StartSSL also does a simple HTTP validation by sending an email to the domain. Then the StartSSL website uses a browser feature/function to generate the certificate on the client side.
The big benefit is that a certificate can be issued OS-independently. This would be very nice for LE as well, e.g. I'd like to get a cert for a Windows IIS, not for an Apache.
> StartSSL also does a simple HTTP validation by sending an email to the domain. Then the StartSSL website uses a browser feature/function to generate the certificate on the client side.
> The big benefit is that a certificate can be issued OS-independently. This would be very nice for LE as well, e.g. I'd like to get a cert for a Windows IIS, not for an Apache.
Automation is a significant goal of the project though. Involving email verification would not be conducive to automation.
You should be able to use the LE certificate on any OS / web server combination. The certificate does not have to be generated by / on the server it will be used on.
I think there is a thread in here someplace discussing IIS. Try a search to see if you can find it and whether it addresses any questions for your use case.
There should be a PowerShell version by launch, so the LE client will be platform independent.
Emails are not that good to automate for most users, so it's not really an option, at least not as long as the certificates are short-lived (90 days).
StartSSL generates two certificates, one for client authentication and another one for use with your web server; neither of them is generated in the browser, they're generated on their servers.
LE will try to support every OS, but even if it doesn't, you can still get a certificate with the manual mode if your system is not supported.
> Automation is a significant goal of the project though. Involving email verification would not be conducive to automation.
No, it would just be an additional/optional validation option. The LE client can still use the HTTP validation mechanism for automatic generation. But if I'd like to get a cert without the tool, I can switch to the mail validation.
> The certificate does not have to be generated by / on the server it will be used on.
At least you need (to set up) a supported OS to run the LE client. Then the web server has to be publicly reachable.
In some cases it's easier and more secure to have a public mail server than a public web server. The certificate could also be used for non-web services, e.g. for a net tcp Windows client.
StartSSL solves all these "problems" with the in-browser generation. StartSSL is also a well-known CA and accepted by any common browser/OS.
> StartSSL generates two certificates, one for client authentication and another one for use with your web server; neither of them is generated in the browser, they're generated on their servers.
This can't be completely true. I used the service some weeks ago with my Chrome browser. (For a mail certificate, but I think this shouldn't make a big difference.)
The StartSSL website generates the certificate in my browser's certificate store. I don't think that a website is allowed to add a foreign cert to that store. There is also only one cert (the one in my browser store). It's used for identification, but it's also signed for the mail address, so I can just export and use it.
> Any web server can deliver the payload; it's just a simple JSON payload with a special Content-Type header, there's no need for it to be the LE client or an LE-configured web server.
You need additional knowledge for that. The browser solution will work for everyone out of the box.
And it seems pretty easy for LE to implement such a solution.
The user can create an account (password login is fine) at letsencrypt.org, add and validate his domain (with a method he'd like to use) and generate a cert.
Everything is explained step by step by the LE client in manual mode; you don't need any knowledge for it.
Stop talking about a browser solution; it's an email-based validation, it doesn't have anything to do with browsers. The manual mode of the LE client could be a website as well.
Additionally, it will only work as long as you have set up a mail server, and not everybody has one.
Keys and tokens are a lot more secure.
You don't have to repeat that link. As far as I can see, it's about client-side certificates, not server-side certificates. LE doesn't have any plans to support client certificates (yet). Additionally, private keys shouldn't ever leave the server they're generated on, except for encrypted backups, so it doesn't make sense to generate them in your browser.
Especially if you don't need HTTPS, just use the LE client in standalone mode to obtain a certificate; it's really easy and straightforward and doesn't require a mail server nor any knowledge.
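The quoted remark above that "any web server can deliver the payload" and the mention of standalone/manual mode are what the following added example illustrates. It is not code from this thread or from the Let's Encrypt client. It assumes the http-01 challenge as later standardised in RFC 8555 (the CA fetches `/.well-known/acme-challenge/<token>` and expects `token.base64url(SHA-256(JWK thumbprint))` as plain text), not the draft-era JSON payload with a special Content-Type that the quoted post describes; the account key, token and port choice below are constructed placeholders.

```python
"""
Added example, not part of the forum thread or of the Let's Encrypt client.

Assumes the RFC 8555 http-01 challenge: the CA connects to port 80 of the
domain and GETs /.well-known/acme-challenge/<token>, expecting the body
"<token>.<base64url(SHA-256(RFC 7638 thumbprint of the account JWK))>".
Any HTTP server able to serve that one path is enough; this one is a few
lines of the standard library. The JWK and token used in __main__ are
constructed placeholders, not a real account key.
"""
import base64
import hashlib
import json
from http.server import BaseHTTPRequestHandler, HTTPServer
from typing import Dict, Tuple

CHALLENGE_PREFIX = "/.well-known/acme-challenge/"


def b64url(data: bytes) -> str:
    """Base64url without '=' padding, the encoding ACME uses throughout."""
    return base64.urlsafe_b64encode(data).decode("ascii").rstrip("=")


def jwk_thumbprint(jwk: Dict[str, str]) -> str:
    """RFC 7638: required members only, lexicographic order, no whitespace, SHA-256."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required},
                           sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def key_authorization(token: str, jwk: Dict[str, str]) -> str:
    """The exact body the CA expects for this token and account key."""
    return f"{token}.{jwk_thumbprint(jwk)}"


def challenge_response(path: str, provisioned: Dict[str, str]) -> Tuple[int, bytes]:
    """
    Map a request path to (status, body). Everything outside the challenge
    prefix, any token containing '/', and any token we were not told about is
    a 404, so the responder never serves files or acts as a token oracle.
    """
    path = path.split("?", 1)[0]
    if not path.startswith(CHALLENGE_PREFIX):
        return 404, b"not found\n"
    token = path[len(CHALLENGE_PREFIX):]
    if "/" in token or token not in provisioned:
        return 404, b"not found\n"
    return 200, provisioned[token].encode("ascii")


def validate_body(body: bytes, token: str, jwk: Dict[str, str]) -> bool:
    """CA-side check: body (trailing whitespace ignored) equals the key authorization."""
    return body.decode("ascii", "replace").rstrip() == key_authorization(token, jwk)


class ChallengeHandler(BaseHTTPRequestHandler):
    """Minimal responder; `provisioned` maps token -> key authorization."""
    provisioned: Dict[str, str] = {}

    def do_GET(self) -> None:
        status, body = challenge_response(self.path, self.provisioned)
        self.send_response(status)
        # RFC 8555 tells the CA to ignore the Content-Type; octet-stream is fine.
        self.send_header("Content-Type", "application/octet-stream")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)


if __name__ == "__main__":
    # Constructed placeholders: a real client would use its account key and
    # the token returned by the CA for this authorization.
    account_jwk = {"kty": "RSA", "e": "AQAB", "n": "constructed-modulus-not-a-real-key"}
    token = "DGyRejmCefe7v4NfDGDKfA"
    ChallengeHandler.provisioned = {token: key_authorization(token, account_jwk)}
    # The CA always connects to port 80, so this needs root or a port forward.
    HTTPServer(("0.0.0.0", 80), ChallengeHandler).serve_forever()
```

The only state the responder needs is the token-to-key-authorization map, which is why the standalone mode needs neither a mail server nor an existing web server: the process that holds the account key computes the body, any listener on port 80 serves it, and the private key for the certificate never has to leave the machine that will use it.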
> Stop talking about a browser solution; it's an email-based validation, it doesn't have anything to do with browsers.
You are mixing everything up. An in-browser solution has nothing to do with the validation mechanism. In an in-browser solution you can use HTTP verification as well. Or you can use mail verification in the LE client tool....
Both things are completely independent.
> Keys and tokens are a lot more secure.
If you have well-working brute-force protection and a password policy, the answer is simply no. Safety is equal.
> You don't have to repeat that link. As far as I can see, it's about client-side certificates, not server-side certificates.
No, it's about "How to generate a certificate in the browser". Maybe you can't use the code without any modifications, but if you are able to set up a project like LE, it shouldn't be a problem to adapt the solution. If you don't believe me that this is possible: request a free certificate from startssl.com. They use this....