Let’s Encrypt ACME with Alibaba Cloud API Gateway and CDN — Part 2

By John Hanley, Alibaba Cloud Tech Share Author. Tech Share is Alibaba Cloud’s incentive program to encourage the sharing of technical knowledge and best practices within the cloud community.

In this multipart article, we discuss SSL certificates in detail to remove any doubts on the topic. We will learn how to use the Let’s Encrypt ACME version 2 API from Python to develop software that can create, install, renew and revoke SSL certificates for Alibaba Cloud. Although we use Alibaba Cloud products for the tutorial, the same principles apply to any computing service that supports X.509 SSL certificates.

In Part 1, we discussed the concepts related to SSL Certificates and Let’s Encrypt in detail. In this part, we will explain how to create your Account Key, Certificate Key and Certificate Signing Request (CSR).

The following source code examples do not have error checking. These code snippets are designed to demonstrate how to interface with ACME. For more complete examples, review the source code in the examples package that you can download: ACME Examples in Python (Zip — 20 KB)

Account Key

The Account Key provides the identity of the account that is requesting certificate services. There is no login/password or similar method. It is therefore very important to save the Account Key pair in a safe location, as the Account Key is used to issue, renew and revoke SSL certificates. If you lose the Account Key, the certificates created under that account are in limbo: you will not be able to renew or revoke them. In that case you will need to create a new Account Key and issue new SSL certificates to replace the ones you lost control of. If a malicious third party obtained your Account Key, they could change the contact email address and revoke your certificates. They would not be able to issue new SSL certificates for your domains, as that would require HTTP or DNS validation of the domain names.

I could not find documentation on the size of the private key. I have been testing with a key size of 4096 bits and this works just fine.

There are numerous methods to create the Account Key. Let’s look at two methods: writing a Python program and using OpenSSL from the command line. Included are examples showing how to work with private keys.

The first example does not use the OpenSSL Python bindings; it uses the crypto libraries, which make creating a private key very simple. It is followed by an example that uses OpenSSL, which is more complicated but has more options.



OpenSSL Command Line Example:

OpenSSL command line options:

  1. genrsa — generate an RSA private key (PKCS#1 format)
  2. -out filename — output the key to the specified file
  3. 4096 — the size of the private key to generate in bits

View details and verify the new account key:

Extract the public key from the private key:

Certificate Key

The Certificate Key is a key pair used to sign CSRs (Certificate Signing Requests). It is not the Account Key, even though both are key pairs. For security reasons you do not want to use the Account Key to sign CSRs. Common practice is to create a new Certificate Key for each SSL Certificate.

We will repeat the above examples to create the Certificate Key. The difference is that the file is named after the domain that the certificate will be issued for. Change “domain.com” to your domain name.


OpenSSL Command Line Example:

OpenSSL command line options:

  1. genrsa — generate an RSA private key (PKCS#1 format)
  2. -out filename — output the key to the specified file
  3. 4096 — the size of the private key to generate in bits

CSR — Certificate Signing Request

A CSR is a file (message) sent to a CA (Certificate Authority — Let’s Encrypt) to apply for an SSL certificate. The CSR contains details about who is applying for the SSL certificate, such as company name, location, domain name, etc. Since Let’s Encrypt only issues DV (Domain Validated) SSL certificates, only the domain names are validated, and only the domain names, plus an optional email address for contact information, are included in the generated SSL certificate. Details such as company name, location, etc. are not included.

Generating a CSR is easy with OpenSSL. All that is required is the domain name and optionally an email address. In the following example, replace domainName with your domain name and emailAddress with your email address.

This example also removes all the subject fields that Let’s Encrypt does not process, such as C, ST, L, O and OU, and adds the subjectAltName extension that Chrome requires.
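As an added example that is not part of the article (the article's own Python and OpenSSL snippets are not reproduced here), the following POSIX shell script runs the procedure from the Account Key, Certificate Key and CSR sections end to end: it generates both keys with `openssl genrsa`, checks them, extracts the account public key, and builds a CSR whose subject carries only CN and emailAddress plus a subjectAltName. It assumes `openssl` is on PATH; `domain.com` and `admin@domain.com` are placeholder values.

```shell
#!/bin/sh
# Added example (not the article's own code): create the Account Key, the
# Certificate Key and the CSR with the OpenSSL command line, then verify them.
# Assumes openssl is on PATH; domain.com and admin@domain.com are placeholders.
set -e
DOMAIN="${DOMAIN:-domain.com}"
EMAIL="${EMAIL:-admin@domain.com}"
WORKDIR="$(mktemp -d)"
# Account Key: identifies the ACME account; back it up and never sign CSRs with it.
# (OpenSSL 3 writes PKCS#8 PEM by default; add -traditional for PKCS#1 output.)
openssl genrsa -out "$WORKDIR/account.key" 4096 2>/dev/null
# Certificate Key: a fresh key pair for this certificate, named after the domain.
openssl genrsa -out "$WORKDIR/$DOMAIN.key" 4096 2>/dev/null

# Return 0 only if the RSA private key passes OpenSSL's consistency check.
check_key() {
    openssl rsa -in "$1" -check -noout >/dev/null 2>&1
}
# Write the public half of a private key to a separate PEM file.
extract_pub() {
    openssl rsa -in "$1" -pubout -out "$2" 2>/dev/null
}
# Build a CSR with only CN (the domain), emailAddress and subjectAltName;
# C, ST, L, O and OU are left out because Let's Encrypt ignores them.
make_csr() {
    cat > "$WORKDIR/csr.cnf" <<EOF
[req]
prompt = no
distinguished_name = dn
req_extensions = san
[dn]
CN = $DOMAIN
emailAddress = $EMAIL
[san]
subjectAltName = DNS:$DOMAIN
EOF
    openssl req -new -sha256 -key "$WORKDIR/$DOMAIN.key" \
        -config "$WORKDIR/csr.cnf" -out "$WORKDIR/$DOMAIN.csr"
}
# Return 0 only if the CSR signature verifies and the domain appears as a SAN.
csr_ok() {
    openssl req -in "$1" -noout -verify >/dev/null 2>&1 &&
        openssl req -in "$1" -noout -text | grep -q "DNS:$DOMAIN"
}

check_key "$WORKDIR/account.key"
extract_pub "$WORKDIR/account.key" "$WORKDIR/account.pub"
make_csr
csr_ok "$WORKDIR/$DOMAIN.csr" && echo "keys and CSR written to $WORKDIR"
```

Inspect the result with `openssl req -in domain.com.csr -noout -text`: the Subject line should show only CN and emailAddress, and the extensions block should list the domain under Subject Alternative Name.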



In Part 3 we will begin going through each Let’s Encrypt ACME API using the account.key, certificate.key and certificate.csr files to generate and install SSL certificates for Alibaba Cloud API Gateway and CDN.
