actually loads it?
  3. How could I test the renewal process with the staging env?

Thanks,


#2

The immediate thought that comes to mind is, if you are completely new to SSL etc, why are you developing your own ACME client - there are many good ones out there - see https://letsencrypt.org/docs/client-options/

In terms of developing your own though, you at least want to read the ACME spec - https://tools.ietf.org/html/draft-ietf-acme-acme-03

Yes, that’s perfectly secure. You can download certificates for virtually all sites (Google, CNN etc.); there is no risk, as you need your private domain key with it to use it on your domain.

You should download the certificate, save it in a file (in the correct format), and use it from there.

Yes. The only difference is you will get a warning in your browser that it isn’t “trusted”.

I’m not sure what specific information you are after here. You should renew the certificate, using your client, in exactly the same way as you will want it to work with the live system.


#3

Thanks for the quick reply.
I get it now: the certificate only contains the public key, so there is no security problem.
However, will the certificate link exist as long as the certificate is valid, 90 days?
There isn’t much info about renewal; should it just skip new-reg, but go through new-auth, challenges, new-cert again?
What about the gap when I have got the new certificate but have not updated the web server? Will the old one still be valid before its expiry date?
I’m developing my own ACME client for both learning and better integrity. Based on the excellent work of https://gethttpsforfree.com/, it isn’t a big job.

Thanks


#4

No, hence why I said you needed to copy the cert and save it as a file. Equally, your server can’t use the cert from there; you need to save and convert it into the correct format.

Basically, yes.

The certificate is valid for 90 days, so if you obtain a new cert after 60 days, then both will still be valid, and you can simply change the config to use the new cert.
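
An added example (not part of the original posts, and not code from any client mentioned in the thread) of the "save and convert it into the correct format" step from #2 and #4. It assumes the certificate URL returns raw DER bytes, checks that the download is a complete DER SEQUENCE, and wraps it as PEM; the function names and the sample bytes are constructed for illustration.

```javascript
// Added example, not code from the thread. Assumes the certificate URL
// returns raw DER bytes, e.g. (certUrl is a hypothetical variable):
//   const der = new Uint8Array(await (await fetch(certUrl)).arrayBuffer());

// Total encoded length claimed by the outer DER header (tag + length + body).
function derTotalLength(der) {
  if (der.length < 2 || der[0] !== 0x30) {
    throw new Error("not a DER SEQUENCE: a certificate starts with byte 0x30");
  }
  if ((der[1] & 0x80) === 0) return 2 + der[1]; // short form: length < 128
  const n = der[1] & 0x7f; // long form: n bytes of big-endian length follow
  if (n === 0 || n > 4 || der.length < 2 + n) {
    throw new Error("unsupported or truncated DER length field");
  }
  let len = 0;
  for (let i = 0; i < n; i++) len = len * 256 + der[2 + i];
  return 2 + n + len;
}

// Base64 in both Node (Buffer) and browsers (btoa).
function toBase64(bytes) {
  if (typeof Buffer !== "undefined") return Buffer.from(bytes).toString("base64");
  return btoa(String.fromCharCode(...bytes));
}

// Wrap DER bytes as PEM, refusing truncated or padded downloads.
function derToPem(der) {
  const total = derTotalLength(der);
  if (total !== der.length) {
    throw new Error(`DER length mismatch: header says ${total}, got ${der.length}`);
  }
  const body = toBase64(der).match(/.{1,64}/g); // PEM body lines are 64 chars
  return ["-----BEGIN CERTIFICATE-----", ...body, "-----END CERTIFICATE-----", ""].join("\n");
}

// Constructed sample: a 260-byte DER SEQUENCE with filler content.
// It has the right framing but is NOT a real certificate.
function sampleDer() {
  const der = new Uint8Array(260);
  der.set([0x30, 0x82, 0x01, 0x00]);
  for (let i = 4; i < der.length; i++) der[i] = i & 0xff;
  return der;
}

console.log(derToPem(sampleDer()));
```

The PEM text contains only the public certificate; the private key generated for the CSR is stored separately and is never fetched from the certificate URL.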

