Let’s Encrypt: A Free, Automated and Open Certificate Authority
Enterprises need high-level security to operate their critical applications. One of security technology that can be implemented is certificate-based security using Public Key Infrastructure (PKI). PKI is defined as a system involving digital certificates, certification authorities (CAs), and other registration authorities (RAs) that verify and authenticate the validity of certificate from each party involved in an electronic transaction (Papazoglou & Ribbers 2006, p. 376). PKI has ability to provide high level security on various systems including e-Business applications, online trading and banking and web service-based business process automation. A number of authentication and encryption technology are involved in the security mechanism based-on PKI. There are some problems in the implementation of digital certificate. According to Eckersley’s weblog post on Electronic Frontier Foundation’s website (2014), the biggest obstacle to Hypertext Transport Protocol Secure (HTTPS) deployment has been the complexity, bureaucracy, and cost of the certificate that HTTPS requires. In order to promote the wide use of security on the internet, HTTPS technology, which utilizes digital certificate, needs to be more ubiquitous, uncomplicated in setting and can handle the renewal process of the certificate. In 2015, Electronic Frontier Foundation released Let’s Encrypt, which automates the certificate management on servers and provides simple tools to manage HTTPS. Let’s Encrypt do not need email validation and complex configuration. Furthermore, it automatically manages the renewal process to avoid the problem on the website due to certificate expiration. In addition, customers do not need to arrange payment because all of the certificates provided by Let’s Encrypt are free of charge. This report describes the design of the most common certificate management functions using the Let’s Encrypt and its current implementation.
2. Let’s Encrypt Design
Let’s Encrypt aims to automatically configure an HTTPS server with trusted certificate without human intervention (Internet Security Research Group 2016). This is done by executing an open source certificate management agent on each of the web application servers. There are two basic steps for this process. First, the agent has to prove to the Let’s Encrypt CA that the web server has the capability to control a domain. The next step is requesting, renewing, and revoking certificates for that domain.
At the first time when communicating with Let’s Encrypt, the agent creates a new key pair and proves to the Let’s Encrypt CA that the server has an ability to control one or more domains. The certificate management software agent then asks the Let’s Encrypt CA the procedure needed to be accomplished to prove that it controls a domain name, in this illustration, example.com. The Let’s Encrypt CA will examine the domain name and provide one or more sets of challenges for the agent. The CA might provide a choice of provisioning either a Domain Name System (DNS) record under example.com or an HTTP resource under a well-known Uniform Resource Identifier (URI) on https://example.com/. The Let’s Encrypt CA also provides a unique code that has to be signed with the agent’s private key to prove that the key pairs are under the agent’s control. The illustration of this process is shown in the figure below.
When the agent software accomplishes one of the challenges, for example by creating a file on a specified address on the https://example.com site, the agent then signs the provided unique code with its private key. After these steps, the agent sends a notification to the Let’s Encrypt CA that it is ready to complete the validation process. If the CA found that the signature is valid and the challenges are completed, the agent which is identified by its public key will be authorized to process the certificate management for example.com.
After the agent has an authorized key pair, it can request a digital certificate. The agent can obtain the digital certificate for the domain by constructing a Certificate Signing Request (CSR) which includes a signature by the private key corresponding to the public key in it. This CSR asks the Let’s Encrypt CA to issue a certificate for example.com. Also, the agent signs the whole CSR using the authorized key for example.com so that the CA understands that it is authorized. When the CA receives this CSR, it verifies all of the signatures. Finally, if everything is valid, the CA will issue a digital certificate for example.com with the public key derived from the CSR and returns it to the agent.
3. Let’s Encrypt Implementation
Let’s Encrypt has issued its millionth certificate by March 2016 (Aas 2016). Its first million certificates are helping to secure approximately 2.4 million domains. Currently, it is growing at the rate of more than 100,000 certificates per week. This rapid growth is due to high demand for an easy-to-use, free, widely trusted, and universal solution for digital certificate management. Let’s Encrypt also received a significant endorsement from major companies such as Mozilla, Akamai, Cisco, and Electronic Frontier Foundation. Its implementation on hosting companies helps many sites including e-Business websites implement HTTPS with Let’s Encrypt.
Web access security is an important aspect of e-business solutions. One of the internet protocols widely used to secure communication between clients and web-based application servers is HTTPS. Unfortunately, the majority of websites do not implement HTTPS due to the technical complexity and high cost of obtaining a digital certificate. To improve the number of HTTPS implementation, Internet Security Research Group developed Let’s Encrypt, a free, automated and open Certificate Authority (CA). There are two steps for managing digital certificates from Let’s Encrypt. The agent proves that it has the control of a domain, and then it requests, renews, and revokes certificates for that domain. Since its first launch in 2015, more than 2 million domains, from personal to business, have been using digital certificates from Let’s Encrypt. This emerging technology provides advantages for better e-business security over the internet.
Aas, J 2016, Our Millionth Certificate, Let’s Encrypt - Free SSL/TLS Certificates, weblog post, 8 March 2016, viewed 1 April 2016, https://letsencrypt.org/2016/03/08/ourmillionth-cert.html.
Eckersley, P 2014, Launching in 2015: A Certificate Authority to Encrypt the Entire Web, Electronic Frontier Foundation, weblog post, 18 November 2014, viewed 1 April 2016, https://www.eff.org/deeplinks/2014/11/certificate-authority-encrypt-entireweb.
Getting Started - Let’s Encrypt - Free SSL/TLS Certificates 2016 Internet Security Research Group, viewed 1 April 2016, https://letsencrypt.org/getting-started/.
How It Works - Let’s Encrypt - Free SSL/TLS Certificates 2016, Internet Security Research Group, viewed 1 April 2016, https://letsencrypt.org/how-it-works/.
Papazoglou, M & Ribbers, P 2006, E-business: organizational and technical foundations, Chichester, England, John Wiley.