Ops Engineer Explains Let’s Encrypt’s Automated TLS/SSL Certificate Issuance


Let’s Encrypt is a free, automated and open Certificate Authority issuing digital certificates for website encryption globally. Let’s Encrypt is a service provided by the Internet Security Research Group (ISRG), a public benefit organization with a mission to reduce financial, technological, and educational barriers to secure communication over the Internet. Let’s Encrypt secures communication for more than 40 million websites.

Jillian Karner, operations engineer at Let’s Encrypt.
In an upcoming presentation at Open Source Summit Japan, Let’s Encrypt technical staff will provide a brief history of the organization’s development and how it has made considered decisions to enable a growing portion of the Web to benefit from the security provided by HTTPS. In this interview, Jillian Karner, operations engineer at Let’s Encrypt, expands upon a key differentiator of Let’s Encrypt: its emphasis on automation.

Jillian is a full-time crypto enthusiast with a passion for a free, open, and secure Web. She has worked for start-ups in the security field since her early college years at Arizona State University, maintaining secure infrastructures and developing encrypted endpoint-to-endpoint applications. She is currently working with Let’s Encrypt and looks forward to a 100% encrypted Web.

Linux.com: Can you give our readers some background on Let’s Encrypt? Why was it developed?

Jillian Karner: Let’s Encrypt is a free, automated, and open source certificate authority. It provides websites and endpoints on the Web a TLS/SSL certificate allowing users to communicate to those sites through an encrypted Web session. By having a web server configured with a TLS/SSL certificate, users can reach a site over the HTTPS protocol and know the endpoint has been authenticated and that the communication is encrypted. Let’s Encrypt also worked to write the ACME spec, currently a work-in-progress draft through the Internet Engineering Task Force (IETF), which defines an automated method for issuing certificates. The spec will allow other certificate authorities to create their own ACME-based CA systems and allows the community to write clients that use these issuance systems.

Let’s Encrypt and the related ACME spec were developed with the goal to help encrypt the entire Web. To achieve that, the project was started with the foundation that it needs to be free to reduce the complexity and make it accessible to everyone. And since certificate authorities rely on being trusted, Let’s Encrypt worked to be as transparent as possible from the get-go. The certificate authority software, Boulder, is open-sourced and all the certificates issued are logged to Certificate Transparency and are auditable.

Linux.com: How does automation play into Let’s Encrypt’s approach?

Karner: Automation is a significant part of the Let’s Encrypt ecosystem, both in terms of the certificate issuance protocol and the infrastructure that keeps it running. If you’ve ever attempted to get a certificate before Let’s Encrypt entered the game, you know that every few years or so you had to recall the special commands and steps to issue/renew and deploy a certificate. Even the most proficient system administrators would not look forward to renewing certificates. But the ACME protocol that the Let’s Encrypt certificate authority is developed on enables automatic issuance and renewal of certificates. It was designed to remove the human element of the process and make getting a certificate more accessible for anyone who needs one.

Our team of system administrators has automated most of the processes for maintaining and running Boulder and the related infrastructure. We’ve worked hard to make sure that the environment is available for users with high uptime by using automated checks, repeatable processes, and configuration management tools.

Linux.com: Where do you see automation making a big difference for your users?

Karner: In the case of Let’s Encrypt it makes all the difference. Acquiring certificates is understood to be a tedious task, but with the help of Let’s Encrypt, the intermediary steps are automated and it only requires setting up one of the many available clients to start the process. Once a cert is issued, most clients don’t require any manual work for certificate renewal. Since the work of issuing and renewing is automated, it also enables Let’s Encrypt to offer certificates that are valid for 90 days, which improves security in the certificate ecosystem by preventing a compromised certificate from lasting very long, which is much more effective than techniques like certificate revocation. The automation also trickles down to the end users on the Web and improves security for the user because there will be no lapse in a valid certificate.
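The "no lapse" property above depends on the renewal check running reliably. The following is an added example, not code from the interview or from Let’s Encrypt: a small Python monitor that classifies a certificate's expiry against the 90-day lifetime and a 30-day renewal window (the 30-day figure is assumed here as the common client default, not something the interview states). The sample dates are constructed.

```python
import ssl
import socket
import time
from datetime import datetime, timezone

# Let's Encrypt certificates are valid for 90 days; a 30-day renewal window
# (assumed common client default) leaves room for retries before any lapse.
CERT_LIFETIME_DAYS = 90
RENEW_WITHIN_DAYS = 30

# Constructed "current time" used by the offline demo and the checks below.
SAMPLE_NOW = datetime(2025, 10, 1, 12, 0, 0, tzinfo=timezone.utc)


def classify_expiry(not_after, now=None, renew_within_days=RENEW_WITHIN_DAYS):
    """Classify a notAfter string in the format getpeercert() returns
    (e.g. 'Nov 13 12:00:00 2025 GMT') as 'ok', 'renew-due' or 'expired'.
    Returns (status, days_remaining); days_remaining is negative once expired."""
    expiry_ts = ssl.cert_time_to_seconds(not_after)  # stdlib parser, UTC
    now_ts = time.time() if now is None else now.timestamp()
    days_remaining = (expiry_ts - now_ts) / 86400
    if days_remaining < 0:
        return "expired", days_remaining
    if days_remaining < renew_within_days:
        return "renew-due", days_remaining
    return "ok", days_remaining


def fetch_not_after(host, port=443, timeout=5.0):
    """Connect with full chain validation and return the leaf's notAfter.
    Needs network access; the offline demo below does not call it."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()["notAfter"]


def renewals_per_year(lifetime_days=CERT_LIFETIME_DAYS,
                      renew_within_days=RENEW_WITHIN_DAYS):
    """Issuances per year for a client that renews as soon as the window opens."""
    return 365 / (lifetime_days - renew_within_days)


if __name__ == "__main__":
    # Constructed notAfter values (not real certificates) relative to SAMPLE_NOW.
    for not_after in ("Dec 25 12:00:00 2025 GMT",   # 85 days left -> ok
                      "Oct 20 12:00:00 2025 GMT",   # 19 days left -> renew-due
                      "Sep 20 12:00:00 2025 GMT"):  # 11 days past -> expired
        status, days = classify_expiry(not_after, SAMPLE_NOW)
        print(f"{not_after}: {status} ({days:.0f} days remaining)")
```

Run it on a schedule (cron, systemd timer) against `fetch_not_after(host)` and alert on anything other than `ok`; a `renew-due` result that persists means the ACME client is not doing its job.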

Linux.com: What are the greatest challenges you’ve faced in building and maintaining Let’s Encrypt?

Karner: The greatest challenge has been dealing with rapid growth. There are nearly 34 million active certificates issued by Let’s Encrypt, and we’re not even at two years of operations. We’re constantly working to improve our services and our operations that will keep downtime to a minimum. With so many users, including large integrators that rely on the service, we have to frequently evaluate our infrastructure usage and needs to make sure we stay ahead of the growth that we see.

Linux.com: What has been the most interesting or fulfilling aspect of working on Let’s Encrypt?

Karner: Let’s Encrypt has a great mission in wanting to encrypt the entire Web and enable better security for users. It’s incredible to be a part of that mission and watch the change happen. When the project started, Firefox Telemetry data showed that only 39% of all Web sessions were encrypted. Now, that number has surpassed 55% and is continuing to increase. It’s fulfilling that people like my parents who aren’t very technical can browse the Web securely because websites have an easy, free option to get a cert and provide that for them.

View the full agenda of sessions happening this week at Open Source Summit Japan.