SSLForFree w/ my CSR

Doing these steps:

  1. Generate my own Private Key, Public Key and CSR using cPanel
  2. Process the SSLForFree text files and the tests are ok
  3. Pass only my CSR to SSLForFree, retrieve the SSL Cert.
  4. Install the cert in cPanel.

I have not given SSLFF my Private or Public key.
I have not used SSLFF’s generated keys, only the SSL Cert.
Is this a secure way to use SSLFF?

My domain is:
LicenseManager.us
I ran this command:
n/a
It produced this output:
n/a
My web server is (include version):
Apache
The operating system my web server runs on is (include version):
Webhost
My hosting provider, if applicable, is:


I can login to a root shell on my machine (yes or no, or I don’t know):
I think so.
I’m using a control panel to manage my site (no, or provide the name and version of the control panel): cPanel w/o link to LetsEncrypt

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): not using Certbot

1 Like

No, you can’t. If you could, you wouldn’t need to (and shouldn’t be) messing around with sslforfree.com.

You know that they don’t have your private key, so what is your concern?

People have been telling me not to use SSLFF, as there’s a potentially dangerous ‘man-in-the-middle.’ In the past I used the Private Key they generated. I understand why that’s a mistake.

I am not in a position to automate this process yet, so I just want a definitive yes or no, is it save to use the process I described? That is, if all I give them is a CSR, and if all I take from them is the Certificate, is it safe? Have I avoided the man in the middle?

1 Like

Yes. A CSR does not contain secure information such as the private key. Only public stuff.

Yes, as long as you are the only person who handles the private key generated by your cPanel, you’re safe.

1 Like

They may not have the private key of the certificate but they may control the (temporary) ACME account they need to create, so they can generate new certificates up to 30 days. Web browser based ACME clients

2 Likes

@tdelmas Luckily every Let’s Encrypt certificate is embedded in multiple certificate transparency logs.

2 Likes

Tom,

Thanks for your response.

I have been at that link all day trying to generate a public key.

I don’t quite get it.

I see the command line syntax, but I don’t understand how to make it work.

Where do I run the ‘openssl’ command? Windows doesn’t know anything
about it. The ‘account.key’ portion of the command, is that a disk file
containing the downloaded private key?

Peter

1 Like

Ok!

I got openssl working.

Now to figure out the account key.

2 Likes

am at gethttpsforfree.com.

Step 3 is not working.

The instructions say to copy and paste the commend into your terminal.

Openssl is not happy with this, responding that PRIV_KEY is not a valid
command.

Have been reading other posts about this, and am making no progress.

I do not know how to proceed.
Please help.

1 Like

The instructions on gethttpsforfree are assuming that you’re running these commands in a terminal on a Unix system. The commands need to be modified for Windows.

For example, where it says $PRIV_KEY, this is a Unix shell notation that substitutes the value of a variable. It doesn’t work in the Windows command interpreter. Instead, you would need to substitute the value of the variable.

Apart from the limitations of the web-based client itself, I think you are probably not part of the intended audience for the service because the author of the site says that it’s meant to be used by people who are already familiar with using OpenSSL on the command line. The gethttpsforfree service is really not a convenient substitute for a paid certificate authority’s web-based interaction.

2 Likes

Seth,

Thanks for sharing your insight.

Since there is a Windows version of OpenSSL, there must exist
instructions for making it work.

I’ll see what I can find out.

Thanks again.

Peter

1 Like

Oh, I’m sure you can use SSLForFree with OpenSSL on Windows. It’s just that the SSLForFree instructions use notation like $PRIV_KEY — that’s not an OpenSSL issue, it’s a command-line environment issue. OpenSSL never sees the $PRIV_KEY on Unix because the shell substitutes the value before running OpenSSL at all. So what you need in order to adapt these instructions is less OpenSSL documentation and more knowledge of the environment for which the SSLForFree instructions were written.

1 Like

Seth,

If I use SSLFF, and simply give them the CSR, that’s sufficient for my
purposes.

I can transfer the test files, test them, then take the cert from them
and install it. That all works fine.

I was interested in OpenSSL, as someone pointed out that SSLFF could use
my CSR to make more keys, and somehow create mischief.

Is that last part a real concern?

Thanks for continuing the dialog, I sure appreciate it.

Peter

1 Like

A CSR can’t be used to make new keys, so I don’t think this is an issue. Even if SSLForFree could make new certificates that you didn’t intend, if it never had the private key that corresponds to those certificates, it couldn’t use those certificates in an attack.

1 Like

Thank you for taking the time to explain this.

I know I’ve read it all before, but somewhere along this thread,
somebody introduced a bad idea, and got me on the wrong track.

That’s now put to rest.

We can let this discussion end.

I’m satisfied.

Thank you very much.

Peter

1 Like

…but as @tdelmas notes above, they control the ACME account that was used to validate that domain. Having successfully validated that domain, that ACME account can issue other certs for that domain using self-generated private keys, and it could use those in an attack. But that risk isn’t unique to SSLForFree; if I’m understanding it correctly, it exists with any third-party client (and particularly with any of the web-based clients).

2 Likes

I’m sorry I think I disagree, if they don’t have the private key of their certificate but have generated a new valid certificate, they can do an active man in the middle. Of course, they still need to be in a “good” position in the network for that, and it will be detected with certificate transparency. So the risk is low (because if anyone claimed that a web browser based did do that they will loose their reputation).

Or am I missing something?

1 Like

I provided SSLFF only with the CSR.

I did not give them a private or public key.

I did not use any private key, public key, or bundle they may have
generated.

It would be best to use LE directly, but at this moment I am not set up
to use an automatic software-only interface.

Is there some safe way for me to use LE directly using keys I can
generate from cPanel, and Windows software?

My host (westhost.com) does not offer the LE interface in cPanel.

1 Like

Oh yeah, you’re still relying on them to have access to the account key and they can make certificates with a different CSR by reusing the validations. Thanks to you and @danb35 for this point.

@PeterPetropoulos, I wasn’t thinking all of the details through when I said that there was no additional risk in this case. I agree that the risk is pretty low.

2 Likes