How to get certificate of certification authority?

I haven’t got any domain

My operating system is (include version): Ubuntu 14.04 LTS

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no

Good morning everyone, I have a question :

  • What is needed on client part for HTTPS connection is public key of the server AND certification authority’s certificate (or public key ?) to trust this CA which has provided keys. With web browser, such CA certificates are embedded natively. But how to get these certificates programmatically ?
    Example : I want to use a program on a Linux system which will have to communicate with a server securely. I will have Server public key (added at installation) but how to get the CA certificate which has generated the keys ? In order to trust but also in order to have CA certificate validity and get new CA certificate when the current cert will be outdated ?

Thank you

I’m not sure I understand the question fully.

Do you want to specifically obtain the CA for Let’s Encrypt ( see https://letsencrypt.org/certificates/ )

or do you want to add those to a specific program / application so that it trusts Let’s Encrypt certs ? if so, what is that specific application, because the exact method usually depends on the program in question.

Thank you for your answer. Hum, both I guess :

> obtain the CA for Let’s Encrypt ( see https://letsencrypt.org/certificates/ )

but programmatically in order to trust on client part certificates generated with Lets Encrypt.
This is the following process :

  • on server part, a certificate, and public/private key are generated with LetsEncrypt
  • on client part, client get the server certificate
  • in order to know to trust the certificate or not, client part (application ? ) need to obtain certificate of Lets Encrypt and so get it automatically because when LetsEncrypt certificate will expire, we need to know that in order to get the new LetsEncrypt certificate on client part

And so I guess from your post that there is an operation to “install” the CA certificate ? I mean on Firefox for example, CA certificates are installed (Advanced panel -> certificates tab) and this is how Firefox knows how to trust or not certificates. That’s what I understand : in order to identify a certificate on a client part, you need necessarily the CA certificates which has provided the server certificate no ?

Thank you again for your time.

The CA is already “trusted” in many systems by default - see https://letsencrypt.org/docs/certificate-compatibility/

Hence my question " do you want to add those to a specific program / application so that it trusts Let’s Encrypt certs ? if so, what is that specific application"

Ah ok, it would be for a simple application on a UNIX platform (CentOS probably) which has to establish HTTPS connection with server in order users on client part can browse in HTTPS. So if CA is automatically trusted (by users web browsers) and can recognize certificates, no I wouldn’t need to add it to application for this part but what about refreshing LetsEncrypt CA certificate ?
But, I don’t want to do this by web browser, I want my system manage all of this :

  • I want my application obtain ca.crt, servercert.crt
  • I want my application obtain again ca.crt when previous has expired
    So I want to do what a web browser does so I guess answer to your question is yes finally but I don’t know how to do.
  • On server part, Apache virtualhosts are configured like this :
    <VirtualHost ...>
        SSLEngine on
        SSLCertificateFile servercert.crt
        SSLCertificateKeyFile serverkey.key
        SSLCertificateChainFile aChainOrFullchainDependingOnApacheVersion.crt
    </VirtualHost>

There are 3 “certificates” here.

  1. is the “servercert.crt” in your above example - this is the domain certificate
  2. is the “aChainOrFullchainDependingOnApacheVersion.crt” which is the intermediate or chain file
  3. is the root CA certificate.

See also https://letsencrypt.org/certificates/

The intermediate certificate ( which is placed in the apache config) is obtained at the same time as you obtain the domain certificate. i.e via certbot if you are using that client.

There is a set of the public keys for certs your centos will trust in /etc/ssl/certs/ca-bundle.crt ( typically) which enables it to trust the root cert ( on a server) and most applications would utilise this. Your web browser, other application on your PC will have a similar set of public keys for root certs it will trust.

I’m a little concerned that you don’t understand the basics yet you want to change things that you don’t appear to understand.

I’ve also asked every time, but you never answer “what is that specific application?”. Without that I can not help.

To try to answer what I suspect the original poster is asking, right now in order to accept an end-entity certificate issued by Let’s Encrypt, your browser or other client would have to be aware of three certificates. Looking at the case for this very site, there would be

The end-entity (leaf) certificate for the subject DNS name “community.letsencrypt.org”, issued by “Let’s Encrypt Authority X3” - this expires Mon 23 Jan 2017 05:20:00

The intermediate certificate for the subject “Let’s Encrypt Authority X3”, issued by “DST Root CA X3” - this expires Wed 17 Mar 2021 16:40:46 although it’s quite likely to cease being used much sooner than that

The root certificate for the subject “DST Root CA X3”, issued by “DST Root CA X3” (the issuer and subject are the same because root certificates are self-signed) - this expires Thu 30 Sep 2021 02:01:15

In terms of what will happen when each certificate expires or stops being used in anticipation of its expiry:

For the end-entity certificate, the TLS server will need to obtain a new (renewed) end-entity certificate and start serving that. Software like Certbot can make this change automatically.

For the intermediate certificate, the Let’s Encrypt CA will need to obtain a new intermediate certificate and start using it to issue end-entity certificates. The individual sites’ servers will also need to start serving this new intermediate as part of their certificate chains. Software like Certbot can also make this change automatically because the certificate chain is provided to the entity obtaining the cert as part of the ACME protocol. Certbot would receive the new associated intermediate from ACME upon some future renewal and would update chain.pem and fullchain.pem to include it.

For the root certificate, this is built into the browser and/or OS and would need to be supplemented by a new version of that root in a future browser or OS software release, in accordance with the software developer’s root program policies and software update practices. If a particular client isn’t updated by the end of September 2021, it will stop being able to accept and validate Let’s Encrypt certificates or any other certificates issued under IdenTrust’s DST Root.

Normally the first two changes are handled by the TLS server (again, software like Certbot can do this automatically upon renewal), while the third change is handled by browser or OS vendors and needs to be handled by users somehow updating their software or replacing old devices with newer ones that include newer software and updated root CAs.

2 Likes
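
The three-certificate chain and the split of who replaces what, described in the answer above, shown as an added Python example that is not part of the original thread. The function names are hypothetical, and `SAMPLE_CHAIN` is constructed from the expiry dates quoted in the answer, with GMT assumed because the post gives no time zone.

```python
import ssl
from datetime import datetime, timezone

def client_context(cafile=None):
    # cafile=None loads the OS trust store (the ca-bundle.crt mentioned above);
    # the application does not download a CA certificate itself.
    # The default context requires a valid chain and a matching hostname.
    return ssl.create_default_context(cafile=cafile)

def _cn(name):
    # getpeercert()/get_ca_certs() names look like ((("commonName", "x"),),)
    return dict(pair for rdn in name for pair in rdn).get("commonName", "?")

def renewal_plan(certs, now, warn_days=30):
    """Return (subject CN, status, who replaces it) for each certificate dict."""
    plan = []
    for cert in certs:
        expires = datetime.fromtimestamp(
            ssl.cert_time_to_seconds(cert["notAfter"]), timezone.utc)
        days_left = (expires - now).days
        status = ("expired" if expires <= now
                  else "renew soon" if days_left <= warn_days else "ok")
        # Self-signed (subject == issuer) means a root: only a trust store
        # update on the client replaces it. Leaf and intermediate are served
        # by the TLS server and replaced at renewal (e.g. by Certbot).
        is_root = cert["subject"] == cert["issuer"]
        plan.append((_cn(cert["subject"]), status,
                     "client trust store" if is_root else "server"))
    return plan

def _name(cn):
    return ((("commonName", cn),),)

# Constructed sample in the dict format the ssl module returns.
SAMPLE_CHAIN = [
    {"subject": _name("community.letsencrypt.org"),
     "issuer": _name("Let's Encrypt Authority X3"),
     "notAfter": "Jan 23 05:20:00 2017 GMT"},
    {"subject": _name("Let's Encrypt Authority X3"),
     "issuer": _name("DST Root CA X3"),
     "notAfter": "Mar 17 16:40:46 2021 GMT"},
    {"subject": _name("DST Root CA X3"), "issuer": _name("DST Root CA X3"),
     "notAfter": "Sep 30 02:01:15 2021 GMT"},
]

if __name__ == "__main__":
    for row in renewal_plan(SAMPLE_CHAIN, datetime.now(timezone.utc)):
        print(row)
```

Passing `client_context(cafile=...).get_ca_certs()` to `renewal_plan` audits a real CA bundle the same way; certificates loaded from a hashed directory instead of a file are only listed once they have been used in a handshake.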

Thanks - my understanding of the question was different ( and probably wrong) … my understanding was “How do I add these certs into my application, so it is trusted”

In that interpretation, I'd agree that the answer is probably "you most likely don't need to, but if you discover that you do for some reason, they can be found at Chain of Trust - Let's Encrypt and you might need to add new items from that page every few years on a schedule that's hard to predict in advance".
