Let’s Encrypt is a project of the Internet Security Research Group (ISRG), a California public benefit corporation. The CA entered public beta on December 3, 2015, allowing anyone to request a certificate. Unlike traditional CAs, certificates from Let’s Encrypt are obtained through an open API.
Executive Director Josh Aas explained that he was “feeling down about TLS adoption in 2012 when I ran the network group at Mozilla. People have a hard time getting and managing certificates,” he said, “we decided we needed to make this much easier.” ISRG was incorporated in May 2013 and work progressed quietly until the company’s public announcement in November 2014. Prior to the recent public beta launch, Let’s Encrypt issued over 18,000 certificates in private beta.
According to Aas, the new CA’s focus is “ease of use and automation.” He explained that providing certificates for free is intended to help promote TLS adoption, but it is also important for achieving automation. The absence of a billing transaction makes the process easier. Instead of charging for certificates, the organization is funded by corporate sponsorship and donations from individuals.
Traditional CAs usually issue certificates valid for one or two years, but Let’s Encrypt issues much shorter 90 day certificates. Aas explained that since certificates are free and issuance is automated, in the future servers will request new certificates about every 60 days without administrator intervention.
Clients wishing to obtain certificates from Let’s Encrypt use the Automatic Certificate Management Environment (ACME) protocol. The protocol allows multiple validation options, including file-based proof of ownership for web servers. Free software provides administrators with various levels of automation. For example, users of the Apache web server can have the software automatically obtain and install the certificate. Administrators who want more control can have the software obtain a certificate and then install it manually.
I tested Let’s Encrypt on a Debian Linux system running an Apache web server and quickly obtained certificates for two different domains running on the same IP using SNI. Other than one error that was resolved by re-running the software, it worked as advertised. Domain validation, key and certificate request generation, certificate download, and installation was completely automatic. With the help of additional command-line options, I was able to create a simple script to run from cron. However, error handling and automatic retries are required for widespread production use. For example, if the script was scheduled to run every 60 days, and the process failed, my certificates would silently expire 30 days later.
The Let’s Encrypt team are working to improve their free client software. According to Aas, their goal is to provide free software that automatically updates certificates before the end of the public beta period.
Perhaps even more exciting is the opportunity for developers to incorporate ACME protocol capability directly into their products. Web servers could include the functionality to obtain a certificate from Let’s Encrypt. It is also only a matter of time until the various Linux distributions offer a package to automatically obtain certificates from this new CA.
One might expect that existing for-profit CAs would see Let’s Encrypt as a serious threat, but Aas said, “we have not seen a bad reaction. Other CAs see it as inevitable.” He also pointed out that Let’s Encrypt only offers Domain Verification (DV) certificates that associate a public key with a domain. While that is all most servers require, companies that want Organization Validation (OV) or Extended Validation (EV) certificates will still need to purchase them from a commercial CA.
Let’s Encrypt has a lot of work to do before they exit beta, including getting their own root certificate added to the myriad of web browsers currently in use. However, in the interim, IdenTrust has cross-signed the Let’s Encrypt CA certificate to facilitate browser trust. When asked about his goals for the new CA, Aas replied, “we’re going to measure our progress by the percentage of TLS traffic on the web.” That is a great goal. Let’s Encrypt.
Have a security question you’d like answered in a future column? Email firstname.lastname@example.org
SAMSUNG GALAXY S8 PLUS
The Samsung Galaxy S8 Plus is a beautifully crafted smartphone with nearly no bezel, curvaceous in design and reflects a…
How to: Connect to Exchange Online Using Multi-Factor Authentication
Using PowerShell to manage your Microsoft cloud services like Exchange Online and using multi-factor authentication (MFA) separately is awesome. Using…