Help! How do I log in using the private key?

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:
www.testmysites.co.uk

I ran this command:

It produced this output:

My web server is (include version):
nginx
The operating system my web server runs on is (include version):
ubuntu 18.04
My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don’t know):
yes
I’m using a control panel to manage my site (no, or provide the name and version of the control panel):
no
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot):
don't know

I have successfully got the security running on the webserver. The secure symbol is showing. No problems here. I have backed up the folder “letsencrypt” so that is in a safe place.
However, how do I associate the private key to a web browser when I want to access the secure server? Thanks in advance.

Michael D Falconer

1 Like

Can you elaborate on why you want to do this? You can already access your site over HTTPS without doing anything extra, right?

With the usual way that SSL certificates are set up, you don't need to do anything extra on the browser side.

The authentication for most HTTPS sites only works one way - the server provides a proof to the browser about its identity, but not the other way around.

There is also a fairly exotic scenario called "mutual authentication", where the browser proves its identity to the server as well - using a client certificate and private key. There are pretty much no sites on the public internet which use this - it's largely an internal/enterprise thing.

Are you using client certificates? If not, the answer to your question is that you don't need to do anything.

1 Like

OK, thanks. I thought the client had to present the private key to the server for two-way secure authentication…

1 Like

The Let’s Encrypt service isn’t used for client side authentication, because it only issues certificates for hostnames.

If you really need client side authentication, it’s probably best to set up your own certificate authority for this.

1 Like

One thing that I’ve tended to forget is that Let’s Encrypt certificates do include the Client Authentication EKU, so they technically could be used for client authentication. But I agree that Let’s Encrypt certificates aren’t very suitable for this application for the reason that you mentioned—because the subject of the certificate is always a hostname (not a person or account).

What if an organization decides to make a one-to-one mapping between accounts and domains, for example: user.peoples.example.org, in your case schoen.staff.eff.org?

Yes, in principle the organization could use Let’s Encrypt certificates that way. It’s not clear that using publicly-trusted certificates would be a benefit, though.

  • the certificates would have to be publicly logged
  • the certificates would have to have a 90-day duration
  • the organization would have to complete some kind of ACME challenge for each certificate
  • someone who managed to misissue a certificate inside the domain could potentially abuse it for client authentication

If the organization made its own internal CA for this purpose, none of these limitations or risks would have to apply.
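
The internal-CA route suggested in the replies above, as an added example that is not part of the original thread: a small OpenSSL script that creates a private CA, issues one certificate with the Client Authentication EKU and one with only Server Authentication, and checks which of them is acceptable as a client certificate. The file names and the common names `alice` and `www` are constructed for illustration.

```shell
#!/bin/sh
# Added example: a throwaway internal CA for client certificates.
# File names and CNs ("alice", "www") are constructed, not from the thread.

make_ca() {  # $1 = working directory
  cat > "$1/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = Example Internal Client CA
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF
  # Self-signed CA certificate; its lifetime is chosen by the organization.
  openssl req -x509 -new -newkey rsa:2048 -nodes -days 3650 \
    -config "$1/ca.cnf" -keyout "$1/ca.key" -out "$1/ca.pem" >/dev/null 2>&1
}

issue_cert() {  # $1 = dir, $2 = common name, $3 = EKU (clientAuth or serverAuth)
  printf 'basicConstraints = CA:FALSE\nkeyUsage = critical,digitalSignature\nextendedKeyUsage = %s\n' \
    "$3" > "$1/$2.ext"
  # Key and CSR for the subject, then a leaf certificate signed by the internal CA.
  openssl req -new -newkey rsa:2048 -nodes -config "$1/ca.cnf" -subj "/CN=$2" \
    -keyout "$1/$2.key" -out "$1/$2.csr" >/dev/null 2>&1 &&
  openssl x509 -req -in "$1/$2.csr" -CA "$1/ca.pem" -CAkey "$1/ca.key" \
    -CAcreateserial -days 365 -extfile "$1/$2.ext" -out "$1/$2.pem" >/dev/null 2>&1
}

verify_as_client() {  # $1 = dir, $2 = common name
  # Succeeds only if the certificate chains to our CA and permits client auth.
  openssl verify -purpose sslclient -CAfile "$1/ca.pem" "$1/$2.pem" >/dev/null 2>&1
}

# Demo run in a temporary directory.
demo_dir=$(mktemp -d)
make_ca "$demo_dir"
issue_cert "$demo_dir" alice clientAuth
issue_cert "$demo_dir" www serverAuth
verify_as_client "$demo_dir" alice && echo "alice: accepted as a client certificate"
verify_as_client "$demo_dir" www || echo "www: rejected as a client certificate"
```

On the nginx side, the server would keep its Let's Encrypt certificate for its own identity and point `ssl_client_certificate` at the internal `ca.pem` with `ssl_verify_client on`. The client's key and certificate are imported into the browser; the CA key stays offline.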
