Introduction to Let’s Encrypt
October 11, 2018
Justin Sun
Padlock icon
• Your browser is communicating securely with the nejug.org through an encrypted channel
• Your browser trusts nejug.org because the NEJUG website has a certificate• The certificate is valid – not expired and not revoked
• The certificate is signed by a Certificate Authority (CA) that your browser trusts
Certificates and Certificate Authorities
When you visit a website over a secure connection, the website presents your browser with a digital certificate. This certificate identifies the hostname of the site and verifies the site owner. Certificates are issued to website operators and signed by a Certificate Authority (CA). The proof of identity represented in a Certificate may be trusted by the user as long as the user trusts the Certificate Authority. Modern operating systems typically ship with over 200 trusted CAs, some of which are operated by governments. Today’s model requires all users to trust that the hundreds of CA organizations correctly issue certificates...
Source: https://transparencyreport.google.com/https/certificates
Let’s Encrypt
• Free: Anyone who owns a domain name can use Let’s Encrypt to obtain a trusted certificate at zero cost.
• Automatic: Software running on a web server can interact with Let’s Encrypt to painlessly obtain a certificate, securely configure it for use, and automatically take care of renewal.
• Open: The automatic issuance and renewal protocol will be published as an open standard that others can adopt.
Source: https://letsencrypt.org/about/
Automatic Certificate Management Environment (ACME)• Protocol for interacting with a CA
• Verify that applicant owns a domain
• Issuance of the certificate
Source: https://ietf-wg-acme.github.io/acme/draft-ietf-acme-acme.html#rfc.section.6.1
Using Let’s Encrypt
• Domain owner provides proof of ownership of a domain
• Let’s Encrypt verifies information submitted
• If verification is successful, the domain owner can create a new certificate, good for 90 days
How it works – Domain owner
• Verify domain ownership – File or DNS change
• Verify keypair ownership – Sign nonce
Source: https://letsencrypt.org/how-it-works/
How it works - CA
Source: https://letsencrypt.org/how-it-works/
How it works – certificate operations
• Create certificate
• Renew within 30 days of expiration
• Revoke certificate
Growth
Date Certificates issued
March 8, 2016 1 million
April 21, 2016 2 million
June 3, 2016 4 million
June 22, 2016 5 million
September 9, 2016 10 million
November 27, 2016 20 million
December 12, 2016 24 million
June 28, 2017 100 million
August 6, 2018 115 million
September 14, 2018 380 million
Source: https://en.wikipedia.org/wiki/Let%27s_Encrypt
How many certificates have been issued?
Resources
• Let’s Encrypt Website: https://LetsEncrypt.org
• Wikipedia entry: https://en.wikipedia.org/wiki/Let%27s_Encrypt