Free Digital Certificates
About SSL Certificates
SSL certificates are a form of digital certificate typically used to securely encrypt sensitive information such as payment credentials and personal contact details. You'll recognise this when you see the familiar padlock in the address bar of your browser.
For website owners wanting to protect their website, SSL has been an expensive and time-consuming option, typically costing between $50-$250 per year plus additional installation costs.
TLS - The New Standard
Not only has SSL certificate issuing been an expensive pain, SSL is also an outdated technology that has been proven insecure by the recent "POODLE" vulnerability. As a result, the more secure Transport Layer Security (TLS) is its successor for providing secure communications.
Let's Encrypt - Free Certificate Authority and More
That may all be about to change when a new initiative called "Let's Encrypt" lands in late 2015.
Let's Encrypt is a new certificate authority sponsored by Mozilla, Cisco, the EFF foundation and others. It aims to provide free, automatic and secure issuing of a TLS digital certificate for anyone on the web.
Special software will need to be installed on web servers which will handle the entire process for setting up a domain certificate and updating the web server configuration. This means free and almost instant deployment of digital certificates for anyone.
Let's Encrypt certificates will be trusted by all the major browsers, as they will be cross-signed by the widely trusted IdenTrust CA while Let's Encrypt's own root CA continues to propagate.
How "Let's Encrypt" Works
- The Let's Encrypt agent software is installed on a web server - the software automates the process of requesting, validating and deploying certificates.
- Using the agent software, the hosting provider requests to manage certificates for a domain (e.g. example.com).
- The Let's Encrypt Certificate Authority (CA) asks the agent to perform some verification such as creating a file accessible from the domain https://example.com/xxxx or by provisioning a DNS record.
- The agent does what it can to satisfy this requirement, and once this verification is complete, the CA will authorise the agent to manage certificates for that domain.
Now issuing a certificate is as simple as running a command, which will even manage the TLS configuration in Apache/Nginx.
For a more technical overview see: https://letsencrypt.org/howitworks/technology/
Benefits for Website Owners
As a website owner, securing your website in the future may no longer be a costly operation.
If your hosting provider supports "Let's Encrypt", you would tell your hosting provider that you want a certificate for your domain, and they will be able to generate and deploy a free digital certificate in a matter of minutes.
Let's Encrypt Installation (for Providers)
If you're a hosting provider or developer interested in testing Let's Encrypt prior to official release then see below.
Although not officially released, you can already download the letsencrypt client software which is a Python application capable of requesting, validating and automatically updating Apache/Nginx configuration. The client can be downloaded from GitHub.
All of the hosting servers at i4U run Debian Linux, so I'm providing some instructions on how to get this up and running. It may be similar for other distributions.
Grab the source code:
git clone https://github.com/letsencrypt/letsencrypt
cd letsencrypt
Install the agent:
Run the Debian bootstrap to fetch some required packages for compiling the Python client:
Build the client:
virtualenv --no-site-packages -p python venv
./venv/bin/pip install -r requirements.txt acme/ . letsencrypt-apache/ letsencrypt-nginx/
Request a certificate for a domain:
(Starts an interactive screen)