←back to thread

489 points gslin | 1 comments | | HN request time: 0.283s | source
Show context
selectnull ◴[] No.42191822[source]
What I'm most thankful is the ACME protocol.

Does anyone remember how we renewed certificates before LE? Yeah, private keys were being sent via email as zip attachments. That was a security charade. And as far as I know, it was a norm among CAs (I remember working with several).

Thank you Let's Encrypt.

replies(6): >>42191895 #>>42191915 #>>42191936 #>>42192138 #>>42192258 #>>42194019 #
chrismorgan ◴[] No.42191915[source]
What of Certificate Signing Requests? The whole purpose was that you wouldn’t send private keys around.

(I was only slightly involved with a couple of TLS certificates before then, and certainly they enforced the CSR approach, but maybe such terrible practice was more common in the real world that I knew.)

replies(1): >>42191979 #
1. selectnull ◴[] No.42191979[source]
My memory of the whole process is kinda fuzzy, you're probably right about CSRs. Hopefully the private keys were not sent around via unencrypted email.

But the point still stands: the whole process was a nightmare, no automation, error prone, renewal easily forgetable...

The large companies could have had a staff to manage all that. I was just a solo developer managing my own projects, and it was a hassle.