Let's Encrypt: The FSF beta tests a new Certificate Authority
Recently the FSF's application to Let's Encrypt's Limited Beta program was accepted. For those of you who have not been following, Let's Encrypt is a non-profit Certificate Authority (CA) run by the Internet Security Research Group (ISRG). The ISRG, founded in 2013, has board members from various places, including but not limited to the Electronic Frontier Foundation (EFF) and Mozilla. The main drive behind Let's Encrypt is to make getting X.509 certificates for Transport Layer Security (TLS) encryption trivial as well as cost-free. In addition, Let's Encrypt aims to make all this available using only Free as in Freedom software for both their server and client infrastructure. By doing this, the Let's Encrypt project hopes to make HTTPS (encrypted web traffic) the default state of the entire Internet. For further reading on the goals and mission statement of the Let's Encrypt CA, check out https://letsencrypt.org/about.
As part of the Limited Beta program we have been granted the ability to generate certificates. This is done using the Let's Encrypt client software, which uses their API to generate and sign certificates for several of our most used domains. Using the Let's Encrypt client software makes deploying certificates almost effortless. The current procedure is fairly straightforward: clone the git repository, run the client, allow it to grab the packages it requires, and then step through a fairly pretty curses interface that takes your email address and the domain of the certificate you are trying to generate and have signed. This process, however, does require minimal downtime, as the Let's Encrypt client requires the ports the web server uses to complete the API transaction. In practice this only took a minute or so of downtime to complete.
As part of our participation in the Limited Beta program, an example of the Let's Encrypt CA service can already be found on our network. Currently, we have migrated https://libreplanet.org to Let's Encrypt. The fingerprints for our new certificate, signed by Let's Encrypt, are as follows:
- SHA1: D0:48:06:70:21:7B:70:09:D0:5C:17:22:B1:C8:E9:40:EA:BA:AF:29
- SHA-256: 6B:0A:B6:4A:1A:7D:30:5C:1D:3C:A7:12:95:06:DC:F1:AA:48:7B:33:C2:81:C8:46:4E:97:1D:91:18:74:3A:98
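Published fingerprints like these are only useful if a reader checks them against the certificate a server actually presents. The following is an added example, not part of the original post or the Let's Encrypt client, showing how such a check can be done; the function names and the sample bytes are assumptions made for illustration.

```python
import hashlib
import hmac
import ssl


def fingerprint(der: bytes, algo: str = "sha256") -> str:
    """Hash a certificate's DER encoding; return colon-separated upper-case hex."""
    digest = hashlib.new(algo, der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def normalize(fp: str) -> str:
    """Accept 'AA:BB', 'aa bb' or 'aabb' and return bare upper-case hex."""
    return "".join(ch for ch in fp if ch not in ": \t\n").upper()


def matches_published(pem: str, published: str, algo: str = "sha256") -> bool:
    """True only if the PEM certificate hashes to the published fingerprint."""
    der = ssl.PEM_cert_to_DER_cert(pem)
    expected = normalize(published)
    if len(expected) != hashlib.new(algo).digest_size * 2:
        return False  # wrong length: truncated value or a different algorithm
    actual = normalize(fingerprint(der, algo))
    return hmac.compare_digest(actual, expected)


# SHA-256 fingerprint exactly as published in the post above.
PUBLISHED_SHA256 = (
    "6B:0A:B6:4A:1A:7D:30:5C:1D:3C:A7:12:95:06:DC:F1:"
    "AA:48:7B:33:C2:81:C8:46:4E:97:1D:91:18:74:3A:98"
)

# Constructed stand-in bytes, NOT a real certificate: a fingerprint is a hash
# over the DER bytes, so this exercises the same code path offline.
SAMPLE_DER = b"constructed sample bytes standing in for a DER certificate"
SAMPLE_PEM = ssl.DER_cert_to_PEM_cert(SAMPLE_DER)

if __name__ == "__main__":
    # Against a live server the PEM would come from
    # ssl.get_server_certificate(("libreplanet.org", 443)).
    print("sample SHA-256:", fingerprint(SAMPLE_DER))
    print("matches published value:", matches_published(SAMPLE_PEM, PUBLISHED_SHA256))
```

Certificates are reissued over time, so a fingerprint is only valid for the specific certificate it was computed from; a mismatch against an old published value means the certificate changed, and the new value has to be confirmed through a trusted channel.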
Overall we are very excited to participate in the Let's Encrypt project. If generating X.509 certificates can be so effortless, in my opinion the end goal of a World Wide Web that defaults to HTTPS instead of HTTP is achievable. The public beta for Let's Encrypt is scheduled to go live December 3rd, 2015. I encourage any reader who runs a web server to give the Let's Encrypt CA a serious look.