| author | Andrew Cady <d@jerkface.net> | 2016-01-26 14:12:13 -0500 |
|---|---|---|
| committer | Andrew Cady <d@jerkface.net> | 2016-01-26 14:22:16 -0500 |
| commit | 64e8a8ef7833fb7a9325372c09bcb9a682e1ed30 (patch) | |
| tree | 275bd316cf63d4406714b332234e7b27480b6342 /README.md | |
| parent | 7373a3ede2216048d2766f8f27e77d014b82dc43 (diff) | |
Pre-generate DH params
The program now outputs a combined PEM certificate.
A new option allows DH-param generation to be disabled.
Diffstat (limited to 'README.md')
-rw-r--r-- | README.md | 52 |
1 files changed, 32 insertions, 20 deletions
@@ -1,31 +1,35 @@ | |||
1 | # Let's Encrypt ACME protocol | 1 | # `acme-certify` -- A `Let's Encrypt!` ACME client |
2 | 2 | ||
3 | ``` | 3 | ``` |
4 | Let's Encrypt! ACME client | 4 | Let's Encrypt! ACME client |
5 | 5 | ||
6 | Usage: acme-certify --key FILE --domain DOMAIN --challenge-dir DIR | 6 | Usage: acme-certify --key FILE --domain DOMAIN --challenge-dir DIR |
7 | [--domain-dir DIR] [--email ADDRESS] [--terms URL] | 7 | [--domain-dir DIR] [--email ADDRESS] [--terms URL] |
8 | [--staging] | 8 | [--skip-dhparams] [--staging] [--skip-provision-check] |
9 | This program will generate a signed TLS certificate using the ACME protocol | 9 | This program will generate a signed TLS certificate using the ACME protocol |
10 | and the free Let's Encrypt! CA. | 10 | and the free Let's Encrypt! CA. |
11 | 11 | ||
12 | Available options: | 12 | Available options: |
13 | -h,--help Show this help text | 13 | -h,--help Show this help text |
14 | --key FILE filename of your private RSA key | 14 | --key FILE Filename of your private RSA key |
15 | --domain DOMAIN the domain name(s) to certify; specify more than once | 15 | --domain DOMAIN The domain name(s) to certify; specify more than once |
16 | for a multi-domain certificate | 16 | for a multi-domain certificate |
17 | --challenge-dir DIR output directory for ACME challenges | 17 | --challenge-dir DIR Output directory for ACME challenges |
18 | --domain-dir DIR directory in which to domain certificates and keys | 18 | --domain-dir DIR Directory in which to domain certificates and keys |
19 | are stored; the default is to use the (first) domain | 19 | are stored; the default is to use the (first) domain |
20 | name as a directory name | 20 | name as a directory name |
21 | --email ADDRESS an email address with which to register an account | 21 | --email ADDRESS An email address with which to register an account |
22 | --terms URL the terms param of the registration request | 22 | --terms URL The terms param of the registration request |
23 | --staging use staging servers instead of live servers | 23 | --skip-dhparams Don't generate DH params for combined cert |
24 | --staging Use staging servers instead of live servers | ||
24 | (generated certificates will not be trusted!) | 25 | (generated certificates will not be trusted!) |
26 | --skip-provision-check Don't test whether HTTP provisioning works before | ||
27 | making ACME requests; only useful for testing. | ||
25 | ``` | 28 | ``` |
26 | 29 | ||
27 | This program can be used to obtain a certificate from | 30 | This program can be used to obtain a certificate from the |
28 | [Let's Encrypt](https://letsencrypt.org/) using their ACME protocol. | 31 | [Let's Encrypt](https://letsencrypt.org/) certificate authority, using their |
32 | ACME protocol. | ||
29 | 33 | ||
30 | ## Rate Limits | 34 | ## Rate Limits |
31 | 35 | ||
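Review bot: the `--domain-dir` description drops its verb in both the old and new text ("Directory in which to domain certificates and keys are stored"); since this hunk already re-capitalizes every option description, it is the natural place to make it read "Directory in which domain certificates and keys are stored". The new `--skip-dhparams` line would also be clearer if it named the artifact it affects, e.g. "Don't generate DH params for `cert.combined.pem`", so readers can connect the flag to the combined file described further down the README.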
@@ -63,27 +67,35 @@ openssl genrsa 4096 > ${DOMAIN}/rsa.key | |||
63 | 67 | ||
64 | ## Receive certificate | 68 | ## Receive certificate |
65 | 69 | ||
66 | The signed certificate will be saved by this program in | 70 | The signed certificate will be saved by this program in `./${DOMAIN}/cert.pem`. |
67 | ``./${DOMAIN}/cert.der``. You can copy that file to the place your TLS | 71 | A combined certificate, containing the issuer certificate, the private key, and |
68 | server is configured to read it. | 72 | (possibly) DH parameters, will be saved in `./${DOMAIN}/cert.combined.pem`. You |
73 | can copy that file to the place your TLS server is configured to read it. | ||
69 | 74 | ||
70 | You can also view the certificate like so: | 75 | You can also view the certificate like so: |
71 | 76 | ||
72 | ``` | 77 | ``` |
73 | openssl x509 -inform der -in ${DOMAIN}/cert.der -noout -text | less | 78 | openssl x509 -in ${DOMAIN}/cert.pem -noout -text | less |
74 | ``` | 79 | ``` |
75 | 80 | ||
76 | ## Create a certificate for HAProxy | 81 | ## Create a certificate for HAProxy |
77 | 82 | ||
78 | Vo Minh Thu, the original author of this program, suggests to include explicit | 83 | Vo Minh Thu, the original author of this program, suggests to include explicit |
79 | DH key exchange parameters to prevent the [Logjam attack](https://weakdh.org/). | 84 | DH key exchange parameters to prevent the [Logjam attack](https://weakdh.org/). |
85 | This is now automatically performed by default. | ||
86 | |||
87 | Note: generating DH params is CPU-intensive and takes a long time. For that | ||
88 | reason, it is done once per domain, and the result is saved in | ||
89 | `${DOMAIN}/dhparams.pem`. | ||
90 | |||
91 | You can also disable DH generation it with `--skip-dhparams`. | ||
92 | |||
93 | The certificate is generated by this program equivalently to this: | ||
80 | 94 | ||
81 | ``` | 95 | ``` |
82 | > openssl x509 -inform der -in ${DOMAIN}/cert.der \ | 96 | openssl dhparam -out ${DOMAIN}/dhparams.pem 2048 |
83 | -out ${DOMAIN}/cert.pem | 97 | cat ${DOMAIN}/cert.pem \ |
84 | > openssl dhparam -out ${DOMAIN}/dhparams.pem 2048 | ||
85 | > cat ${DOMAIN}/cert.pem \ | ||
86 | lets-encrypt-x1-cross-signed.pem \ | 98 | lets-encrypt-x1-cross-signed.pem \ |
87 | ${DOMAIN}/rsa.key \ | 99 | ${DOMAIN}/rsa.key \ |
88 | ${DOMAIN}/dhparams.pem > aaa.reesd.com-combined.pem | 100 | ${DOMAIN}/dhparams.pem > ${DOMAIN}/cert.combined.pem |
89 | ``` | 101 | ``` |
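Review bot: the new "Receive certificate" paragraph tells the user to copy `cert.combined.pem` to wherever the TLS server reads it, but does not say that this file now contains the private key (`${DOMAIN}/rsa.key` is one of the `cat` inputs in the block at the end of this hunk), so it must be protected like the key itself; one sentence after "You can copy that file to the place your TLS server is configured to read it", such as "This file includes your private key; give it the same restrictive permissions as `rsa.key` (for example mode 0600)", would prevent an easy mistake. Two smaller points in the HAProxy section: "You can also disable DH generation it with `--skip-dhparams`" has a stray "it", and the equivalent-commands block reads `lets-encrypt-x1-cross-signed.pem` from the working directory without saying where that file comes from, while the paragraph above states the program already includes the issuer certificate in the combined output; a short note on whether the program supplies that chain file or the user is expected to provide it would remove the ambiguity.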