10 Working with X.509 Certificates: Lifecycle and Self-Signing
This chapter covers
- Optimal way to do local development using a laptop scoped certificate authority
- Using the Automated Certificate Management Environment (ACME) protocol to create and renew X.509 digital certificates issued by Let’s Encrypt certificate authority
So far, in chapter 8, we have seen how X.509 certificates contain two types of data: a public key, and metadata about the key. We have examined important metadata fields: subject, issuer, validity, and constraints. You learned some of the rules for verifying a certificate by following the issuer chain and validating each certificate authority certificate in the chain all the way to a root certificate. You know that certificate authorities issue certificates, but not how the issuance process works?
In this chapter we refine our understanding of certificate authorities by learning the certificate lifecycle from issuance to expiry or revocation and usage of self-signed certificates. We will continue the exploration using the openssl CLI to build up our certificate authority. While developers do not need to create and manage their own certificate authorities, the key to developer certificate superpowers lies in understanding the complex ideas that we will explore in this chapter. So, grab another cup of coffee, and let’s dive in.