Certificate Automation: A Browser Client For Your Consideration

I just made an assignment for one of our security experts to brief the rest of the team on elliptic curve key support as a possible solution to increase security. Thank you for the suggestion.

After trying to register with a certain e-mail address (i.e., you received a verification e-mail), try to register again with the same e-mail address: it’s not working. Also not for already, verified, e-mail addresses. No “this e-mail address is already in use”. (Which might be on purpose for privacy reasons.)

Also, when hacking a subdomain in the verification process, I’m getting a “Whoops, looks like something went wrong.” :stuck_out_tongue: (at https://certificateautomation.com/verify).

Also, your domain verify entry form doesn’t require me to enter a key size: it just blindly accepts the “Choose a key size” text.

And even when I enter all the info properly (a [random] domain name, a [correct] e-mail address, a key size) I’m not getting the verification file in my inbox? It just doesn’t send any, even when I hit “Resend”?

So, what is the “automation” part exactly? Do I get to enter everything by hand every 3 months, muck around with verification files manually, have my private keys compromised by default and on top of that, I get to pay for it?

Looks like a useless project that tries to freeload off of LE.

Let's try to keep our language respectful please and thank you!

If you do not specify a size it defaults to 2048.

There will be a message notifying users if an email address has already been used very soon.

As far as your hacking is concerned, we may have overlooked some simple items because we were focused on preventing potential threats, as you learned by going to the verify link.

Check your junk mail. Everybody’s rules are different. I imagine that yours are more strict than most. :slight_smile:

I'm also not sure what "Subject Alternative Names are automatically detected and will be verified with the primary domain" means.. What does it auto-detect? Also my "login.example.com", my "mail.example.com" or "private.example.com"?

Because I can't manually enter subdomains I'm reading. But what if I do want subdomains which aren't that easily guessed? Or does it brute force my (wild card) domain? :stuck_out_tongue:

I did, nothing there. Checked the Postfix logs too, only the registration e-mail. Does it verify something of the domain name first too? Because I don't have a spare domain name without my personal name lying around, so I can only test with example.com domains.

Any A records associated with the same address. www.domain.com and any others that you specify through DNS.

But how will your system know of private.example.com? You have to actively know and query the A record… Because it’s not ‘advertised’ in any way?

Also, let’s not forget about AAAA records please… IPv6 already 18 years old. Anyone (professionally) ignoring IPv6 should be ashamed of itself.

The automation is that anybody who has a browser, but does not have Linux, can perform the same steps and obtain a certificate through completing the forms provided in the browser client and clicking the links in the emails. A dashboard for managing domains allows users to create, renew, and revoke certificates without relying on somebody else to take their .csr and convert it to a .crt (or .pem) file.

Renewals do require that the data is entered every three months and you do need to verify every time you renew.

Compromising keys is not a service that we provide. We only charge for the management of certificates within our easy to use dashboard.

“To understand the concept, you should think of “free” as in “free speech,” not as in “free beer”.” -Richard Stallman https://www.gnu.org/philosophy/free-sw.en.html

The fact you're generating the private key server side already makes it compromised :wink: Although perhaps some less security concerned people might want to argue about that.

The fact TLS is all about TRUST makes it very difficult to genuinely believe some company on their blue eyes..

I, for one, am totally convinced that this is legit. After all, http://www.enterpriselinux.pro/ is hosted on wix.com and sounds completely non-shady. Also:

"We may terminate or suspend access to our Service immediately, without prior notice or liability, for any reason whatsoever"

Yes, please throw money in that direction, everyone!

Are you sure you understand the meaning of the word "automation"?

My eyes are brown, but I know what you mean. You seem like somebody I would want to invite to a key signing party. :slight_smile:

I have preached and understand the triangle of security, convenience, and cost. It is a simple thing to deem something to be insecure, but the real challenge is to take something that hasn’t been done and to make it happen. I am convinced that in the next 60 days we will have a more secure platform for generating certificates than anything presently available.

TCM: We use wix because web design is not our primary business. This was something that I assigned to a trusted colleague and it meets all of our business needs. You are not the only one to criticize us for that, though. You are in good company because Richard Stallman also pointed that out to me.

The verbiage in the service agreement is being reviewed and will be updated in October. This is a beta release for people like you to do your worst so that we can make legitimate improvements, like the ones that others are pointing out.

There are a few people who would vouch for my understanding of automation. Many of them have received Continuous Integration and Continuous Delivery training that I wrote and delivered. Others benefit from my consulting services, which include containerization, orchestration, and automation.

What you may not realize is that the world is not looking at this site through your eyes. Most people have negative experiences with getting a certificate for their hosting. (Keep in mind that these are people with an expertise that is different from yours.) There are a lot of self-motivated people who want to do things on their own to save time and money who have struggled with the technical details of generating a .csr file so that their chosen CA can send them their signed certificates. If something was wrong then the user would have to repeat the process and probably pay for the service again, making the original certificate worthless.

We have tried to anticipate these issues so that people have a resource to do everything on their own without having to rely on somebody like you who might try to make them feel insufficient for their own inadequacies and social deficiencies (like attacking somebody you don’t know in a public forum).

Since you would not use this site, and this service is presumably outside of your budget anyways, your contributions can only be considered trolling. I can offer you our sound reasoning for what we have done and the decisions that we have collectively made, but there doesn’t seem to be much point in doing that, so I may not respond to irrelevant posts anymore.

“Whether you think you can, or you think you can’t–you’re right.”
― Henry Ford

We use an openssl command in the scripts to detect the SANs. I have tested this with several domains and it has always found all of the SANs for the domains.

We are very excited about an upcoming feature that will allow advanced users to pass command line arguments when creating the certificate. This should bring the capabilities of this environment closer to what the command line can do.

Another feature on the back burner is the option of generating a ā€œrangeā€ of certificates for IPv6 assigned to a specified number of containers. As more organizations adopt containers it is beneficial to create a way for them to securely communicate.

I was shocked to learn how many people were running IPv6 with only a set of IPv4 firewall rules. When somebody objected and said that nobody could ever guess their IPv6 address I ran a dig command and showed him his IPv6 address in about 5 seconds. I am so glad that Let’s Encrypt can make IPv6 certificates now.

As the CEO of “Enterprise Linux Professionals”, you can surely explain what an “IPv6 certificate” is. I’m curious.

It is technically possible to list an IPv6 address as a SAN in an X.509 certificate, and thus have it be the de facto subject under the BRs.

Let’s Encrypt doesn’t issue such things but they are a legitimate if rare part of the Web PKI.
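What the post above describes, as an added example that is not part of the original thread or of any participant's code: a certificate whose SAN extension carries an IPv6 address next to DNS names, created with a key generated on the local machine and read back with openssl. It assumes OpenSSL 1.1.1 or later; the function names and the example.com / 2001:db8:: values are constructed for illustration.

```shell
# Added illustration. Requires OpenSSL 1.1.1+ (-addext and -ext options).
# example.com and 2001:db8::10 are constructed documentation values.

# Generate a P-256 key and a self-signed certificate in directory $1.
# The SAN extension lists two DNS names and one IPv6 address.
# The private key is written only to the local directory.
make_cert() {
  openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 \
    -nodes -keyout "$1/key.pem" -out "$1/cert.pem" -days 90 \
    -subj "/CN=example.com" \
    -addext "subjectAltName=DNS:example.com,DNS:www.example.com,IP:2001:db8::10" \
    2>/dev/null
}

# Print the SAN entries of certificate file $1, one per line, in the
# TYPE:VALUE form openssl uses ("DNS:..." or "IP Address:...").
list_sans() {
  openssl x509 -in "$1" -noout -ext subjectAltName \
    | tail -n +2 \
    | tr ',' '\n' \
    | sed 's/^[[:space:]]*//'
}

# Stand-alone demonstration: build the certificate in a scratch
# directory, show its SAN entries, then clean up.
demo() {
  dir=$(mktemp -d) || return 1
  make_cert "$dir" && list_sans "$dir/cert.pem"
  rm -rf "$dir"
}
```

Running `demo` prints the three entries. Reading the extension this way reports only the names already present in a certificate; it does not discover other hostnames under the domain.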

TCM: Even though you are a known troll the answer to your question may be beneficial to others, so I will answer it. To answer this question I will change roles for a moment and put on my junior administrator hat.

In common networking, TCP/IP, standards there are two divisions of addresses. The most commonly used is IPv4, which has the format of ###.###.###.###. The other is IPv6, which has a much more complex address and has exponentially more combinations. Simply put, an “IPv6 certificate” is one that does not use IPv4. Until recently, servers running only IPv6 addresses were not able to use Let’s Encrypt for certain things, but that has all been updated as of July, 2016.

So it probably only works for existing certificates? When my server is HTTPS naive, OpenSSL will not be able to do anything with it. So how would it detect a HTTP-only private.example.com?

Well, that's a rather strange way of putting it IMHO. The fact the validation server works with IPv6 doesn't change the issued certificate: it's exactly the same as a certificate which was validated through IPv4.

The certificate would be the same, but the “letsencrypt” script was not capable of doing things that it can do now. My comment to you was speaking to these new capabilities, not the certificate itself. TCM (the troll) asked me a generic question about what an IPv6 certificate was, so that answer was specifically for him.

I’m getting a broken page when I try and access the site. This is on the CDN resources but to be honest I am coming from a business network so it can be weird.

A service which handles private keys will have to face questions of business continuity and security. There is a huge level of trust that you are wanting from your clients.

Your professional image is important and I believe that you should perhaps work on that before launching. I get that you are in Beta but skimming through the site I can see numerous spelling mistakes in the terms of service and in my opinion not enough information on what you are actually going to do for your clients. Also little things like your subscriber agreement being the Let’s Encrypt one.

I can see you have taken some push back in this thread but that is to be expected when you are launching a service such as this and when you are such a young organisation (company?). Take on board what has been said and work on it and you may end up with a good service.