Deploy360 14 March 2016

Let’s Encrypt hits 1 million certificates

By Kevin Meynell, Former Senior Manager, Technical and Operational Engagement

Early last week, Let’s Encrypt issued its one millionth certificate, an impressive achievement considering it only entered its public beta phase just over three months ago. Let’s Encrypt is a new trusted Certificate Authority (CA) offering free digital certificates used for securing servers for use with TLS applications such as secure web browsing and online financial transactions.

In fact, the 1 million Let’s Encrypt certificates are actually securing approximately 2.5 million fully-qualified domain names, as a single certificate can cover multiple domains, and 90% of these have never previously been reachable with HTTPS. This suggests that making certificates cheap and easy to install does encourage the deployment of TLS and furthers the aim of making secure web browsing the default.

Let’s Encrypt also supports automation to simplify obtaining and managing certificates, and encourages 90-day renewal to limit damage from key compromise and mis-issuance. This is achieved through the Automated Certificate Management Environment (ACME), which offers a standards-based REST API allowing client software to authenticate domains and automatically install certificates on servers without human intervention. A number of ACME-compliant clients have now been developed and are listed on the Let’s Encrypt community pages.
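As an added illustration (not code from this post, from Let’s Encrypt or from any ACME client), the sketch below goes one step beyond the paragraph above and shows how ACME's HTTP-01 domain check, as later standardised in RFC 8555, binds a challenge token to the client's account key through an RFC 7638 JWK thumbprint. The sample key, token and function names are constructed for the example.

```python
import base64
import hashlib
import json
import re

# Required JWK members per key type for an RFC 7638 thumbprint.
REQUIRED_MEMBERS = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}

def b64url(data: bytes) -> str:
    """Base64url without padding, as used throughout JOSE and ACME."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def jwk_thumbprint(jwk: dict) -> str:
    """SHA-256 over the canonical JSON of the required members only."""
    members = REQUIRED_MEMBERS.get(jwk.get("kty"))
    if members is None:
        raise ValueError("unsupported key type: %r" % jwk.get("kty"))
    missing = [m for m in members if m not in jwk]
    if missing:
        raise ValueError("JWK is missing members: " + ", ".join(missing))
    # Sorted keys and no whitespace: optional members (kid, alg) are dropped,
    # so the same key always hashes to the same thumbprint.
    canonical = json.dumps({m: jwk[m] for m in members},
                           sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())

def key_authorization(token: str, account_jwk: dict) -> str:
    """Value the client serves to prove control of the domain."""
    return token + "." + jwk_thumbprint(account_jwk)

def challenge_path(token: str) -> str:
    # Accept only the base64url alphabet so a token can never become a
    # path traversal when a client writes it under the webroot.
    if not re.fullmatch(r"[A-Za-z0-9_-]+", token):
        raise ValueError("token is not base64url")
    return "/.well-known/acme-challenge/" + token

def response_is_valid(body: bytes, token: str, account_jwk: dict) -> bool:
    """CA-side check: body equals the key authorization, ignoring trailing whitespace."""
    return body.rstrip() == key_authorization(token, account_jwk).encode("ascii")

# Constructed sample values: not a real account key or CA-issued token.
SAMPLE_JWK = {"kty": "EC", "crv": "P-256",
              "x": "c2FtcGxlLXg", "y": "c2FtcGxlLXk", "kid": "demo"}
SAMPLE_TOKEN = "constructed-token_0123456789"
```

Because the served value depends on the account key, someone who can only observe or copy the token cannot satisfy the challenge for a different ACME account.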

The Let’s Encrypt initiative is supported by sponsoring organisations who have an interest in promoting encrypted communication as the norm on the Internet. Over half of these sponsors have stepped up since the launch, demonstrating how successful the initiative has been.

More information about Let’s Encrypt and how to obtain certificates can be found on the Let’s Encrypt website.

Of course, digital certificates can be used for more than just securing the web. Deploy360 recently tested Let’s Encrypt certificates with the Go6lab mail servers and DANE, and it’s worth reading Part 1 and Part 2 of Jan Žorž’s tutorial on how to do this.

You can also check whether a server supports the TLS protocol using the tools listed on our TLS Tools page.

Disclaimer: Viewpoints expressed in this post are those of the author and may or may not reflect official Internet Society positions.
