
Jody Boucher

Software Engineer

Let's Encrypt - free and mostly automated HTTPS

HTTPS is the secure version of the HTTP protocol that is the foundation of web communication between a browser and a website. An HTTPS connection is an important aspect of any website. HTTPS helps to instill confidence and trust in a website by ensuring the privacy, integrity and authenticity of any interactions a client has with the website. If that is not enough to convince you of the importance of HTTPS, consider that Google rewards secure websites with higher rankings.

Until very recently, enabling HTTPS for a website involved an expenditure of money for the certificate and a lot of time spent dealing with the complexity of obtaining, installing, and renewing the certificate.

HTTPS for everyone

Let's Encrypt is a new service (still in beta as of this writing) of the Internet Security Research Group (ISRG), sponsored by a number of large players in the internet space. The motivation behind Let's Encrypt is to advance security practices on the web. It is trying to accomplish this by providing a couple of services to the public: a certificate authority (CA) that issues free certificates, and a client that provides (mostly) automated certificate management.

Let's Encrypt - free and automated certificates for HTTPS

Let's Encrypt certificates and certificate authority

Let's Encrypt has established itself as a certificate authority. At present, Let's Encrypt is issuing certificates from its intermediate CA (Let's Encrypt Authority X1), which is cross-signed by IdenTrust while support for its root certificate (ISRG Root X1) makes its way into browsers. The certificates issued by Let's Encrypt provide domain validation only: the CA verifies control of the domain name, not the identity of the organization behind it. They enable encrypted communication between the validated domain and the client. The certificates provided by Let's Encrypt are not Extended Validation certificates, and these types of certificates will likely not be offered.

Another important point to note is that Let's Encrypt issues short duration certificates. While most certificates are issued with a one year expiration, Let's Encrypt issues certificates valid for 90 days. The automation provided by the Let's Encrypt client should relieve most if not all of the pain associated with certificate renewal, so this should not be an issue.
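Because the 90-day lifetime makes a missed renewal the most likely way a Let's Encrypt site ends up with an outage, a practitioner will want an independent check that the served certificate is still valid and is getting renewed on time. The following is an added example, not code from the original post or from Let's Encrypt; it uses only Python's standard library. It reads the certificate dictionary that `ssl.SSLSocket.getpeercert()` returns, reports the issuing intermediate (the post mentions Let's Encrypt Authority X1) and how many days remain, and flags the certificate for renewal below a threshold. The 30-day threshold and the sample certificate dictionary are assumptions constructed for this example; the `fetch_cert` helper is what you would call against a live host.

```python
import datetime
import socket
import ssl

# Assumption for this example: renew once fewer than 30 days remain.
RENEW_THRESHOLD_DAYS = 30

# Constructed sample in the shape of ssl.SSLSocket.getpeercert():
# a 90-day certificate as Let's Encrypt issues, chained to its X1 intermediate.
SAMPLE_CERT = {
    "subject": ((("commonName", "example.test"),),),
    "issuer": (
        (("countryName", "US"),),
        (("organizationName", "Let's Encrypt"),),
        (("commonName", "Let's Encrypt Authority X1"),),
    ),
    "notBefore": "Jan 10 00:00:00 2016 GMT",
    "notAfter": "Apr 09 00:00:00 2016 GMT",
    "subjectAltName": (("DNS", "example.test"), ("DNS", "www.example.test")),
}


def expiry_utc(not_after: str) -> datetime.datetime:
    """Parse the 'notAfter' string (e.g. 'Apr 09 00:00:00 2016 GMT') into a UTC datetime."""
    seconds = ssl.cert_time_to_seconds(not_after)
    return datetime.datetime.fromtimestamp(seconds, tz=datetime.timezone.utc)


def days_remaining(not_after: str, now: datetime.datetime) -> int:
    """Whole days between 'now' (timezone-aware) and the certificate's expiry; negative once expired."""
    return (expiry_utc(not_after) - now).days


def lifetime_days(cert: dict) -> int:
    """Validity period of the certificate in days (Let's Encrypt issues 90-day certificates)."""
    return (expiry_utc(cert["notAfter"]) - expiry_utc(cert["notBefore"])).days


def issuer_common_name(cert: dict) -> str:
    """Extract the issuer CN from the nested RDN tuples getpeercert() returns."""
    for rdn in cert["issuer"]:
        for name, value in rdn:
            if name == "commonName":
                return value
    return ""


def renewal_status(cert: dict, now: datetime.datetime,
                   threshold_days: int = RENEW_THRESHOLD_DAYS) -> str:
    """Classify the certificate as 'expired', 'renew' (inside the threshold) or 'ok'."""
    remaining = days_remaining(cert["notAfter"], now)
    if remaining < 0:
        return "expired"
    if remaining < threshold_days:
        return "renew"
    return "ok"


def fetch_cert(hostname: str, port: int = 443, timeout: float = 5.0) -> dict:
    """Fetch the leaf certificate a live server presents, validating the chain with system roots."""
    context = ssl.create_default_context()
    with socket.create_connection((hostname, port), timeout=timeout) as sock:
        with context.wrap_socket(sock, server_hostname=hostname) as tls:
            return tls.getpeercert()


def report(cert: dict, now: datetime.datetime) -> str:
    """One-line summary suitable for a cron job or monitoring check."""
    return (f"issuer={issuer_common_name(cert)!r} lifetime={lifetime_days(cert)}d "
            f"remaining={days_remaining(cert['notAfter'], now)}d "
            f"status={renewal_status(cert, now)}")


if __name__ == "__main__":
    # Offline demonstration against the constructed sample; swap in
    # fetch_cert("your.host") to check a real site.
    print(report(SAMPLE_CERT, datetime.datetime(2016, 3, 15, tzinfo=datetime.timezone.utc)))
```

Run it from cron with a real hostname and alert on any status other than `ok`; the check is independent of the renewal client, so it catches a renewal job that silently stopped running.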

Let's Encrypt client

The other significant service provided by Let's Encrypt is a client designed to run on the web server. The client automates the process of obtaining a certificate (including validating control of the domain), installing and securely configuring the certificate in the web server, and, lastly, renewing the certificate before it expires.

Trying it out

In the coming days I will configure this site with a certificate using Let's Encrypt. I will post the procedure and evaluate the process once complete.