Certificate Automation: A Browser Client For Your Consideration


#1

As an Enterprise Linux Professionals project, we created a browser client for Let’s Encrypt. This resource is found at https://certificateautomation.com. Please go have a look and try it out. We are in beta until the 5th of November. (Security guys will understand that reference.)

The purpose of this utility is to make Let’s Encrypt accessible to non-Linux users and the Linux Administrators who do not want to try to explain it so that somebody can get a certificate. It is our hope that this utility will serve as an invitation for anybody to manage their certificates, from the lone web designer to the corporate registrars.

We are adding an additional resource soon that is a development server so that people can test the environment and we can add new features as they become available through Let’s Encrypt which uses the staging server.

If you see any way that we might improve this product, please let us know. Eventually we will charge a management fee based on the number of certificates a customer manages through our dashboard, even if they are not registered through Let’s Encrypt. This should assist people in the transition from other CA’s to Let’s Encrypt. (Details provided on the site.) A large portion of the money generated by this project will be donated to Let’s Encrypt. We are also prepared to provide a generous amount of management vouchers to Let’s Encrypt and The Linux Foundation to distribute or use in any way they wish. (I look forward to discussing those details with the appropriate person.)

A lot of time and work went into this project. This has been in the works for almost a year now. All credit goes to the Enterprise Linux Professionals Security Team for the long hours and expertise that they put into this project.

Sincerely,

Karl Clinger
Chief Executive Officer
Enterprise Linux Professionals


Online Certificate Generator
#2

You might wanna fix you registration page:

The certificateautomation.com page isn’t working

certificateautomation.com is currently unable to handle this request.
HTTP ERROR 500

:stuck_out_tongue:

Also when I try to confirm the e-mail address, same 500 error…

By the way, I’m not sure how your project will actually work… “Browser client”, sure… There are a few already, all with the same problem: nobody but me needs to know the private key! Nobody…!

Also, when I’m running some sort of VPS on some random company with some random variation of Linux, how would a “browser client” install the certificate for me? (As it is advertised as handy for non-technical persons…) Do I need to grant certificateautomation.com root access to my server or something? Which is possible even worse?


#3

No error on our end. What browser are you using?


#4

Chromium 51.0.2704.103.

Nice, now the e-mail confirmation links tries to be smart: “Are you lost?”

Now when I try to register, it just goes to the registration page again when I click “REGISTER”… :confused:


#5

It looks like the Let’s Encrypt blog posts are being mirrored on certificateautomation.com/blog with broken images and no attribution. This seems like it might confuse folks… Is there a reason for mirroring these posts?


#6

Thank you. I see what you see now. This will be fixed shortly.

certificateautomation.com does not get any access to your server. We generate a verification file and then we email you your files.


#7

Beta. We will come up with something more snarky before November 5th. :slight_smile:


#8

On one hand we want to make it very clear that Let’s Encrypt under the hood. We also want to give credit where credit is due, though. I will have this adjusted by tomorrow to better credit the site and allow for our own blog posts.


#9

I’m glad I can help hunt some bugs :smile:

Although I’m not quite sure how your one year project will actually help someone. You’re talking about helping the most incapable nitwits to install TLS. Persons who probably shouldn’t be messing with TLS at all.

I’m sure the project has all the good reasons in mind (making moneyhelping everybody around the globe installing TLS), but I’m not quite convinced it’s really a good thing.


#10

Here are the steps (when it works) :slight_smile: :

  1. A user registers.
  2. A user logs in.
  3. A user enters the domains that will be on the certificate, an administrative email, and the size of the key.
  4. The user receives a verification file that goes under /.well-known/acme-challenge/
  5. The user uses the browser utility to verify the domain and the Subject Alternate Names.
  6. Once the domains are verified the option to get the certificate shows up in the dashboard and an email is sent to the user with the SSL files.

#11

Including the private key? :fearful:


#12

I really appreciate your input, Osiris. As I mentioned in the original post, this should serve your purposes well if you don’t want to deal with the pathetic underlings people who might ask you for help with SSL/TLS.

Something tells me that you might suspect that our intentions are less than noble. We are operating at a significant loss for the resources invested into this effort. We did this without any expectation of making money, but the overwhelming feedback has been that many people will not use this service if it is free of charge. Since we are not selling certificates, but offering a service, we deliberated much about an appropriate price. If you have an opinion about the suggested pricing for this service we welcome the conversation. $7.55 is the most that somebody will pay to create, manage, renew, revoke, etc. as many certificates as they need for a domain (or multiple domains on a certificate) for an entire year. Multiple managed domains drastically reduce that price.


#13

Nah, I’m not that into pricing/economy/business et cetera. :slight_smile: And frankly, I’m not against making money too :stuck_out_tongue:

But the fact the private key is generated server side (at your servers) and not client side in the browser (at least, you’re not correcting me above ;)) is in my opinion (which isn’t holy or something) a very bad thing.

It’s not if I do or don’t believe how noble your intentions are: a private key which is generated server side by some third party is in essence unsafe.

From the current subscriber agreement (1.1.1):

“Key Compromise”— A Private Key is said to be compromised if its value has been disclosed to an
unauthorized person, an unauthorized person has had access to it, or there exists a practical technique by
which an unauthorized person may discover its value. A Private Key is also considered compromised if
methods have been developed that can easily calculate it based on the Public Key or if there is clear
evidence that the specific method used to generate the Private Key was flawed.

One might argue that sending a unencrypted private key (I actually don’t know if it’s encrypted…) per e-mail is enough reason to consider the key compromised: “(…) or there exists a practical technique by which an unauthorized person may discover its value.” MitM on e-mail is quite easy of course and very practical. And sending your private key to a GMail or Outlook e-mail address… Well… Need I say more? :stuck_out_tongue:


#14

Osiris,

The registration is working as it should now.

Thanks for the heads up.

Karl


#15

When the e-mail address is already been used once, there isn’t some sort of error… Just showing the register page again…


#16

Here is how bad this is for business:
We encourage Linux users, like yourself, to use Linux. If you are capable of running the scripts then you should do that. I use Linux as my primary desktop and for everything I can. I am also a Red Hat Certified Architect and always use the command line. (Does that sound like we are trying to make money? :slight_smile: ) This is for non-technical people. We provide detailed installation instructions and email support to help people through the process.

I use the scripts, but if people asked me to help them install Linux and learn enough of it to run the scripts, as easy as it is, I would send them to this site. Then, in 60-90 days when the certificate needs to be renewed, they can log in again and do it themselves.

If there is a more secure way of retrieving the key (perhaps through a secure download or password encrypted link) we will update the system to do the more secure thing. Again, we welcome your expertise and recommendations. Thank you.


#17

Perhaps look into elliptic curve key support too? :stuck_out_tongue:


#18

Does that second register page have a login option?


#19

Nope, just getting back at https://certificateautomation.com/register, no warning/message/registration.

Also, why can’t I add subdomains? There are a lot of people using dynamic DNS services which rely on a subdomain.


#20

I just registered, verified by clicking the link in my email, and after the success message was redirected to the login page. Are there any additional details you can provide that might help me figure out what is happening?