In this multi-part article, you'll learn how to use the Let's Encrypt ACME version 2 API with **Python** for **SSL certificates**.
The account key identifies the account requesting certificate service; no login/password mechanism is used. It is very important to keep your account key pair in a safe place, because the account key is used to issue, renew, and revoke your SSL certificates. If you lose your account key, the certificates created under that account are put on hold: they cannot be renewed or revoked. In this case, you need to create a new account key and issue a new SSL certificate to replace the lost one. If a malicious third party gains access to your account key, they can change your contact email address and revoke your certificate. They cannot issue a new SSL certificate for your domain, because issuance requires HTTP or DNS validation of your domain name.
I could not find any documentation on the size of the private key. I'm testing with a 4096-bit key size and this works fine.
There are many ways to create an account key. Let's look at two of them: writing a Python program, and using OpenSSL from the command line. An example of how to use the resulting private key is included.

The first example does not use the pyOpenSSL library; it uses the Crypto package (PyCrypto/PyCryptodome), which makes creating a private key very easy. The second example uses pyOpenSSL, which is more verbose but offers more options.
```python
""" Let's Encrypt ACME Version 2 Examples - Create Account Key """
from Crypto.PublicKey import RSA

filename = 'account.key'

# Generate a 4096-bit RSA key pair for the ACME account
key = RSA.generate(4096)

# exportKey() returns the private key in PEM format as bytes
with open(filename, 'w') as f:
    f.write(key.exportKey().decode('utf-8'))
```

```python
""" Let's Encrypt ACME Version 2 Examples - Create Account Key (pyOpenSSL) """
from OpenSSL import crypto

filename = 'account.key'

# Generate a 4096-bit RSA key pair for the ACME account
key = crypto.PKey()
key.generate_key(crypto.TYPE_RSA, 4096)

# Serialize the private key in PEM format (bytes) and write it as text
key_material = crypto.dump_privatekey(crypto.FILETYPE_PEM, key)
val = key_material.decode('utf-8')
with open(filename, "wt") as f:
    f.write(val)
```
OpenSSL command line example
```shell
openssl genrsa -out account.key 4096
```
OpenSSL command line options
1. genrsa - Generate an RSA private key (PKCS#1 format).
2. -out filename - Write the key to the specified file.
3. 4096 - The size of the generated private key, in bits.

View the details of your new account key and confirm that it is valid:

```shell
openssl rsa -in account.key -text -check -noout
```
Extract the public key from the private key.
```shell
openssl rsa -pubout -in account.key -out account.pub
```

A certificate key is a key pair used to sign a CSR (Certificate Signing Request). It is not the account key, even though both are key pairs. For security reasons, you should avoid using your account key to sign the CSR. In general, it is common to create a new certificate key for each SSL certificate.

Repeat the above example to create a certificate key. The difference is that the file name is the domain name for which the certificate is issued. Change "example.com" to your domain name.
```python
""" Let's Encrypt ACME Version 2 Examples - Create Certificate Key """
from Crypto.PublicKey import RSA

# The key file is named after the domain the certificate is issued for
domainname = "example.com"
filename = domainname + '.key'

# Generate a 4096-bit RSA key pair, separate from the account key
key = RSA.generate(4096)

# exportKey() returns the private key in PEM format as bytes
with open(filename, 'w') as f:
    f.write(key.exportKey().decode('utf-8'))
```
OpenSSL command line example.
```shell
openssl genrsa -out example.com.key 4096
```

OpenSSL command line options.

1. genrsa - Generate an RSA private key (PKCS#1 format).
2. -out filename - Write the key to the specified file.
3. 4096 - The size of the generated private key, in bits.
A CSR is a file (message) sent to a CA (Certificate Authority, here Let's Encrypt) to apply for an SSL certificate. A CSR can contain details such as the company name, location, and domain name of the applicant. Since Let's Encrypt issues only DV (Domain Validated) SSL certificates, only the domain name is verified, so the generated SSL certificate describes only the domain name and, optionally, a contact email address. Details such as company name and location are not included.

Creating a CSR is easy with OpenSSL. All you need is a domain name and, optionally, an email address. In the following example, replace domainName with your domain name and emailAddress with your email address.

This example omits all subject fields such as C, ST, L, O, and OU, which Let's Encrypt does not handle, and adds the subjectAltName extension that Chrome requires.
```python
""" Let's Encrypt ACME Version 2 Examples - Create CSR (Certificate Signing Request) """
import OpenSSL

KEY_FILE = "certificate.key"
CSR_FILE = "certificate.csr"

domainName = 'api.neoprime.xyz'
emailAddress = '[email protected]'


def create_csr(pkey, domain_name, email_address):
    """ Generate a certificate signing request """
    # create certificate request
    cert = OpenSSL.crypto.X509Req()
    # Add the email address
    cert.get_subject().emailAddress = email_address
    # Add the domain name
    cert.get_subject().CN = domain_name
    # subjectAltName must carry the domain as well (required by Chrome)
    san_list = ["DNS:" + domain_name]
    cert.add_extensions([
        OpenSSL.crypto.X509Extension(
            b"subjectAltName",
            False,
            ", ".join(san_list).encode("utf-8"))
    ])
    # Bind the certificate key's public half and sign the request with its private half
    cert.set_pubkey(pkey)
    cert.sign(pkey, 'sha256')
    return cert


# Load the certificate key (not the account key) from the certificate.key file
with open(KEY_FILE, 'rt') as f:
    data = f.read()
pkey = OpenSSL.crypto.load_privatekey(OpenSSL.crypto.FILETYPE_PEM, data)

# Create the CSR
cert = create_csr(pkey, domainName, emailAddress)

# Write the CSR to a file in PEM format
with open(CSR_FILE, 'wt') as f:
    data = OpenSSL.crypto.dump_certificate_request(OpenSSL.crypto.FILETYPE_PEM, cert)
    f.write(data.decode('utf-8'))
```
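As an added example (not code from the original article), the same CN-plus-subjectAltName CSR built with the openssl command line, followed by the checks worth running before submitting it: the signature verifies, the SAN carries the domain, and the request is signed with the certificate key rather than the account key, as warned above. It assumes the openssl binary is on PATH; example.com is a placeholder domain, and the 2048-bit size is only to keep the demo fast.

```shell
#!/bin/sh
# Added example, not from the original article. Builds a CSR with the openssl CLI
# (equivalent of the pyOpenSSL create_csr above) and checks it before submission.
# Assumes the openssl binary is on PATH; example.com is a placeholder domain.
set -eu

DOMAIN="${DOMAIN:-example.com}"
WORKDIR="$(mktemp -d)"
trap 'rm -rf "$WORKDIR"' EXIT

# Two separate key pairs: one identifies the ACME account, one belongs to the certificate.
openssl genrsa -out "$WORKDIR/account.key" 2048 2>/dev/null
openssl genrsa -out "$WORKDIR/certificate.key" 2048 2>/dev/null

# Request config with only CN plus subjectAltName; no C/ST/L/O/OU fields.
cat > "$WORKDIR/csr.cnf" <<EOF
[req]
prompt = no
distinguished_name = dn
req_extensions = ext
[dn]
CN = $DOMAIN
[ext]
subjectAltName = DNS:$DOMAIN
EOF

# Correct CSR, signed with the certificate key.
openssl req -new -sha256 -config "$WORKDIR/csr.cnf" \
    -key "$WORKDIR/certificate.key" -out "$WORKDIR/certificate.csr"
# Mistaken CSR, signed with the account key (what the article warns against).
openssl req -new -sha256 -config "$WORKDIR/csr.cnf" \
    -key "$WORKDIR/account.key" -out "$WORKDIR/wrong.csr"

# check_csr CSR DOMAIN CERT_KEY ACCOUNT_KEY -> exit 0 only if the CSR's signature
# verifies, its SAN names DOMAIN, and its public key is CERT_KEY's, not ACCOUNT_KEY's.
check_csr() {
    openssl req -in "$1" -noout -verify >/dev/null 2>&1 || return 1
    openssl req -in "$1" -noout -text | grep -qF "DNS:$2" || return 1
    csr_pub="$(openssl req -in "$1" -noout -pubkey)"
    [ "$csr_pub" = "$(openssl pkey -in "$3" -pubout)" ] || return 1
    [ "$csr_pub" != "$(openssl pkey -in "$4" -pubout)" ] || return 1
}

if check_csr "$WORKDIR/certificate.csr" "$DOMAIN" "$WORKDIR/certificate.key" "$WORKDIR/account.key"; then
    echo "certificate.csr: OK, safe to submit"
fi
if ! check_csr "$WORKDIR/wrong.csr" "$DOMAIN" "$WORKDIR/certificate.key" "$WORKDIR/account.key"; then
    echo "wrong.csr: rejected (signed with the account key)"
fi
```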
In [Part 3](https://www.alibabacloud.com/blog/let%27s-encrypt-acme-with-alibaba-cloud-api-gateway-and-cdn-%E2%80%93-part-3_593783?spm=a2c65.11461418.104.22.168065dd78S1HZO), we use the account.key, certificate.key, and certificate.csr files to generate an SSL certificate with Let's Encrypt and install it on Alibaba Cloud API Gateway and CDN. That part also describes each item of the ACME API.