chapter nine

9 Working with X.509 certificates: Life cycle and self-signing

This chapter covers

  • Doing local development using a laptop-scoped certificate authority
  • Creating X.509 digital certificates with the Automated Certificate Management Environment (ACME) protocol
  • Renewing X.509 digital certificates using ACME

In chapter 8, we looked at what’s inside an X.509 certificate. Essentially, it has two things: a public key and a bunch of extra info about that key. We poked around in some of the most important bits, such as who the certificate belongs to (the subject), who gave it out (the issuer), how long it’s good for, and a few rules and restrictions.

We also learned how to check whether a certificate is legitimate: follow the trail of who issued it step by step all the way up to a trusted root certificate. The process is like checking whether someone’s ID was signed by someone you trust.

9.1 Certificate life cycle: Issuance to revocation

9.1.1 Creating a key pair

9.1.2 Creating a CSR

9.1.3 CSR validation

9.1.4 Certificate issuance

9.1.5 Certificate revocation

9.1.6 Exercises

9.2 Private CA for local development

9.2.1 Creating a self-signed root certificate

9.2.2 Installing the CA in the operating system’s trust store

9.2.3 Issuing a certificate using the personal CA

9.2.4 Exercises

9.3 Exercise answers

Summary