introduction to let’s encrypt · let’s encrypt •free: anyone who owns a domain name can use...

Introduction to Let’s Encrypt

October 11, 2018

Justin Sun

Padlock icon

• Your browser is communicating securely with the nejug.org through an encrypted channel

• Your browser trusts nejug.org because the NEJUG website has a certificate• The certificate is valid – not expired and not revoked

• The certificate is signed by a Certificate Authority (CA) that your browser trusts

Certificates and Certificate Authorities

When you visit a website over a secure connection, the website presents your browser with a digital certificate. This certificate identifies the hostname of the site and verifies the site owner. Certificates are issued to website operators and signed by a Certificate Authority (CA). The proof of identity represented in a Certificate may be trusted by the user as long as the user trusts the Certificate Authority. Modern operating systems typically ship with over 200 trusted CAs, some of which are operated by governments. Today’s model requires all users to trust that the hundreds of CA organizations correctly issue certificates...

Source: https://transparencyreport.google.com/https/certificates

Let’s Encrypt

• Free: Anyone who owns a domain name can use Let’s Encrypt to obtain a trusted certificate at zero cost.

• Automatic: Software running on a web server can interact with Let’s Encrypt to painlessly obtain a certificate, securely configure it for use, and automatically take care of renewal.

• Open: The automatic issuance and renewal protocol will be published as an open standard that others can adopt.

Source: https://letsencrypt.org/about/

Automatic Certificate Management Environment (ACME)• Protocol for interacting with a CA

• Verify that applicant owns a domain

• Issuance of the certificate

Source: https://ietf-wg-acme.github.io/acme/draft-ietf-acme-acme.html#rfc.section.6.1

Using Let’s Encrypt

• Domain owner provides proof of ownership of a domain

• Let’s Encrypt verifies information submitted

• If verification is successful, the domain owner can create a new certificate, good for 90 days

How it works – Domain owner

• Verify domain ownership – File or DNS change

• Verify keypair ownership – Sign nonce

Source: https://letsencrypt.org/how-it-works/

How it works - CA

Source: https://letsencrypt.org/how-it-works/

How it works – certificate operations

• Create certificate

• Renew within 30 days of expiration

• Revoke certificate

Growth

Date Certificates issued

March 8, 2016 1 million

April 21, 2016 2 million

June 3, 2016 4 million

June 22, 2016 5 million

September 9, 2016 10 million

November 27, 2016 20 million

December 12, 2016 24 million

June 28, 2017 100 million

August 6, 2018 115 million

September 14, 2018 380 million

Source: https://en.wikipedia.org/wiki/Let%27s_Encrypt

How many certificates have been issued?

Resources

• Let’s Encrypt Website: https://LetsEncrypt.org

• Wikipedia entry: https://en.wikipedia.org/wiki/Let%27s_Encrypt