Earlier this month Let’s Encrypt entered public beta, which is set to revolutionise the way SSL certificates are obtained and renewed.
What is this all about?
If you care at all about privacy, particularly for transactions such as purchases from an online store, you need to ensure the data sent across the internet is encrypted. This is done by communicating over SSL, which requires an SSL certificate.
Traditionally, SSL certificates had to be purchased from a Certificate Authority, sometimes costing up to $500 AUD per year for the most basic level of protection, depending on the brand name of the provider.
The process of procuring and installing a certificate was a bit of a hassle. Generally the steps involved included:
- Generate a Private Key and Certificate Signing Request (CSR)
- Order an SSL certificate from a reseller, providing the CSR
- Ensure you have a particular email address at your domain, e.g. firstname.lastname@example.org or email@example.com.
- Wait for the reseller to send you a verification email
- Follow a link from the email
- Wait for the reseller to issue you a certificate
- Install the certificate on the server
- Repeat every year when the certificate expires
What’s that you say? You have multiple domains? A test site? Maybe you need more than one certificate, or a wildcard certificate. The prices go up again.
Enter Let’s Encrypt
Let’s Encrypt is a free, automated, and open certificate authority (CA), run for the public’s benefit. By automating the validation and renewal process you can procure a certificate instantly and never have to worry about renewing it. And since it’s free you can install it on all of your websites without racking up a huge credit card bill.
How does it work?
Most of the magic happens via a client program run on the web server.
The first step is to prove control of the domain to the Certificate Authority. The traditional method would be to create a specific email address (e.g. firstname.lastname@example.org) and click a link from an email, requiring human interaction. Let’s Encrypt instead requires a particular file to exist on the web server in order to prove control of the domain, similar to authenticating for Google Webmaster Tools. This file must be signed with the automatically generated private key in order to validate.
Once the client program is verified, it is free to request, renew and revoke certificates.
The client can be used to generate standalone certificates, or via plugins it can automatically install on an Apache VirtualHost, for example.
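The validation exchange described above, as an added example that is not part of the original post: a self-contained Python simulation of the ACME http-01 challenge Let’s Encrypt uses. The account key is a constructed RSA public JWK (no real key pair), and a dict stands in for the web server’s document root and the CA’s HTTP fetch.

```python
import base64
import hashlib
import json
import secrets

def b64url(data: bytes) -> str:
    """Base64url without padding, the encoding ACME uses throughout."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

# Constructed account key: the public half of an RSA key as a JWK with a made-up
# modulus. It stands in for the key the client generates on the server.
ACCOUNT_JWK = {"kty": "RSA", "e": "AQAB", "n": b64url(bytes(range(1, 65)))}

def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 over the required public members only,
    serialised with sorted keys and no whitespace."""
    required = {k: jwk[k] for k in ("e", "kty", "n")}
    canonical = json.dumps(required, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("ascii")).digest())

def key_authorization(token: str, account_jwk: dict) -> str:
    """File body the client publishes: <token>.<thumbprint of account key>.
    This is what ties the file to the key the client registered with the CA."""
    return f"{token}.{jwk_thumbprint(account_jwk)}"

def ca_issue_challenge() -> str:
    """CA side: a fresh, unguessable token (256 bits of entropy)."""
    return b64url(secrets.token_bytes(32))

def client_publish(webroot: dict, token: str, account_jwk: dict) -> None:
    """Client side: place the file where the CA will fetch it over plain HTTP."""
    webroot[f"/.well-known/acme-challenge/{token}"] = key_authorization(token, account_jwk)

def ca_validate(webroot: dict, token: str, account_jwk: dict) -> bool:
    """CA side: fetch the file (a dict lookup stands in for the HTTP GET) and
    compare it, in constant time, against the value it expects for this account."""
    body = webroot.get(f"/.well-known/acme-challenge/{token}")
    return body is not None and secrets.compare_digest(body, key_authorization(token, account_jwk))

if __name__ == "__main__":
    webroot = {}  # simulated document root of the web server
    token = ca_issue_challenge()
    print("before publishing:", ca_validate(webroot, token, ACCOUNT_JWK))  # False
    client_publish(webroot, token, ACCOUNT_JWK)
    print("after publishing: ", ca_validate(webroot, token, ACCOUNT_JWK))  # True
```

A file produced with any other account key fails the comparison, so a matching response can only come from the client that holds the registered key.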
Who’s behind this project?
Let’s Encrypt is developed by the Internet Security Research Group (ISRG). A few major sponsors include Mozilla, Akamai, Cisco and Facebook. With players of this size behind the project you can expect it to take off.
How can I get a certificate?
We are running the Let’s Encrypt client on our hosting servers, so if you’re hosting with us, contact us to have this enabled on your account.
The only cost to you is a one-time fee to install, enable and test the service. Once it is running there are no ongoing fees, just peace of mind that your site is secure.