Let's Encrypt: the free CA that brought HTTPS everywhere

Let's Encrypt (GA April 2016) by the Internet Security Research Group: free certificate authority, automatic ACME protocol, 90-day certificates, EFF/Mozilla/Cisco backing. The transformation of HTTPS from privilege to web default.


HTTPS was a privilege

Until 2015 enabling HTTPS required buying a certificate from a commercial Certificate Authority (DigiCert, Comodo, GlobalSign, Symantec) — typically EUR 50 to 500 annually per single domain, plus manual CSR generation, domain ownership validation and installation. For small sites, personal blogs and non-profit portals the cost was disproportionate; as a result, the majority of the web operated over cleartext HTTP.

After the Snowden revelations (June 2013), pressure to generalise HTTPS grows. Mozilla and EFF launch HTTPS Everywhere as a browser extension; Google announces HTTPS as a ranking signal; but an infrastructural piece is still missing: a free, automated, accessible CA.

The Internet Security Research Group

In November 2014 the Internet Security Research Group (ISRG) is announced: a California non-profit founded by the Electronic Frontier Foundation, Mozilla, Cisco, the University of Michigan and Akamai. Its goal is launching Let’s Encrypt, a next-generation Certificate Authority with the following stated characteristics:

  • Free certificates for anyone
  • Total automation — no human intervention
  • Short validity (90 days) with automated renewal
  • Transparent audit of the operational process
  • Open source of all software

ACME — Automated Certificate Management Environment

Let’s Encrypt’s technical core is the ACME protocol (Automated Certificate Management Environment), standardised as RFC 8555 in 2019. ACME automates:

  1. Account registration — client generates a key, registers with ACME server
  2. Domain validation — cryptographic challenges to prove domain control:
    • HTTP-01 — client publishes a token file at http://domain/.well-known/acme-challenge/
    • DNS-01 — client publishes a TXT record at _acme-challenge.domain
    • TLS-ALPN-01 — challenge via TLS extension
  3. Certificate issuance — once validated, CA issues a signed certificate
  4. Renewal — the process is repeatable, typically every 60-80 days

The standard is open: anyone can implement an ACME client or server.
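As an added illustration (not code from the original page nor from any ACME client or server project), the following Python computes what a client publishes for HTTP-01 and DNS-01 and what the CA's validator compares against, following RFC 8555 section 8.1 and the RFC 7638 JWK thumbprint. The account key and token are constructed placeholders, and the CA-side check is a simplified model of the validator's comparison.

```python
import base64
import hashlib
import json


def b64url(data: bytes) -> str:
    """base64url without '=' padding, as RFC 8555 (and JWS) require."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 over the required members only,
    lexicographically ordered, no whitespace. Extra members ('alg', 'use')
    are ignored, so the thumbprint is stable across JWK serialisations."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}
    members = {k: jwk[k] for k in required[jwk["kty"]]}
    canonical = json.dumps(members, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def key_authorization(token: str, account_jwk: dict) -> str:
    """RFC 8555 s8.1: token || '.' || base64url(thumbprint(accountKey)).
    Binding the token to the account key is what stops a third party
    who merely sees the token from completing the challenge."""
    return f"{token}.{jwk_thumbprint(account_jwk)}"


def http01_response_body(token: str, account_jwk: dict) -> str:
    """Body served at http://<domain>/.well-known/acme-challenge/<token>."""
    return key_authorization(token, account_jwk)


def dns01_txt_value(token: str, account_jwk: dict) -> str:
    """TXT value for _acme-challenge.<domain>: base64url(SHA-256(keyAuthorization))."""
    ka = key_authorization(token, account_jwk).encode("ascii")
    return b64url(hashlib.sha256(ka).digest())


def ca_verify_http01(token: str, account_jwk: dict, fetched_body: str) -> bool:
    """Simplified model of the CA validator: recompute the expected key
    authorization from the account key it holds and compare with the body
    fetched from the domain over plain HTTP (port 80)."""
    return fetched_body.strip() == key_authorization(token, account_jwk)


# Constructed placeholders: not a real key and not a token issued by any CA.
ACCOUNT_JWK = {"kty": "EC", "crv": "P-256", "x": "constructed-x",
               "y": "constructed-y", "alg": "ES256"}
TOKEN = "constructed-token-0123456789abcdef"

if __name__ == "__main__":
    print("HTTP-01 body:", http01_response_body(TOKEN, ACCOUNT_JWK))
    print("DNS-01 TXT :", dns01_txt_value(TOKEN, ACCOUNT_JWK))
```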

The April 2016 GA

Let’s Encrypt entered limited beta in September 2015 and reached General Availability on 12 April 2016. The first operational year:

  • In 2016 Let’s Encrypt issues over 20 million certificates
  • By end 2017 surpasses one hundred million active certificates
  • By 2020: HTTPS exceeds 90% of measured web traffic (Firefox Telemetry)

The HTTPS adoption curve transforms from linear growth (~60% late 2015) to accelerated growth; Let’s Encrypt is acknowledged as a determining factor.

ACME clients

The ACME client ecosystem develops rapidly:

  • Certbot (EFF) — official Python client, the most widespread, with plugins for Apache, Nginx, DNS providers
  • acme.sh — shell script, zero dependencies, wildly popular for minimal configurations
  • lego — Go library + CLI, used by Traefik, Caddy
  • Caddy (web server) — natively integrates ACME, automatic HTTPS
  • dehydrated — Bash, lightweight alternative
  • Integrated modules/plugins in Nginx, HAProxy, cert-manager (Kubernetes)

Client diversity shows protocol health: ACME is truly an open standard, not controlled by Let’s Encrypt.

Voluntary limits

Let’s Encrypt issues only DV (Domain Validation) certificates, not OV (Organization Validation) nor EV (Extended Validation). The choice is explicit: DV suffices to certify transport authenticity (the server speaks for that domain), while OV/EV are niches of debatable value in the modern web.

Wildcard certificates were not issued until March 2018, when DNS-01 validation made wildcard issuance safe, since it requires proof of control over the domain's DNS.

Governance and transparency

ISRG regularly publishes:

  • CPS (Certification Practice Statement) — formal operational practice document
  • Annual WebTrust audit, a requirement for keeping the root CA in browser trust stores
  • Transparency logs — all Let’s Encrypt certificates are published in Certificate Transparency logs (RFC 6962)

The root CA is included in Chrome, Firefox, Edge, Safari trust stores by 2016-2018 (operating first via IdenTrust cross-signed intermediate).

Impact on public administration (PA) and business

For Italian public administration (PA) and SMEs, Let’s Encrypt has been a concrete enabler:

  • Public sites can enable HTTPS without dedicated budget
  • Automation eliminates certificate expiry risk (recurrent before 2016)
  • AgID guidelines on public site security integrate ACME as an option
  • Italian hosting providers (Aruba, Register.it, TOPhost, OVH IT) offer native integration

Structural milestones

Let’s Encrypt’s success has consequences beyond ubiquitous HTTPS:

  • Replicable model — ISRG later launches the ISRG Root X2 root (2020, ECDSA) for modern algorithms
  • Model extension to other problems: Divvi Up (privacy-preserving metrics based on Prio) and Prossimo; ISRG expands the non-profit model to critical infrastructure
  • Analogous models: ZeroSSL (2018) and Buypass (Norway) adopt ACME

References: Let’s Encrypt GA (12 April 2016). Internet Security Research Group (ISRG). ACME RFC 8555 (March 2019). Founding sponsors: EFF, Mozilla, Cisco, Akamai, University of Michigan. Certbot (EFF). Certificate Transparency RFC 6962. Tools: acme.sh, lego, cert-manager.
