If you’ve ever had the task of requesting and installing a digital certificate on a web server or network device, you’ve probably found it tedious. And maybe you were surprised at the price public certificate authorities charge for their most basic certificates. While any self-signed certificate can provide an identity to set up a secure communication channel, it has no trusted third party vouching that you are who your certificate says you are. Enter: Let’s Encrypt.
Let’s Encrypt is a project that was started in 2012 by two Mozilla employees, Josh Aas and Eric Rescorla. It was announced publicly in November 2014, with a goal to make encrypted communications a default on the Internet by providing the means for a free, automatic, secure, transparent and open solution to issue digital certificates to anyone.
Sound too good to be true? Well, after issuing 26,000 certificates during a limited beta period, Let’s Encrypt entered a public beta phase in December 2015, and is sponsored by Cisco, Mozilla, EFF, Akamai, Facebook and others. As great as this is, it’s not meant to replace the existing certificate infrastructure currently in place, because Let’s Encrypt offers only Domain Validated (DV) certificates, and not Organization Validated (OV) or Extended Validation (EV) certificates. Although DV certificates are very useful when asserting ownership/control of a web domain, they are not suitable for e-commerce or online banking. The difference is in the amount of verification done before the certificate is issued.
Right now Let’s Encrypt is supported on Unix(-ish) operating systems that include Python 2.6 and 2.7, and it uses its own protocol, Automated Certificate Management Environment (ACME), to automate request, issuance and revocation tasks.
I’m excited to set this up on my own network and to see how it evolves over time. Hopefully, it will expand to other web servers, mail servers and network appliances.
Lastly, feel free to comment below with any questions and let’s get a conversation started.