Let's Encrypt

Let’s Encrypt is a certificate authority that is public, free, API-driven, and trusted by browsers/clients. Integrating a Let's Encrypt certificate with SMA enhances security and eases the deployment process. Let's Encrypt certificates are valid for 90 days and are renewed automatically after 60 days.

Let's Encrypt certificates can be configured for standalone and CMS/GTO deployments where CMS manages the Let’s Encrypt certificate(s) for the cluster.

Prerequisites:

• The appliance must be able to access the Let's Encrypt signing CA over the internet.
• Let's Encrypt signing CA must be able to resolve all the Subject Alternative Name (SAN) names included in the certificate in public DNS.
• All the SAN names must resolve to the public IP address of the standalone appliance.
• The Let's Encrypt signing CA must be able to access port 443 on the public interface (or via NAT, as long as the name resolves).

Creating a Let's Encrypt certificate

To create a Let's Encrypt certificate in AMC

1. Log in to AMC.
2. Navigate to System Configuration > SSL Settings.

3. Click Edit under the SSL Certificates group.

   

4. To create a certificate, click + icon and select Create Let's Encrypt certificate option.

   

5. In the Fully qualified domain name field, enter the complete domain name. The FQDN entered here appears in the certificate and visible to users. You must also add FQDN to your DNS.

   Wildcard characters are not supported in the FQDN field.

6. In the Alternatives names field, enter any other name for FQDN. The alternative name entered here appears in the certificate using the Subject Alternative Name (SAN) certificate extension.

   Let's Encrypt supports up to 100 SANs per certificate.

7. In the Key type drop-down field, select the key type based on your requirement. The supported key types are RSA and EC.
8. In the Key size drop-down field, select the key size based on your requirement. The supported key sizes are 2048, 3072, and 4096 bits.
9. In the Signature drop-down field, select the secure hash algorithm based on your requirement. The supported signatures are SHA 512, SHA-384, and SHA-256.
10. Select Make this the default certificate check box. Selecting this check box replaces the default certificate for end user connections and moves the certificate to first in the list.

11. In order to use the Let's Encrypt free certificate authority service, you must agree to their terms of service. Select I agree to the Let's Encrypt terms of service check box.

    

12. Click Create.

    The Let's Encrypt certificate is created and you can view them under System Configuration > SSL Settings.

    

13. Click Apply Pending Changes.

Once you completed creating a Let's Encrpyt certificate, browse to the host name and ensure that the certificate is valid and verified.

Click More information to view the validity period and other details.

Renewing the certificate

Let's Encrypt certificates are valid for 90 days and are renewed automatically after 60 days. You can also renew it manually based on your requirements.

If your list of FQDNs changes, then you need to create a new Let's Encrypt certificate rather than renewing the certificate.

To renew the certificate manually

1. Log in to AMC.
2. Navigate to System Configuration > SSL Settings.

3. Click Edit under the SSL Certificates group.

   

4. In the General tab, select the certificate you want to renew and click .

   A success message is displayed and the certificate is renewed for the next 90 days. You can view the certificate validity updated under Valid Through field.

   

Viewing the Logs

The SMA appliance records system and user events in a series of log files. The creation of a Let's Encrypt certificate and the changes made on the certificate are captured in the Logs.

To view the logs

1. Log in to AMC.

2. Navigate to Monitoring > Logging.

   All the events on Let's Encrypt certificate are displayed under the Management audit log file.