chapter nine

9 Working with X.509 Certificates: Lifecycle and Self-Signing


This chapter covers

  • The optimal way to do local development using a laptop-scoped certificate authority
  • Creating X.509 digital certificates with the Automated Certificate Management Environment (ACME) protocol
  • Renewing X.509 digital certificates using ACME

In chapter 8, we looked at what’s inside an X.509 certificate. Basically, it’s got two things: a public key, and a bunch of extra info about that key. We poked around some of the more important bits, like who the certificate belongs to (the subject), who issued it (the issuer), how long it’s valid for, and a few rules and restrictions on how it may be used.

You’ve also learned how to check whether a certificate is legitimate: you follow the chain of issuers, step by step, all the way up to a trusted root certificate. It’s a bit like checking whether someone’s ID was signed by someone you actually trust.

9.1 Certificate Lifecycle: Issuance to Revocation

9.1.1 Creating a keypair

9.1.2 Creating a Certificate Signing Request (CSR)

9.1.3 CSR Validation

9.1.4 Certificate Issuance

9.1.5 Certificate Revocation

9.1.6 Exercises

9.2 Private Certificate Authority for Local Development

9.2.1 Create a Self-Signed Root Certificate

9.2.2 Install the Certificate Authority into the Operating System Trust Store

9.2.3 Issue a Certificate Using the Personal Certificate Authority

9.2.4 Exercises

9.3 Answers to exercises

9.4 Summary