10 Working with X.509 Certificates: Lifecycle and Self-Signing

This chapter covers

  • The optimal way to do local development: a laptop-scoped certificate authority
  • Using the Automated Certificate Management Environment (ACME) protocol to create and renew X.509 digital certificates issued by the Let’s Encrypt certificate authority

So far, in chapter 8, we have seen that an X.509 certificate contains two types of data: a public key, and metadata about that key. We examined the important metadata fields: subject, issuer, validity, and constraints. You learned some of the rules for verifying a certificate by following the issuer chain and validating each certificate authority certificate in the chain all the way up to a root certificate. You know that certificate authorities issue certificates, but not yet how the issuance process works.

In this chapter we refine our understanding of certificate authorities by following the certificate lifecycle from issuance to expiry or revocation, and by looking at how self-signed certificates are used. We will continue the exploration with the openssl CLI, using it to build up our own certificate authority. While developers do not need to create and manage their own certificate authorities, the key to developer certificate superpowers lies in understanding the complex ideas that we will explore in this chapter. So, grab another cup of coffee, and let’s dive in.

10.1 Certificate Lifecycle: Issuance to revocation

10.1.1 Creating a keypair

10.1.2 Creating a Certificate Signing Request (CSR)

10.1.3 CSR Validation

10.1.4 Certificate Issuance

10.1.5 Certificate Revocation

10.2 Private Certificate Authority for Local Development

10.2.1 Create a Self-Signed Root Certificate

10.2.2 Install the Certificate Authority into the Operating System Trust Store

10.2.3 Issue a certificate using the personal certificate authority

10.3 Summary