HTTPS was a privilege
Until 2015, enabling HTTPS meant buying a certificate from a commercial Certificate Authority (DigiCert, Comodo, GlobalSign, Symantec), typically EUR 50 to 500 per year for a single domain, plus manual CSR generation, domain ownership validation and installation. For small sites, personal blogs and non-profit portals the cost was disproportionate, so the majority of the web ran over cleartext HTTP.
After the Snowden revelations (June 2013), pressure to make HTTPS the default grows. The EFF's HTTPS Everywhere extension (developed with the Tor Project) steers browsers to the encrypted version of sites that already offer one, and in August 2014 Google announces HTTPS as a ranking signal; but one infrastructural piece is missing: a free, automated, broadly accessible CA.
The Internet Security Research Group
In November 2014 the Internet Security Research Group (ISRG) is announced, a California public-benefit non-profit backed by the Electronic Frontier Foundation, Mozilla, Cisco, the University of Michigan and Akamai. Its goal is to launch Let’s Encrypt, a Certificate Authority with these stated characteristics:
- Free certificates for anyone
- Full automation: issuance and renewal require no human intervention
- Short validity (90 days) with automated renewal
- Transparent audit of the operational process
- Open Source of all software
ACME — Automated Certificate Management Environment
Let’s Encrypt’s technical core is the ACME protocol (Automated Certificate Management Environment), at the time going through IETF standardisation (later published as RFC 8555). ACME automates:
- Account registration: the client generates an account key pair and registers its public key with the ACME server; every later request is a JWS signed with that key
- Domain validation: the server issues a challenge the client can only satisfy if it controls the name. In every challenge type the value proven is the key authorization, the challenge token joined with a "." to the RFC 7638 thumbprint of the account key, so a response can only have been produced by the account that asked for the certificate:
  - HTTP-01: the client serves the key authorization at http://<domain>/.well-known/acme-challenge/<token>, fetched by the CA over port 80
  - DNS-01: the client publishes a TXT record at _acme-challenge.<domain> whose value is the base64url SHA-256 of the key authorization
  - TLS-ALPN-01: the client presents a self-signed certificate carrying the challenge digest during a TLS handshake with the "acme-tls/1" ALPN protocol (RFC 8737; it replaced the original TLS-SNI-01 challenge, which was withdrawn in 2018 after a shared-hosting bypass)
- Certificate issuance: once the authorizations are valid, the client submits a CSR and the CA returns the signed certificate chain
- Renewal: the same flow repeats; with 90-day certificates, clients renew at about day 60 (Certbot renews once fewer than 30 days remain), so a single failed renewal still leaves weeks before expiry
The standard is open: anyone can implement an ACME client or server.
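As an added example (not Let’s Encrypt’s or Certbot’s code), the following Python derives the HTTP-01 and DNS-01 challenge responses described above from a constructed account key and token, and shows the comparison the CA performs on the HTTP-01 side. The JWK and token values are sample data, not a real account; the derivations follow RFC 8555 and RFC 7638. It also includes the token sanity check a client should apply before it writes a file named after a server-supplied token.

```python
"""ACME challenge material as a client derives it and as the CA checks it.

Added example, not Let's Encrypt or Certbot code. SAMPLE_JWK and SAMPLE_TOKEN
are constructed values; the derivations follow RFC 8555 and RFC 7638.
"""
import base64
import hashlib
import json
import re
from typing import Tuple

# Constructed sample data: a P-256 account public key in JWK form and a
# challenge token. In a real flow the token comes from the ACME server.
SAMPLE_JWK = {
    "kty": "EC",
    "crv": "P-256",
    "x": "MKBCTNIcKUSDii11ySs3526iDZ8AiTo7Tu6KPAqv7D4",
    "y": "4Etl6SRW2YiLUrN5vfvVHuhp7x8PxltmWWlbbM4IFyM",
}
SAMPLE_TOKEN = "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA"

# RFC 8555: a token contains only base64url characters and no "=" padding.
TOKEN_RE = re.compile(r"^[A-Za-z0-9_-]+$")


def b64url(data: bytes) -> str:
    """base64url without padding, the encoding ACME uses everywhere."""
    return base64.urlsafe_b64encode(data).decode("ascii").rstrip("=")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 over the canonical JSON of the required members.

    Only the key-type-specific required members count, sorted lexicographically
    with no whitespace; optional members such as "alg" or "kid" are ignored.
    """
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required}, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def token_is_safe(token: str) -> bool:
    """A client that writes token-named files must refuse anything outside the
    base64url alphabet, or a hostile or buggy server could steer the write
    with "../" segments."""
    return bool(TOKEN_RE.match(token))


def key_authorization(token: str, account_jwk: dict) -> str:
    """RFC 8555 section 8.1: token "." thumbprint, the value every challenge proves."""
    if not token_is_safe(token):
        raise ValueError("token contains characters outside the base64url alphabet")
    return f"{token}.{jwk_thumbprint(account_jwk)}"


def http01_resource(domain: str, token: str, account_jwk: dict) -> Tuple[str, str]:
    """HTTP-01 (section 8.3): URL the CA fetches and the exact body it expects there."""
    url = f"http://{domain}/.well-known/acme-challenge/{token}"
    return url, key_authorization(token, account_jwk)


def dns01_record(domain: str, token: str, account_jwk: dict) -> Tuple[str, str]:
    """DNS-01 (section 8.4): TXT record name and value (base64url SHA-256 of the key authorization)."""
    digest = hashlib.sha256(key_authorization(token, account_jwk).encode("ascii")).digest()
    return f"_acme-challenge.{domain}", b64url(digest)


def ca_accepts_http01(body: bytes, token: str, account_jwk: dict) -> bool:
    """CA side of HTTP-01: the fetched body must equal the key authorization.
    Trailing whitespace is tolerated (section 8.3); any other difference fails."""
    return body.decode("ascii", errors="replace").rstrip() == key_authorization(token, account_jwk)


if __name__ == "__main__":
    url, body = http01_resource("example.com", SAMPLE_TOKEN, SAMPLE_JWK)
    print("HTTP-01:", url, "->", body)
    name, value = dns01_record("example.com", SAMPLE_TOKEN, SAMPLE_JWK)
    print("DNS-01 :", name, "TXT", value)
```

The same key authorization feeds TLS-ALPN-01, where its SHA-256 digest is placed in the acmeIdentifier extension of the self-signed challenge certificate. Note that the thumbprint is computed over the canonical JSON of the required members only, so it is stable regardless of how the client serialises its account key otherwise.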
The April 2016 GA
Let’s Encrypt entered limited beta in September 2015 and reached General Availability on 12 April 2016. The first operational year:
- In 2016 Let’s Encrypt issues over 20 million certificates
The HTTPS adoption curve turns from slow linear growth (Firefox telemetry put HTTPS page loads at roughly 40% in late 2015) to accelerated growth; Let’s Encrypt is widely acknowledged as a determining factor.
ACME clients
The ACME client ecosystem develops rapidly:
- Certbot (EFF): the official Python client and the most widespread, with plugins for Apache, Nginx and DNS providers
- acme.sh: a shell script needing nothing beyond a POSIX shell plus OpenSSL and curl or wget, popular for minimal setups
- lego: Go library and CLI, embedded in Traefik and early Caddy releases
- Caddy (web server): integrates ACME natively, HTTPS is on by default
- dehydrated: a lightweight Bash alternative
- Integrations for Nginx and HAProxy, and cert-manager for Kubernetes
Client diversity is a sign of protocol health: ACME is a genuinely open standard, not controlled by Let’s Encrypt.
Voluntary limits
Let’s Encrypt issues only DV (Domain Validation) certificates, not OV (Organization Validation) or EV (Extended Validation). The choice is explicit: DV suffices to authenticate the transport (the server holding the key controls that domain name), while OV/EV are niches of debatable value on the modern web. The caveat practitioners should keep in mind is that DV proves control of the name at issuance time, not who operates the site: a phishing domain obtains a DV certificate as easily as anyone else, so a padlock says nothing about the legitimacy of the organisation behind it.
As of 2016 Let’s Encrypt does not issue wildcard certificates; that expansion depends on the maturation of the DNS-01 challenge, the only challenge that can prove control of a whole zone (wildcards arrived with ACME v2 in March 2018, via DNS-01 only).
Governance and transparency
ISRG regularly publishes:
- CPS (Certification Practice Statement): the formal document describing how the CA operates
- Annual WebTrust for CAs audits, a precondition for keeping the root in browser trust stores
- Transparency logs: every Let’s Encrypt certificate is published to Certificate Transparency logs (RFC 6962), so anyone can detect a certificate issued for their domain
The Let’s Encrypt intermediates are cross-signed by IdenTrust’s DST Root CA X3, so they chain to a root already present in browsers while ISRG Root X1 awaits direct inclusion in the trust stores.
Impact on Italian public administration and business
For Italian public administration (PA) and SMEs, Let’s Encrypt has been a concrete enabler:
- Public sites can enable HTTPS without a dedicated budget
- Automated renewal removes the expired-certificate outages that were common before 2016
- AgID guidelines on public website security include ACME as an option
- Italian hosting providers (Aruba, Register.it, TOPhost, OVH IT) offer native integration
Structural milestones
Let’s Encrypt’s success is bound to have consequences beyond ubiquitous HTTPS: the non-profit, automation-first model is replicable to other pieces of critical Internet infrastructure.
References: Let’s Encrypt General Availability (12 April 2016); Internet Security Research Group (ISRG), founding sponsors EFF, Mozilla, Cisco, Akamai, University of Michigan; Certbot (EFF); Certificate Transparency, RFC 6962; ACME clients acme.sh and lego.