Comment by general_failure

11 years ago

I don't get why they are releasing a command line, instead of just giving us a cert that we can install by ourselves.

Here's the current process:

Generate key, Generate CSR, Send CSR, Receive Certs from CA, Verify ownership, Install certs

Presumably their command line client creates the key, the CSR, sends the CSR, then gets back the certs (at least I'd hope so). I'd be happy to use a vetted command line utility which did that, or even just parts of that process, if I were sure the private key were not transmitted. It's just automating stuff which with current CAs needs to be done manually.

The tool will gather the domains, use the CA API to validate ownership, obtain the certs (which cannot be unilaterally created since they are based on a public/private key pair) and manage their expiry.

That's a bit more than "giving us a cert".

That wouldn't be safe, because then they would have access to your private key and impersonate you. Having you (indirectly via their script) generate the key and submit the public key for signing means your private key never leaves the premises.

  • There is no reason for the CA to ever see the private key. All they need is a CSR. This approach is fundamentally broken.

It's primarily because of the interactive challenge to prove that you control the domains you're requesting the cert for.

If you want, the client can just give you the cert at the end instead of installing it. In the common case for a user who's not currently comfortable with the process, the client is automating several things -- generating a private key and CSR, proving control of the domain, and installing the key and cert in the server.

  • It would be really helpful if your how it works page explained in detail how it works, in particular that all browsers are covered, that a key and CSR are generated, the certs received, and that the private key never leaves the server (I'm assuming that at present).

    My dream cli tool would just generate key, get certs, and dump them in the dir of my choice. The server config is nice to have but not really essential or the hard part.

    Really looking forward to seeing this happen, is there any beta program at present?
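
The key and CSR steps of the process discussed in this thread, as an added example that is not part of any comment and is not the project's client: it creates the key and CSR locally with `openssl` and checks that the file sent to the CA carries only the public key. The domain `example.com`, the file names and the function names are placeholders chosen for this sketch.

```shell
#!/bin/sh
# Added example; example.com and all file/function names are placeholders.

# Create the private key and the CSR locally. Only the .csr leaves the host.
make_key_and_csr() {   # $1 = output dir, $2 = domain
    (
        umask 077      # key file readable by its owner only
        openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
            -out "$1/$2.key" 2>/dev/null &&
        openssl req -new -key "$1/$2.key" -subj "/CN=$2" -out "$1/$2.csr"
    )
}

# True when the public key inside the CSR is the one derived from the private key.
csr_matches_key() {    # $1 = csr, $2 = key
    csr_pub=$(openssl req -in "$1" -noout -pubkey)
    key_pub=$(openssl pkey -in "$2" -pubout)
    [ -n "$csr_pub" ] && [ "$csr_pub" = "$key_pub" ]
}

# True when the file to be sent holds no private-key PEM block and its
# self-signature verifies (the requester holds the matching private key).
csr_is_public_only() { # $1 = csr
    if grep -q 'PRIVATE KEY' "$1"; then return 1; fi
    openssl req -in "$1" -noout -verify 2>&1 | grep -q 'verify OK'
}

demo() {
    dir=$(mktemp -d) || return 1
    make_key_and_csr "$dir" example.com &&
    csr_matches_key "$dir/example.com.csr" "$dir/example.com.key" &&
    csr_is_public_only "$dir/example.com.csr" &&
    echo "send to CA: example.com.csr  (keep local: example.com.key)"
    status=$?
    rm -rf "$dir"
    return $status
}

demo
```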