“Playtime is over, Star Fox!” Err, I mean... “StarCom!”

Star Fox on N64… those were the good ol’ days. Not only do we have to move on from those lengthy, joyful summer days playing Star Fox on N64, but also from our free SSL CA friends at StarCom.

StarCom was bought out by a Chinese CA (WoSign) and was caught backdating certificates and issuing certificates for domains that people didn’t own. StarCom certificates are no longer trusted in Firefox and Chrome. They are in the process of re-issuing new root certs, but for now stay far, far away from them…

StarCom is (well, was) the only competition to Let’s Encrypt in the free certificate space. It is far and away the cheapest direct provider of wildcard certificates (which are impossible to get for free), unless you move into reseller territory. And even their free certificates last four times as long, and don’t require the use of certbot.

Certainly, Let’s Encrypt works great for a lot of people’s needs. But for those it doesn’t (and there are more of them than you might think), this is seriously bad news.

A real bummer – I always liked StarCom because of their approach to charge for verification (with increasing costs for each higher trust level) but not for issuing certs (while still manually checking every cert request, at least for any OV&EV cert in my case).

I used StarCom’s certificates in my labs and even suggested them to a few customers in the past to get around those hefty price tags associated with SSL certificates.

Now that StarCom is SOL, my hand has been forced and I must renew my certificates before my browser starts to yell at me… Let’s Encrypt, let’s see what you got!

Stumbling around on the interwebs to make Let’s Encrypt work for me, I found this nifty GitHub repository, which its author titles: A .NET library and client for the ACME protocol (Let’s Encrypt CA). The handy QuickStart guide served me well, but I want to expand on some of the gotchas that I ran into:

  • The certificate is only valid for 90 days. You will have to generate a new certificate via the process below to have a valid certificate after the validity period expires.
  • The Root CA is DST Root CA X3
  • The Intermediate CA is Let’s Encrypt Authority X3
  • Signature Algorithm is SHA-256 with RSA Encryption
  • Key Size is 2048 bits
  • Valid CA in common web browsers such as Chrome, Firefox, IE, etc.
  • You can have up to 100 SANs
  • Let’s Encrypt Rate Limits

1. ACMESharp Installation

  • First, install the ACMESharp PowerShell module:


  • The workstation I was running on complained that the module would make a command named ‘Get-Certificate’ available even though one already existed. Since I am doing all this work on a throw-away VM, I chose to AllowClobber.


  • Then, per the QuickStart guide, I loaded the module:

2. Vault Initialization

  • Let’s Encrypt stores your certificates and related artifacts in what they call a Vault. To use Let’s Encrypt, you will have to start by initializing a Vault.
    • Note, if you run as Administrator, your Vault will be created in a system-wide path, otherwise it will be created in a private, user-specific location.

3. Register

  • Register yourself with the Let’s Encrypt CA:
    • Provide a method of contact, e.g. an email (note, LE does not support the tel: contact method)
    • Accept their Terms-of-Service (TOS).
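Steps 1 through 3 as one script. This is an added example, not the post’s own cmdlets or anything from the ACMESharp project; the contact address and the choice of practising against the staging endpoint first are assumptions. Staging keeps failed attempts away from the production rate limits listed above, at the price of certificates no browser trusts.

```powershell
# Added example, not code from the original post: steps 1 to 3 in one script.
# Assumptions: the contact address, and that you practise against staging first.

# Step 1: install and load the module. -AllowClobber lets ACMESharp's
# Get-Certificate shadow the built-in PKI cmdlet of the same name in this
# session, so only use it where nothing else relies on PKI\Get-Certificate.
Install-Module -Name ACMESharp -Scope CurrentUser -AllowClobber
Import-Module ACMESharp

# Step 2: initialize the vault. From an elevated prompt it lands in a
# system-wide path, otherwise in a per-user location. Starting against the
# staging endpoint keeps mistakes away from the production rate limits;
# staging certificates are not trusted by browsers.
$UseStaging = $true   # assumption: set to $false when ready for real certificates
if ($UseStaging) {
    Initialize-ACMEVault -BaseService LetsEncrypt-STAGING
} else {
    Initialize-ACMEVault -BaseService LetsEncrypt
}
# Check which CA endpoint the vault points at before registering anything.
Get-ACMEVault | Select-Object BaseService, BaseUri

# Step 3: register. The contact must be a mailto: URI (tel: is not accepted).
New-ACMERegistration -Contacts mailto:admin@example.com -AcceptTos
```

A vault is tied to one endpoint, so a staging vault and a production vault are separate initializations; re-running Initialize-ACMEVault over an existing vault fails unless it is forced.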

4. Set your Domain Identifier

  • Submit a DNS domain name that you want to secure with a PKI certificate.
  • If you want to create a SAN certificate, you will have to repeat this step and steps 5 and 6 for each “myserver.example.com” you want to include. I recommend creating all of your PowerShell cmdlets ahead of time to ease this tedious process.

5. Prove Domain Ownership – DNS Challenge

  • The QuickStart guide found on the ACMESharp GitHub includes 3 methods to prove domain ownership. In my case, the easiest way to prove I owned my domain was to complete what is referred to as a DNS Challenge.
  • If you want to handle the DNS Challenge manually, use the following cmdlet to print out the instructions that you need to follow on your DNS server/service of choice. Implement the steps described in the instructions before moving on to the next step.

6. Submit the Challenge Response to Prove Domain Ownership

  • Once you have handled the Challenge using one of the methods in Step #5, you need to let the LE server know so that it can perform a verification.
  • I chose to use the DNS Challenge method, so I used this cmdlet to submit my challenge:

7. Verify the Status of the Challenge

  • Once the Challenge response is submitted, the validation usually takes anywhere from seconds to minutes. I checked the validation status for my domain using the following command.

  • Until the Challenge has been verified, you should see a status of pending.
  • If the Challenge fails for any reason you will see a status of invalid. At this point, you cannot re-attempt the exact same Challenge without first submitting a new DNS Identifier (Step #4).
  • If the Challenge is successful, you will see a status of valid.


  • Once the Challenge has been successfully validated, you can check the overall status of the Domain Identifier, which should be valid as well.
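Steps 4 through 7 for every name that will end up on the certificate, which is the “prepare all your cmdlets ahead of time” advice from step 4 turned into a loop. This is an added example, not the post’s own cmdlets or ACMESharp project code; the host names, the alias naming scheme, the timeout and the polling helper are my assumptions, while the cmdlets and the pending/valid/invalid statuses are the ones described above. It also adds a local DNS lookup before submitting, because an invalid challenge cannot be retried without recreating the identifier.

```powershell
# Added example, not code from the original post: steps 4-7 for each name,
# using the manual dns-01 handler. Names, aliases and the polling helper are
# assumptions; the ACMESharp cmdlets are the ones described in the post.
$Names = @('www.example.com', 'mail.example.com')   # constructed sample input

function Wait-AcmeDnsChallenge {
    # Poll the dns-01 challenge until it leaves 'pending' or the timeout passes.
    param(
        [string]$IdentifierRef,
        [int]$TimeoutSeconds = 300
    )
    $deadline = (Get-Date).AddSeconds($TimeoutSeconds)
    do {
        Start-Sleep -Seconds 10
        $challenge = (Update-ACMEIdentifier $IdentifierRef -ChallengeType dns-01).Challenges |
            Where-Object { $_.Type -eq 'dns-01' }
        Write-Host ("{0}: dns-01 status is {1}" -f $IdentifierRef, $challenge.Status)
    } while ($challenge.Status -eq 'pending' -and (Get-Date) -lt $deadline)
    return $challenge.Status
}

$aliases = @()
foreach ($name in $Names) {
    $alias = 'dns-' + ($name -replace '[^a-z0-9]', '-')   # e.g. dns-www-example-com
    $aliases += $alias

    # Step 4: submit the DNS identifier.
    New-ACMEIdentifier -Dns $name -Alias $alias | Out-Null

    # Step 5: the manual handler prints the TXT record to publish.
    Complete-ACMEChallenge $alias -ChallengeType dns-01 -Handler manual
    $txtName = "_acme-challenge.$name"
    Read-Host "Publish the TXT record for $txtName shown above, then press Enter"

    # Sanity check before spending a validation attempt: the record must be
    # visible from here (propagation can lag behind the DNS provider's UI).
    if (-not (Resolve-DnsName -Name $txtName -Type TXT -ErrorAction SilentlyContinue)) {
        Write-Warning "$txtName is not resolvable yet; validation will probably fail."
    }

    # Step 6: ask the CA to validate.
    Submit-ACMEChallenge $alias -ChallengeType dns-01 | Out-Null

    # Step 7: poll until valid or invalid. An invalid challenge cannot be
    # retried; the identifier has to be recreated (step 4) after fixing DNS.
    $status = Wait-AcmeDnsChallenge -IdentifierRef $alias
    if ($status -ne 'valid') {
        throw "Challenge for $name ended in status '$status'; recreate the identifier and retry."
    }
    # The identifier as a whole should now report valid as well.
    (Update-ACMEIdentifier $alias).Status
}
$aliases   # the identifier references to hand to New-ACMECertificate in step 8
```

Running it against the staging endpoint first is the cheap way to find out that a DNS provider strips underscores or caches aggressively, without touching the production rate limits.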

8. Request and Retrieve the Certificate

  • After you have proved your ownership of the domain name you wish to secure, you can create a new PKI certificate request, and then submit it for issuance by the LE CA.

Subject Alternative Names (SAN)

If you want to generate a CSR that lists multiple names, you can use the Subject Alternative Names extension of the PKI certificate request to list additional names beyond the primary Subject Name. To do so, specify the -AlternativeIdentifierRefs option with a list of one or more additional Identifier references.
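Step 8 with a SAN list, as an added example (not the post’s own cmdlets or ACMESharp project code). The identifier aliases are whatever was given in step 4 and are assumed here, as are the certificate alias and the polling helper; the issued-certificate properties shown are the ones ACMESharp populates on its certificate object once the CA has signed.

```powershell
# Added example, not code from the original post: request one certificate whose
# Subject is the first identifier and whose SAN list carries the others.
# Assumptions: the aliases below match those given in step 4.
$PrimaryRef = 'dns-www-example-com'
$SanRefs    = @('dns-mail-example-com')
$CertAlias  = 'cert-example-2016'

# Generate a fresh 2048-bit RSA key and CSR inside the vault, then submit it.
New-ACMECertificate $PrimaryRef -Generate -Alias $CertAlias `
    -AlternativeIdentifierRefs $SanRefs | Out-Null
Submit-ACMECertificate $CertAlias | Out-Null

function Wait-AcmeCertificate {
    # Refresh the certificate record until the CA has issued it (Thumbprint set)
    # or the timeout passes.
    param(
        [string]$CertificateRef,
        [int]$TimeoutSeconds = 120
    )
    $deadline = (Get-Date).AddSeconds($TimeoutSeconds)
    do {
        Start-Sleep -Seconds 5
        $cert = Update-ACMECertificate $CertificateRef
    } while (-not $cert.Thumbprint -and (Get-Date) -lt $deadline)
    return $cert
}

$issued = Wait-AcmeCertificate -CertificateRef $CertAlias
if (-not $issued.Thumbprint) {
    throw "Certificate $CertAlias was not issued within the timeout; check the identifier statuses."
}
# Confirm the names that actually went onto the certificate before exporting.
$issued | Select-Object IdentifierDns, AlternativeIdentifierDns, SerialNumber, Thumbprint
```

Every alias passed through -AlternativeIdentifierRefs must have reached the valid status in step 7; a single pending or invalid identifier fails the whole request, not just that name.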

9. Export the Certificate

I personally ended up exporting all of the items below for my certificate to give myself as much flexibility as possible. You can export the certificate in a variety of ways, such as the following:

Export Private Key

You can export the private key in PEM format:

Export CSR

You can export the Certificate Signing Request (CSR) in PEM format:

Export Certificate Issued By LE

You can export your public certificate that was signed and issued by the Let’s Encrypt CA in PEM or DER format:

Export Issuer Certificate

You can export the public certificate of the issuer, that is, the CA’s signing intermediary certificate:

Export PKCS#12 (PFX) Archive

You can export the certificate and related assets as a PKCS#12 archive (.PFX, used by Windows and IIS):
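All of the step 9 exports for one certificate alias in a single script, followed by two checks worth running on the result: locking down the private key file, and reading the expiry date back out of the exported certificate so the 90-day renewal can be scheduled. This is an added example, not the post’s own cmdlets or ACMESharp project code; the alias, output directory and the way the PFX password is prompted for are assumptions.

```powershell
# Added example, not code from the original post: step 9 exports plus two
# post-export checks. Alias, paths and password handling are assumptions.
$CertAlias = 'cert-example-2016'
$OutDir    = 'C:\acme\export'
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

# Private key, CSR, issued certificate (PEM and DER) and issuer certificate.
Get-ACMECertificate $CertAlias -ExportKeyPEM "$OutDir\key.pem"
Get-ACMECertificate $CertAlias -ExportCsrPEM "$OutDir\csr.pem"
Get-ACMECertificate $CertAlias -ExportCertificatePEM "$OutDir\cert.pem" `
                               -ExportCertificateDER "$OutDir\cert.der"
Get-ACMECertificate $CertAlias -ExportIssuerPEM "$OutDir\issuer.pem" `
                               -ExportIssuerDER "$OutDir\issuer.der"

# PKCS#12 for Windows/IIS. Prompting keeps the password out of the script and
# the shell history.
$pfxPassword = Read-Host 'PFX password'
Get-ACMECertificate $CertAlias -ExportPkcs12 "$OutDir\cert.pfx" -CertificatePassword $pfxPassword

# Check 1: the PEM key is the sensitive artifact. Drop inherited ACLs and leave
# read access to the current user only before it is copied anywhere.
icacls "$OutDir\key.pem" /inheritance:r /grant:r "${env:USERNAME}:(R)" | Out-Null

# Check 2: read the expiry back from the exported certificate and report the
# days left, so the renewal (needed every 90 days) can be put on a calendar.
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 "$OutDir\cert.der"
$daysLeft = [int]($cert.NotAfter - (Get-Date)).TotalDays
$sans = $cert.Extensions |
    Where-Object { $_.Oid.FriendlyName -eq 'Subject Alternative Name' } |
    ForEach-Object { $_.Format($false) }
"{0} expires {1:u} ({2} days left); SANs: {3}" -f $cert.Subject, $cert.NotAfter, $daysLeft, $sans
if ($daysLeft -lt 30) {
    Write-Warning "Less than 30 days of validity left; start the renewal now."
}
```

Treat the key.pem and the .pfx the same way you would any other credential file: the .pfx carries the private key too, protected only by the password you typed.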

Final Thoughts

All in all, a fairly painless procedure to get yourself a free 90-day trusted SSL certificate for your labs and anything else you see fit, so long as you can live with renewing once every three months. Let’s Encrypt is still fairly new, and may have some exciting stuff for us in the near future as it relates to free SSL certificates. Until then, I’ll be harnessing the Powers of PowerShell.