
Security through SSL certificates with Let's Encrypt

Once an SSL certificate has been issued for your domain, your website can be reached over an encrypted connection under "https://". This becomes necessary for every website operator - small business owners, medium-sized enterprises, self-employed persons, private individuals, institutions etc. - as soon as you

  • operate an online shop and accept online orders.

  • want to transfer form data.

  • want to manage or transfer sensitive data such as addresses, names, bank details etc.

In any case, you gain more together with IT-LINUXMAKER and Let's Encrypt:

  • Authentication security:
    SSL makes it clear who is on the other end of the connection. This gives you a significant security advantage.

  • Security through encryption:
    Your data is encrypted, i.e. exchanged as unreadable character sequences, between browser and web server.

  • Trust:
    An SSL certificate ensures that the browser classifies your website as secure and displays it as such. This earns you trust with your users.

  • SEO optimization:
    Data encryption is a relevant ranking factor for search engines. With an SSL certificate, search engines list your website higher up.

Let's Encrypt is a certification authority that offers free X.509 certificates for Transport Layer Security (TLS). An automated process replaces the previously common complex manual processes involved in creating, validating, signing, setting up and renewing certificates for encrypted websites.

The aim of the project is to make encrypted connections on the Internet the rule. By eliminating the need for payment, manual web server configuration, validation emails and worrying about expired certificates, among other things, the effort for setting up and maintaining TLS encryption is reduced significantly. On a Linux web server, just two commands should suffice to set up HTTPS encryption and to request and install certificates within 20 to 30 seconds.

Let's Encrypt has an RSA root certificate that is kept in a hardware security module and is not used directly. It is expected to be supplemented by an ECDSA root certificate in the third quarter of 2019. The root signs several intermediate certificates, which are cross-signed by the certification authority IdenTrust. One of them is used to sign the issued certificates, the other serves as a replacement in case of problems with the first. Thanks to the IdenTrust signature, the issued certificates can be verified in common web browsers via the pre-installed root certification authorities, so Let's Encrypt certificates are usually accepted on the client side from the start. Since the end of July 2018, Let's Encrypt's root certificate has been included in all major root programs.

Let's Encrypt uses the challenge-response process of the Automatic Certificate Management Environment (ACME) to automate certification. Various requests are made either to subpages on the web server or directly to the domain to be certified. In both cases, a token previously created by Let's Encrypt is either stored publicly on a special subpage of the web server or as a TXT resource record in the DNS of the domain concerned, and is then queried by Let's Encrypt's servers. The correct response with the token proves that the applicant controls the web server or the name server and thus the associated domain (domain validation).

These queries must be answered correctly on the server system. The protocol offers several options for this. In one of them, the ACME client software sets up a specially configured TLS server that answers special requests from the certification authority using Server Name Indication (domain validation using Server Name Indication, DVSNI). This procedure is, however, only accepted for the first certificate issued for a domain (so-called "trust on first use", TOFU). After that, the alternative validation via an existing certificate is used. If control of an already issued certificate is lost, a certificate must be purchased from a third party in order to receive a Let's Encrypt certificate again.
The validation procedures are carried out several times over different network paths. To make DNS spoofing more difficult, DNS entries are checked from several geographically distributed vantage points.
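As an added illustration (not code from IT-LINUXMAKER or Let's Encrypt), the following Python reproduces the check a validator performs for the two challenge types just described: the key authorization that must appear on the special subpage (HTTP-01) and the digest that must appear in the DNS TXT record (DNS-01). The account key and token are constructed placeholders, not real values.

```python
import base64
import hashlib
import json

# Path under which an HTTP-01 token is published on the web server.
ACME_HTTP01_PREFIX = "/.well-known/acme-challenge/"


def b64url(data: bytes) -> str:
    """Base64url without '=' padding, as ACME and JOSE require."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint of the ACME account key: SHA-256 over the required
    public members only, lexically sorted, serialised without whitespace."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required}, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("ascii")).digest())


def key_authorization(token: str, jwk: dict) -> str:
    """Value proving the requester holds the account key: token '.' thumbprint."""
    return f"{token}.{jwk_thumbprint(jwk)}"


def http01_valid(token: str, jwk: dict, served_body: str) -> bool:
    """HTTP-01: the body served under the challenge path must equal the key
    authorization; the validator may ignore trailing whitespace only (RFC 8555)."""
    return served_body.rstrip() == key_authorization(token, jwk)


def dns01_record_value(token: str, jwk: dict) -> str:
    """DNS-01: the TXT record at _acme-challenge.<domain> carries the base64url
    SHA-256 digest of the key authorization, never the key authorization itself."""
    return b64url(hashlib.sha256(key_authorization(token, jwk).encode("ascii")).digest())


def dns01_valid(token: str, jwk: dict, txt_records: list) -> bool:
    """Several TXT records may coexist (e.g. during a wildcard order); one match suffices."""
    return dns01_record_value(token, jwk) in txt_records


# Constructed sample data: NOT a real account key and NOT a real challenge token.
SAMPLE_JWK = {"kty": "RSA", "e": "AQAB", "n": "sample-modulus-not-a-real-key"}
SAMPLE_TOKEN = "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA"

if __name__ == "__main__":
    print("serve at", ACME_HTTP01_PREFIX + SAMPLE_TOKEN, "->", key_authorization(SAMPLE_TOKEN, SAMPLE_JWK))
    print("or publish TXT _acme-challenge.<domain> ->", dns01_record_value(SAMPLE_TOKEN, SAMPLE_JWK))
```

A renewal that suddenly fails is usually one of these two values being served incorrectly; comparing what your server actually returns against these functions localises the fault before the rate limits do.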

Technical details

IT-LINUXMAKER generally uses the technology provided by Let's Encrypt for the TLS certificates of all its mail servers and for the SSL configuration of its web servers. In principle, the commands provided specifically for the Apache server are sufficient to generate the SSL certificates for the desired domains almost automatically. Multiple hosts or subdomains can also be added to one certificate. Correctly configured system tools under Linux then ensure that the SSL certificates are renewed automatically in time, since a certificate issued by Let's Encrypt is valid for 90 days.

IT service and IT consulting

The digitization of business life, essential production processes and private life is in full swing. At the same time, threats from server failures, viruses and cybercrime are increasing. The whole thing is reinforced by neglecting IT security both in the private sphere and in the business world. Protective mechanisms that are really necessary are usually only considered when the damage has already occurred and the restoration of the IT infrastructure has caused enormous costs.
Linux offers you a secure basis for your IT infrastructure right from the start. On the one hand, because it has always been conceived as an operating system geared towards network operation. On the other hand, because the free availability of the source code makes it almost impossible for defective or misused functions to remain hidden. In addition, "Open Source" has always meant permanent improvement by innovative specialists from all over the world. Meanwhile, more and more users trust Linux, which among other things provides the kernel for the numerous Android installations, including companies and institutions such as Siemens, BMW, Lufthansa, Deutsche Post AG, Greenpeace and state institutions including the Federal Commissioner for Data Protection.
You are a company, a medium-sized company, a craft company, a sole trader with the appropriate IT infrastructure and you want to fully satisfy your customers with your products. Or you are a private individual with corresponding support requests. Your IT infrastructure should work reliably around the clock. As an expert in this field, IT-LINUXMAKER can protect your information effectively and quickly. With the services of IT-LINUXMAKER you secure your competitive advantage through the stability of your IT infrastructure and your data.

The support contracts from IT-LINUXMAKER are the ideal plus for your IT or development department. IT-LINUXMAKER supports you in all situations related to Linux with administration, monitoring, configuration, troubleshooting and script programming. Where your IT infrastructure is located, how large it is or how many users work in it does not matter for IT-LINUXMAKER.

Checklists - safe digital work

Since the beginning of the corona pandemic, many companies have also been organizing their work via home office regulations. The tips from IT-LINUXMAKER in a practical checklist format show what needs to be considered.

You can find all checklists for safe digital work here:

Secure passwords with the password card

Generate secure passwords of any length with the password card. You can check it out here.


Fee

Our fees depend on the service/product and the scope. Therefore, we can only state our fees in an offer if we already know your request.
