CSR generation by Let's Encrypt?


#1

With IT being a side-job in our company a lot of SSL knowledge isn’t around.
(Teach the monkey a trick and for the hard stuff we hire 3rd parties)

I’m looking into Let’s Encrypt as an alternative for my current GlobalSign certificates.
GlobalSign gives me the option to have them generate the private key / CSR for me.

Does Let’s Encrypt also allow me to “just” define my company name and CN for the certificate after being vetted, and afterwards generate the CSR for me and effectively push the certificate and key pair in a secure way to the Let’s Encrypt client for it to install on the server?


#2

No! :cold_sweat:
You should never give your private key away or let somebody else generate it (on somebody else’s hardware).

Let’s Encrypt does this in another way: It generates the private key on your own machine and this key never leaves your machine.
So:

First: the LE client runs on your server, so you don’t have to push your certificate anywhere.
As for getting a certificate, you don’t even have to do what you are thinking of: you don’t have to enter your company name anywhere. The only thing you have to do is execute a small Python script on your command line and select the domain you want secured; the LE client will automatically get the certificate for you and configure the server.

I’d recommend looking at this video. There you can see exactly how it works:

Related: How to get a certificate?


#3

@Bravens1970, depending on your server configuration the Let’s Encrypt client may end up being very easy and automatic for you – but at the outset that depends quite a lot on how similar your server configuration is to those that we’ve been developing with. If it’s very similar, it should be extremely easy; if not, it might be somewhat complex for the time being until we improve the software support in our client software.

(No matter what, it should be as fast to issue as the fastest existing CAs and as cheap as the cheapest existing CAs, but the ease of integration with your system may vary!)

I agree with @rugk that it isn’t a good security practice to have someone else generate your private keys on their computer.


#4

Just so you are aware, GlobalSign generates a CSR using a PKCS#12 file. Passwords are generated by a machine and sent very securely to customers. No private keys are ever stored on our servers :slight_smile:
You can find out more here: https://www.globalsign.com/en/blog/what-is-a-pkcs12-file/


#5

I appreciate the precautions that you take, but I don’t think private key generation by a CA is a security best practice.


#6

"Often we are asked about the level of security when generating a CSR for our customers. As we generate the private key ourselves, we have to be extra careful in order to make sure it remains secure. To do this GlobalSign follows strict procedures and guidelines. The key pair is generated using random numbers depending on a number of factors. FIPS 140 Level 3 cryptographic hardware is utilized to generate your key pair and certificate request. Lastly, to secure the .pfx file in transit, GlobalSign uses a high-protection password up to 50 characters in length, and our system appends another eight random characters.

It is also worth noting that GlobalSign never stores the private keys of our customers on our own servers. Once your private key is sent, you then have complete access. "

Other CAs also do this in similar ways. I understand your concern, and of course if you are concerned you are welcome to generate your own CSR. This service is provided as a means to speed up issuance and improve customer satisfaction :slight_smile:


#7

I’m not quite sure that offloading key and CSR generation to a third party is the best idea, to be honest, though depending on your level of trust in that third party and how a data breach on their side (if one happens) might affect your business, you might still try that, of course.

Generating the key and the CSR on your side automatically is quite possible though and it does not really require any specific IT knowledge.

If you don’t mind using a Perl client, you can try installing Crypt::LE and run it like this:

le.pl --key account.key --csr domain.csr --csr-key domain.key --crt domain.crt --domains "www.domain.ext,domain.ext" --generate-missing --live

That will:

  • Generate an account key for you (RSA 4096 bit) and save it into ‘account.key’ (keep that secure!)

  • Generate a key and CSR and save them into ‘domain.key’ and ‘domain.csr’

  • Get the certificate for you and save it into ‘domain.crt’ (merged with issuer’s, so it should work fine for both Nginx and modern Apache)

NB: the --live option makes the script run against the live server. Drop it to test the process against the staging server.

If you add --generate-only, then it will just generate and save an account.key (if it does not exist yet) and domain.key + domain.csr, so you could then use those for whatever you like, not necessarily for getting Let’s Encrypt certificates specifically.
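Added example, not code posted by anyone in this thread and not part of Crypt::LE: the local key and CSR generation that post #2 describes and that post #7's le.pl command performs, done with plain openssl(1) so the private key is created on your own server and never leaves it, followed by the checks worth running before the CSR is handed to any CA (Let's Encrypt through an ACME client that accepts a CSR, or GlobalSign instead of their generated PKCS#12). The output directory, the 3072-bit RSA size, the example.com names and the assumption of OpenSSL 1.1.1 or newer (for `-addext`) are mine, not the thread's.

```shell
#!/bin/sh
# Added example (not code from this thread or from Crypt::LE): generate the
# private key and CSR locally with openssl(1). Assumptions: openssl 1.1.1+ is
# installed; the output directory and domain names are placeholders.
set -eu

# gen_key_and_csr DIR CN [ALT_NAME...]
# Creates DIR/domain.key (3072-bit RSA, readable only by the owner) and
# DIR/domain.csr carrying CN plus every name in the subjectAltName extension.
gen_key_and_csr() {
    dir=$1; cn=$2; shift 2
    san="DNS:$cn"                      # CAs take names from the SAN, not the CN
    for alt in "$@"; do
        san="$san,DNS:$alt"
    done
    mkdir -p "$dir"
    # umask in a subshell so only the key file is created as mode 0600
    ( umask 077 && openssl genpkey -algorithm RSA \
        -pkeyopt rsa_keygen_bits:3072 -out "$dir/domain.key" 2>/dev/null )
    openssl req -new -key "$dir/domain.key" -subj "/CN=$cn" \
        -addext "subjectAltName=$san" -out "$dir/domain.csr"
}

# csr_matches_key DIR
# Succeeds only if the CSR's self-signature verifies and the public key it
# carries is the one derived from domain.key (catches a CSR built from a
# different or stale key before it is sent to the CA).
csr_matches_key() {
    dir=$1
    openssl req -in "$dir/domain.csr" -noout -verify >/dev/null 2>&1 || return 1
    key_pub=$(openssl pkey -in "$dir/domain.key" -pubout -outform DER 2>/dev/null \
              | openssl dgst -sha256)
    csr_pub=$(openssl req -in "$dir/domain.csr" -noout -pubkey \
              | openssl pkey -pubin -outform DER 2>/dev/null | openssl dgst -sha256)
    [ -n "$key_pub" ] && [ "$key_pub" = "$csr_pub" ]
}

# csr_sans DIR
# Prints the DNS names in the CSR's subjectAltName, one per line, so you can
# confirm what you are about to ask the CA to certify.
csr_sans() {
    openssl req -in "$1/domain.csr" -noout -text \
        | sed -n 's/^ *DNS:/DNS:/p' | tr ',' '\n' | sed 's/^ *DNS://'
}

# key_mode FILE
# Prints the group and other permission bits from ls -l; "------" means
# nobody but the owner can read the private key.
key_mode() {
    ls -ld "$1" | cut -c5-10
}

# Stand-alone usage: sh csr-local.sh OUTDIR www.example.com example.com
if [ $# -ge 2 ]; then
    gen_key_and_csr "$@"
    if csr_matches_key "$1"; then
        echo "CSR verified, names: $(csr_sans "$1" | tr '\n' ' ')"
        echo "submit $1/domain.csr to the CA; keep $1/domain.key on this host"
    else
        echo "CSR does not match $1/domain.key" >&2
        exit 1
    fi
fi
```

Only domain.csr is ever copied off the host; domain.key stays where it was generated, which is the property post #2 is describing. The mode check matters because a CSR workflow run as root and then handed to a web server process is the usual way a key ends up world-readable.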