Let’s Encrypt launched its Public Beta service recently where you can get a certificate for your domains, for free!
The following statement from their website sums up how it works:
“No validation emails, no complicated configuration editing, no expired certificates breaking your website. And of course, because Let’s Encrypt provides certificates for free, no need to arrange payment.”
As highlighted by others, the excitement is actually not just about a Certificate Authority (CA) offering free certificates. Let’s Encrypt is enabled by an open protocol that allows interaction with the CA for creating and renewing certificates. Part of the protocol, known as ACME (Automated Certificate Management Environment), is a mechanism for proving to the CA that you own the domain.
If you have a few minutes, I suggest you watch Randy Bush’s presentation on automatic certificate issuance at the recent RIPE71 meeting in Bucharest.
Just how easy is it?
Assuming that you have some experience of managing linux/unix servers using the command line, the process of getting a certificate is really straightforward. You can find the instructions here.
Since the launch of the Public Beta, I have created certificates for a few domains I own. There are probably 3-4 major steps involved. Here is what I had to do for my www.harimau.ml domain.
- Install the client on your server
- Run the client & specify the domain for the certificate
- Wait 1-2 minutes and voila, certificate created! Take note of the expiry date, which is 90 days from when the certificate is created. This means you have to run the Let’s Encrypt tool again to renew the certificate.
- Configure your webserver (apache or nginx for example) to point to the certificate you have generated.
While you are at it, you may want to make sure the relevant SSL/TLS parameters are configured correctly: head over to BetterCrypto.org and check out the latest Applied Crypto Hardening Guide [PDF, 1.4 MB].
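The 90-day lifetime mentioned above is the part most likely to bite: a certificate that is not renewed in time breaks the site just as an expired commercial one would. The following is an added example (not code from the post or from the Let's Encrypt client) showing how a small renewal check could be written in Go using only the standard library. It parses a PEM certificate and decides whether renewal is due. Because it must run offline, it constructs its own self-signed certificate for www.harimau.ml with a 90-day validity window as a stand-in for the file the client would write; that certificate, the 30-day renewal lead time, and the function names are assumptions of this example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// RenewWithin is the lead time before expiry at which renewal should be
// triggered. Certificates are valid for 90 days; renewing a month early
// leaves room for failed attempts. The 30-day figure is an assumption of
// this example, not a value from the post.
const RenewWithin = 30 * 24 * time.Hour

// CertStatus summarises what a renewal cron job needs to know.
type CertStatus struct {
	Subject   string
	NotAfter  time.Time
	Remaining time.Duration
	RenewNow  bool
	Expired   bool
}

// ParsePEMCertificate decodes the first CERTIFICATE block in pemData.
func ParsePEMCertificate(pemData []byte) (*x509.Certificate, error) {
	block, _ := pem.Decode(pemData)
	if block == nil || block.Type != "CERTIFICATE" {
		return nil, fmt.Errorf("no CERTIFICATE block found in PEM input")
	}
	return x509.ParseCertificate(block.Bytes)
}

// CheckExpiry evaluates a certificate against the given clock so the
// decision can be tested with fixed dates rather than the wall clock.
func CheckExpiry(cert *x509.Certificate, now time.Time, renewWithin time.Duration) CertStatus {
	remaining := cert.NotAfter.Sub(now)
	return CertStatus{
		Subject:   cert.Subject.CommonName,
		NotAfter:  cert.NotAfter,
		Remaining: remaining,
		Expired:   remaining <= 0,
		RenewNow:  remaining <= renewWithin,
	}
}

// NewSelfSignedPEM builds a constructed sample certificate with the given
// validity window so the check can run without a real issued certificate.
// It is trusted by nobody and exists only for this example.
func NewSelfSignedPEM(commonName string, notBefore time.Time, validity time.Duration) ([]byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: commonName},
		DNSNames:     []string{commonName},
		NotBefore:    notBefore,
		NotAfter:     notBefore.Add(validity),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), nil
}

func main() {
	issued := time.Now().UTC().Truncate(time.Second)
	pemData, err := NewSelfSignedPEM("www.harimau.ml", issued, 90*24*time.Hour)
	if err != nil {
		panic(err)
	}
	cert, err := ParsePEMCertificate(pemData)
	if err != nil {
		panic(err)
	}
	// Probe the same certificate at issue time, two months in, and after expiry.
	for _, probe := range []time.Time{issued, issued.Add(65 * 24 * time.Hour), issued.Add(95 * 24 * time.Hour)} {
		s := CheckExpiry(cert, probe, RenewWithin)
		fmt.Printf("%s: %.0f days left, renew=%v, expired=%v\n",
			s.Subject, s.Remaining.Hours()/24, s.RenewNow, s.Expired)
	}
}
```

In practice the check would read the certificate file the client wrote and run from cron; when `RenewNow` is true it would invoke the client again, and a monitoring alert on `Expired` catches the case where that renewal silently failed.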
I think Let’s Encrypt is a great initiative, which has provided a practical solution for a set of problems. I also like that it is a collective effort, so everyone can contribute to improve the code or protocol. So if you haven’t tried it out, what are you waiting for?
The views expressed by the authors of this blog are their own and do not necessarily reflect the views of APNIC. Please note a Code of Conduct applies to this blog.