Written by mnovasoft

Let’s Encrypt, free SSL encryption to everyone.

Let’s Encrypt!

I recently started to focus on the Let’s encrypt free certification authority, a total revolution in the way encryption is offered.  I thought it would be useful to write this article and here we are.

For those of you that don’t know what it is, a short description from the service’s home page

 

Let’s Encrypt is a free, automated, and open certificate authority (CA), run for the public’s benefit. It is a service provided by the Internet Security Research Group (ISRG).

 

Without the risk to oversimplify the concept behind it,  you can have a fully trusted, fully operational, SSL certificate for free.

Wait, hold on, free SSL certificates? Why?

HTTPS Everywhere logo

The letsencrypt initiative is the result of a worldwide movement where people aim to fully encrypt the entire internet. In other words, the basic principle of this movement is that the ability to protect own data is part of the rights of a modern internet citizen.

The initiative started thanks to 3 main players  Electronic Frontier Foundation,  Mozilla Foundation and the University of Michigan.

Since then, several sponsors started to support the letsencrypt initiative. Here is a link with all the major players behind it (https://letsencrypt.org/sponsors/)

More links about this topic, at the end of this article.

 

 

What is the difference between this CA and others?

“Lets Encrypt” CA  is a fully features/fully recognized CA, period.

The difference between this CA and other CAs is in mainly in:

  • The level of professional support they provide
  • No warranty on the provided certificates (while others offer up to several millions of dollars of warranty)
  • It is fully automated, there is no human interaction or (useless) additional controls
  • The CA does not validate the legal or offline identity of the certificate applicant
  • The issued certificates cannot be used for email TLS or Code signing
  • The validity of their certificates lasts for a maximum of 90 days. This is very important. The good news is that they offer a suite which makes the renewal extremely easy (and it can be automated :))

Is it a well-recognized Certification Authority?

The certification authority is extremely well recognized by modern browsers and systems

– Mozilla Firefox, which implements its own certification authority trust system, recognizes it.
https://mozillacaprogram.secure.force.com/CA/CACertificatesInFirefoxReport

– Chrome, which uses the underlying OS certification authority trust system, is well covered by OS (Windows, Linux, MAC OSX)
http://www.chromium.org/Home/chromium-security/root-ca-policy

– Internet Explorer, uses the underlying OS CA trust mechanism

Windows recognizes the LetsEncrypt CA since it is cross-signed with the “DST Root CA X3”, part of the windows trusted CAs
https://social.technet.microsoft.com/wiki/contents/articles/37425.microsoft-trusted-root-certificate-program-participants-as-of-march-9-2017.aspx

(for a full set of compatibility information, refer to this article https://community.letsencrypt.org/t/which-browsers-and-operating-systems-support-lets-encrypt/4394)

Why should I use an SSL certificate?

To protect the information you operate, to guarantee your identity, to protect the data transmission.

Because data is the most valuable asset we have and it is our duty to protect it.

Do I need to protect non-production systems?

My production system is already covered by production systems’ certificates, do I need to protect other systems?

Actually yes.

Every system handling actual data (application’s data-sets, user credentials, authentication tokens) are exposed to possible attacks and malicious access.

 

How difficult is it?

The generation of an SSL certificate with Lets Encrypt is extremely easy and supports multiple platforms and web servers.

I honestly only operate in Linux environments and I cannot judge the complexity on a windows system but, hey, guys, they built an extremely easy tool set.

Using Fedora (I use Fedora 25), the installation of the letsencrypt utility is just a “dnf” away.

sudo dnf install letsencrypt

Once installed, the generation of a certificate is very simple and it requires to publish a check file on your website, containing a special hash code (given during the process)

 letsencrypt --text --email recovery@example.com --domains www.example.com,example.com,foo.example.com --agree-tos --renew-by-default --manual certonly

Once done, all the needed files are stored into the /etc/letencrypt folder structure.

In particular, the full chain, the public, and the private keys are generated (I used the perm format).

Using Redhat systems can be a bit more cumbersome. Checking this guide can help in the process http://www.tecmint.com/install-lets-encrypt-ssl-certificate-to-secure-apache-on-rhel-centos/

 

Some useful links

Electronic Frontier Foundation

Wired – Half the web is now encrypted

Wired – A scheme to encrypt the entire web is actually working

 

Leave a comment