Free SSL/TLS Certificates Coming (Sept./Nov.) - Let's Encrypt!

emgemg Veteran
edited August 2015 in General

The EFF started an initiative to establish a free, automated certificate authority to issue SSL/TLS certificates to all domain owners on request. The project started last year. Testing will begin in less than two weeks, with a plan to open it up for everyone in mid-November. The initiative is called "Let's Encrypt".

The goal is to provide the tools and certificates to make it very easy for webmasters to transition from HTTP to HTTPS by default.

I have seen it mentioned here in other threads. I decided to create a new thread so that everyone would know about it. Here is a recent article:

http://www.zdnet.com/article/securing-the-internet-lets-encrypt/

Here is the original EFF announcement from last year:

https://www.eff.org/deeplinks/2014/11/certificate-authority-encrypt-entire-web

Here is the Let's Encrypt website:

https://letsencrypt.org

Comments

  • rm_rm_ IPv6 Advocate, Veteran

    Old news, post when it actually opens.

    Thanked by 3deadbeef ucxo TarZZ92
  • I think the question is, will it ever? I am curious as to what is holding them back (as I know nothing about the technical difficulties of the venture).

    Thanked by 1lucast
  • Its coming Nov... so yes...

  • It's been delayed twice, maybe even more times.

    Thanked by 1ucxo
  • perennateperennate Member, Host Rep

    ItsChrisG said: Its coming Nov... so yes...

    So yes... so yes what??? It was originally going to launch with general availability in September.

  • emgemg Veteran

    @rm_ said:
    Old news, post when it actually opens.

    Okay. I won't say anything more until it opens to everyone. The initial test trials are 12 days away. (Restricted testing; not open to everyone.)

    @deadbeef said:
    I think the question is, will it ever? I am curious as to what is holding them back (as I know nothing about the technical difficulties of the venture).

    Those are fair questions. I am reasonably confident that they will achieve their goals. They were initiated by EFF, and supported by much larger entities, such as Akamai, Cisco, and Mozilla. In the past I worked with several of the people who are on the technical advisory board or the ISRG. I can vouch for them personally as being top-notch technical leaders. They are serious about getting it to work. I know as much as you regarding the technical difficulties to overcome. Look at the website, blogs, etc.

    The latest schedule notice that I could find, dated 7 August, gives a "first certificate date" of 7 September. Let's see what happens. As I said, I won't post anything more about it until it becomes open and available to the general public, hopefully in November as planned.

    Thanked by 1deadbeef
  • emg said: Okay. I won't say anything more until it opens to everyone. The initial test trials are 12 days away. (Restricted testing; not open to everyone.)

    testing what exactly? CA is idiotically simple to set up, even with highest security protocols (i.e. keeping the master key offline) - What is their problem? Why delay it all the time?

    I believe in it as a project once it runs and actually issues certs to the general public - Until then it is nothing more than hot air.

  • NyrNyr Community Contributor, Veteran

    Are they still not going to issue wildcards? I would bet so.

  • TheOnlyDKTheOnlyDK Member
    edited August 2015

    @Nyr said:
    Are they still not going to issue wildcards? I would bet so.

    I didn't know they were planning to do wildcards? I thought it's just single (sub)domain.

    I'm blind, didn't see the "not".

  • NyrNyr Community Contributor, Veteran

    @TheOnlyDK said:
    I didn't know they were planning to do wildcards? I thought it's just single (sub)domain.

    Exactly, only single domains. It's not like it's a technical limitation...

    Thanked by 1TheOnlyDK
  • @Nyr said:
    Exactly, only single domains. It's not like it's a technical limitation...

    Pardon me, didn't see the "not". Got me excited for a sec.

  • Note they expire every 90 days so have to be renewed.

    There is also no plan for wildcard support.

    Thanked by 1deadbeef
  • rm_rm_ IPv6 Advocate, Veteran
    edited August 2015

    wwwcom said: Note they expire every 90 days so have to be renewed.

    Wow indeed. I never knew about the 90 days part. https://ckon.wordpress.com/2015/08/20/free-https-ssl/
    Seems pretty useless now.

    Also they will somehow check if you have any valid certs from other CAs (and refuse to work if you do):

    We also have a precaution that other DV CAs generally don't, where we won't issue a certificate for a domain name that has an existing cert from another CA unless the applicant can prove that they control the key that's the subject of the existing cert. So for example, if there were an existing domain like example.com that had an existing and valid cert in use from Example CA, we would not be willing to issue a new cert for example.com unless the applicant could prove that they had the key that was the subject of the cert issued by Example CA.

    https://community.letsencrypt.org/t/whats-the-difference-between-letsencrypt-and-traditional-ca/499

    Oh well, let's just hope that WoSign won't remove their 3 year free cert offer. https://www.ohling.org/blog/2015/02/wosign-free-2y-ssl-certificate.html

  • @wwwcom said:
    Note they expire every 90 days so have to be renewed.

    dafuq? :o

  • Looks more like a trial offer to get more people buying into SSL certificates.

    wwwcom said: Note they expire every 90 days so have to be renewed. There is also no plan for wildcard support.

  • @wwwcom said:
    Note they expire every 90 days so have to be renewed.

    Isn't the LetsEncrypt client supposed to automate that though?

  • @dragon2611 said:
    Isn't the LetsEncrypt client supposed to automate that though?

    Right.

    @William said:

    testing what exactly? CA is idiotically simple to set up, even with highest security protocols (i.e. keeping the master key offline) - What is their problem? Why delay it all the time?

    Let's Encrypt isn't just a free CA. It's a piece of software for servers that automates most of the certificate process (issuance, installation and configuration, renewals, etc.).

    https://letsencrypt.org/howitworks/

  • WilliamWilliam Member
    edited August 2015

    Dylan said: Let's Encrypt isn't just a free CA. It's a piece of software for servers that automates most of the certificate process (issuance, installation and configuration, renewals, etc.).

    Give me like a day and I'll write you that in bash....

    Thanked by 2netomx TriDoxiuM
  • rm_rm_ IPv6 Advocate, Veteran

    dragon2611 said: Isn't the LetsEncrypt client supposed to automate that though?

    I never planned to use it, perhaps many people didn't either, and now they decided to make using their certs without installing the software next to impractical.

    And even if it's automated, I don't see the point of risking totally screwing up access to my sites and services once every 90 days (if something goes wrong during the update).

  • @William said:
    Give me like a day and I'll write you that in bash....

    The code's all on GitHub. If you think you can do better than them, get involved.

    https://github.com/letsencrypt/letsencrypt

    Thanked by 2netomx Maounique
  • NyrNyr Community Contributor, Veteran

    The 90 days part is... ridiculous, as is checking if there is an existing certificate from a different CA. But well, this bullshit was to be expected from the EFF.

  • Dylan said: The code's all on GitHub. If you think you can do better than them, get involved.

    All it lists under "Current features" is simple to implement - It makes no sense that they delay it because of coding reasons.

  • MaouniqueMaounique Host Rep, Veteran

    I am not sure why the delay, but this is aimed to be a fool-proof method, so any dim will be able to follow a copy-paste tutorial.
    It is not aimed at geeks, not to mention professionals. I know LOTS of people who have no idea how certificates work and never bother to try.
    I repeat, this is not a scheme to produce free certificates, there are already some, but one to produce ones that are renewed often and automatically for the non-technical people who try to host their own stuff securely. This will undoubtedly extend to VPNs and other usages.
    It is next to impossible to explain this to everyone, but they will wrap it under some "app" and many people will be able to set those up and communicate securely, hopefully.

  • eva2000eva2000 Veteran
    edited August 2015

    Maounique said: I am not sure why the delay, but this is aimed to be a fool-proof method, so any dim will be able to follow a copy-paste tutorial.

    Watch Seth's video at https://community.letsencrypt.org/t/seth-schoen-lets-encrypt-presentation-youtube/502; he addresses the delay issue, and it's in large part due to the sheer amount of paperwork and documentation involved for CA compliance etc. etc.

  • Are there any real explanation for the 90 days thing? Not like "My head was itching so I made these certs valid for 90 days.".

  • berkay said: Are there any real explanation for the 90 days thing? Not like "My head was itching so I made these certs valid for 90 days.".

    Why not 90 days? It's probably a good thing to rotate automatically generated private keys. This can also be used for a kind of poor man's forward security.

  • @Silvenga said:
    Why not 90 days? It's probably a good thing to rotate automatically generated private keys. This can also be used for a kind of poor man's forward security.

    I didn't know perfect forward secrecy costs money.

  • ReeRee Member

    Reading through some of the links above brought me to another question/answer that indicates they'll support SAN from day 1. Since they aren't supporting wildcard right away I assumed they wouldn't be supporting SAN either, but apparently they are!

    https://community.letsencrypt.org/t/san-certificates/100/11

    https://community.letsencrypt.org/t/will-this-service-supply-ucc-certificates/105

  • elwebmaster said: I didn't know perfect forward secrecy costs money.

    It does if you are running some stable/old web server or if you need to support older browsers.

  • rm_rm_ IPv6 Advocate, Veteran
    edited August 2015

    berkay said: Are there any real explanation for the 90 days thing? Not like "My head was itching so I made these certs valid for 90 days.".

    Yes, and it's so bizarre, it's almost unbelievable.

    A person gets better at a task they have to do six times a year than one they have to do once a year. People are less likely to make mistakes, and more likely to set up reminders and make sure there is backup for when they are on vacation.

    https://community.letsencrypt.org/t/maximum-and-minimum-certificate-lifetimes/264/12

    So in case you were sometimes forgetting to renew your cert once a year, they are now giving you an opportunity to be forgetting to do that much more often. And besides, renewing once every few years was too easy, let's make renewing certs into an important monthly process you have to keep in your reminder, or maybe hire a staff member to take care specifically of that.

    Thanked by 3Maounique berkay asf
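The renewal worry running through the thread (a 90-day certificate that silently fails to renew takes the site down), as an added example that is not code from the thread or from Let's Encrypt: a monitoring check that classifies a served certificate by the days it has left, so a stalled renewal is caught before expiry. The 90-day lifetime is from the thread; the 30-day renewal window, the "overdue" threshold and the sample certificate dictionary are assumptions constructed here.

```python
import socket
import ssl
from datetime import datetime, timezone

# Added example, not Let's Encrypt code. The 90-day lifetime is from the thread;
# the 30-day renewal window is an assumption made here.
LIFETIME_DAYS = 90
RENEW_WITHIN_DAYS = 30

def utc(year, month, day):
    """Midnight UTC on the given date (fixed 'now' values for checks)."""
    return datetime(year, month, day, tzinfo=timezone.utc)

def days_remaining(cert, now=None):
    """Days until notAfter for a dict shaped like SSLSocket.getpeercert()."""
    now = now or datetime.now(timezone.utc)
    expiry = datetime.fromtimestamp(ssl.cert_time_to_seconds(cert["notAfter"]), timezone.utc)
    return (expiry - now).total_seconds() / 86400

def renewal_status(cert, now=None):
    """Return 'ok', 'renewal_due', 'renewal_overdue' or 'expired'."""
    # On a 90-day cert, being inside the window with no fresh cert means
    # the renewal automation the thread relies on has not run.
    left = days_remaining(cert, now)
    if left <= 0:
        return "expired"
    if left <= RENEW_WITHIN_DAYS / 2:  # assumption: half the window left is overdue
        return "renewal_overdue"
    if left <= RENEW_WITHIN_DAYS:
        return "renewal_due"
    return "ok"

def fetch_cert(host, port=443):
    """Fetch the live leaf certificate with chain and hostname validation."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()

# Constructed sample in getpeercert() format; not a real certificate.
SAMPLE_CERT = {
    "subject": ((("commonName", "www.example.com"),),),
    "subjectAltName": (("DNS", "www.example.com"), ("DNS", "example.com")),
    "notBefore": "Sep  7 00:00:00 2015 GMT",
    "notAfter": "Dec  6 00:00:00 2015 GMT",  # exactly LIFETIME_DAYS later
}

if __name__ == "__main__":
    # Live use would be: renewal_status(fetch_cert("www.example.com"))
    print(renewal_status(SAMPLE_CERT, utc(2015, 11, 20)))  # → renewal_due
```

Run it from cron against each hostname and page on anything other than "ok"; a status of "renewal_overdue" with the same notAfter as last week is the signal that the client's automation broke, not the certificate.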