Certificate Renew protocol


Kaiduan Xie

Feb 15, 2016, 10:00:52 AM
to Let's Encrypt Client Development, Let's Encrypt CA Development
Hi all,

What is the protocol/procedure used under the hood to renew a Letsencrypt certificate? I obtained a Letsencrypt certificate in Dec 2015 with my own client (not the Python client provided by Letsencrypt), and the certificate is going to expire soon.

Unfortunately the IETF draft https://tools.ietf.org/html/draft-barnes-acme-04 does not explain the renew procedure and protocol.

Now the following information is available after obtaining a Letsencrypt certificate.

1. Account RSA key pair
2. RSA key pair for Letsencrypt issued certificate
3. CSR for Letsencrypt issued certificate
4. Letsencrypt issued certificate
5. URL for Letsencrypt issued certificate
6. Domain name

Can someone elaborate on the renewal protocol in detail? How is the above information used to renew a certificate?

Thanks a lot for the help,

/Kaiduan

Daniel Roesler

Feb 15, 2016, 12:26:36 PM
to Kaiduan Xie, Let's Encrypt Client Development, Let's Encrypt CA Development
For acme-tiny, we just run the same procedure as getting a new
certificate. You can even use the same CSR as before.

POST /acme/new-authz (request new challenges for the domain)
POST /path/to/challenge (notify of challenges met)
GET /path/to/challenge (wait for the challenge to turn valid)
...repeat as needed for multiple domains

POST /acme/new-cert (get a signed cert)

Daniel

Kaiduan Xie

Feb 15, 2016, 12:35:59 PM
to Daniel Roesler, Let's Encrypt Client Development, Let's Encrypt CA Development
Thanks a lot Daniel for the detailed explanation.

One question: how do you get the replay-nonce for POST /acme/new-authz?

/Kaiduan

Daniel Roesler

Feb 15, 2016, 12:59:37 PM
to Kaiduan Xie, Let's Encrypt Client Development, Let's Encrypt CA Development
For the first nonce, we usually get it via GET /directory, which also
returns the urls that you need for the others (if you don't hardcode
them).
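A minimal walk-through of the procedure Daniel describes, as an added example and not acme-tiny's own code: an ACME v1-style (draft-04) renewal run against a constructed in-memory CA stand-in, showing the first Replay-Nonce coming from GET /directory, every later POST carrying the nonce from the previous response, and the CA rejecting a nonce that is presented twice. FakeCA, RenewClient, the "/path/to/challenge" placeholder, the keyAuthorization value and the signing callback are all assumptions; a real client signs the protected header and payload with the account key (RS256).

```python
import base64, json, secrets

def b64(data: bytes) -> str:
    # JWS base64url without padding (RFC 7515), as ACME requires
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

class FakeCA:
    """Constructed CA stand-in: fresh Replay-Nonce per response; reused or unknown nonce -> badNonce."""
    def __init__(self):
        self.issued, self.used = set(), set()
    def _reply(self, body):
        nonce = b64(secrets.token_bytes(16)); self.issued.add(nonce)
        return {"Replay-Nonce": nonce}, body
    def get(self, path):
        if path == "/directory":
            return self._reply({"new-authz": "/acme/new-authz", "new-cert": "/acme/new-cert"})
        return self._reply({"status": "valid"})  # challenge already validated in this stand-in
    def post(self, path, jws):
        p = jws["protected"]; nonce = json.loads(base64.urlsafe_b64decode(p + "=" * (-len(p) % 4)))["nonce"]
        if nonce not in self.issued or nonce in self.used:
            return self._reply({"type": "urn:acme:error:badNonce"})
        self.used.add(nonce)
        return self._reply({"status": "pending", "resource": path})

class RenewClient:
    def __init__(self, ca, sign):
        self.ca, self.sign, self.nonce = ca, sign, None
    def _get(self, path):
        hdrs, body = self.ca.get(path); self.nonce = hdrs["Replay-Nonce"]; return body
    def jws(self, payload):
        # protected header carries the nonce; the signature covers "<protected>.<payload>"
        protected = b64(json.dumps({"alg": "RS256", "nonce": self.nonce}).encode())
        pl = b64(json.dumps(payload).encode())
        return {"protected": protected, "payload": pl,
                "signature": b64(self.sign(f"{protected}.{pl}".encode()))}
    def _post(self, path, payload):
        hdrs, body = self.ca.post(path, self.jws(payload)); self.nonce = hdrs["Replay-Nonce"]; return body
    def renew(self, domain, csr_der):
        d = self._get("/directory")  # first nonce, plus the resource URLs
        self._post(d["new-authz"], {"resource": "new-authz", "identifier": {"type": "dns", "value": domain}})
        self._post("/path/to/challenge", {"resource": "challenge", "keyAuthorization": "<token>.<thumbprint>"})
        if self._get("/path/to/challenge")["status"] != "valid":  # real clients poll with a delay
            raise RuntimeError("challenge not valid")
        return self._post(d["new-cert"], {"resource": "new-cert", "csr": b64(csr_der)})

def run_demo():
    ca = FakeCA()
    c = RenewClient(ca, sign=lambda data: b"placeholder-signature")
    cert = c.renew("example.com", b"constructed CSR DER bytes")  # same CSR as at first issuance
    stale = c.jws({"resource": "new-authz"}); c._post("/acme/new-authz", {"resource": "new-authz"})
    replay = ca.post("/acme/new-authz", stale)[1]  # the already-consumed nonce is presented again
    return cert["resource"], len(ca.used), replay.get("type")
```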

Kaiduan Xie

Feb 15, 2016, 1:06:10 PM
to Daniel Roesler, Let's Encrypt Client Development, Let's Encrypt CA Development
Great!

Deeply appreciated Daniel.

/Kaiduan