
Let's Encrypt SSL certificate

See also SSL / TLS - Let's Encrypt SSL certificate

Snippet from Wikipedia: Let's Encrypt

Let's Encrypt is a non-profit certificate authority run by Internet Security Research Group (ISRG) that provides X.509 certificates for Transport Layer Security (TLS) encryption at no charge. It is the world's largest certificate authority, used by more than 300 million websites, with the goal of all websites being secure and using HTTPS. The Internet Security Research Group (ISRG), the provider of the service, is a public benefit organization. Major sponsors include the Electronic Frontier Foundation (EFF), the Mozilla Foundation, OVH, Cisco Systems, Facebook, Google Chrome, Internet Society, AWS, NGINX, and Bill and Melinda Gates Foundation. Other partners include the certificate authority IdenTrust, the University of Michigan (U-M), and the Linux Foundation.

Let's Encrypt is a new Certificate Authority (CA) that offers FREE SSL certificates that are just as secure as paid certificates. This project was pioneered to make encrypted connections the default standard throughout the Internet.

The 'Let's Encrypt' project is a large step forward for security and privacy on the Internet.

Benefits

Key benefits of using a Let’s Encrypt SSL certificate:

  • It's free – Anyone who owns a domain can obtain a trusted certificate for that domain at zero cost.
  • It's automatic – The entire enrollment process for certificates occurs painlessly during the native server installation or server configuration process. The certificate renewal occurs automatically in the background.
  • It's simple – There's no payment, no validation emails, and certificates renew automatically.
  • It's secure – Let’s Encrypt serves as a platform for implementing modern security techniques and security best practices.

Difference between a free Let's Encrypt certificate and a paid Sectigo certificate

There is no difference in the encryption protection these certificates offer. However, 'Let's Encrypt' certificates only provide domain validation (DV) certificates. 'Let's Encrypt' certificates do not support Organizational Validation (OV) certificates. View the following link for further details:

https://letsencrypt.org/docs/faq/

What's the difference?

DV certificates can only ensure a secure connection to the website. Anyone with admin rights to the website's panel can add a 'Let's Encrypt' certificate. Once requested in the panel, the certificate is issued and installed automatically.

OV certificates validate everything a DV certificate does, while also validating additional organizational information about who is purchasing the certificate, such as their Name, City, State, and Country. OV certificates may require the user to respond to an email with a verification code, which must then be entered into Sectigo's website. However, this depends on how the DCV process verifies the certificate. View the following article for all steps required:

How do I purchase a professionally-signed SSL certificate?

Should you use a 'Let's Encrypt' or paid Sectigo certificate? If your website is a business that's processing credit cards or transmitting sensitive information (such as an eCommerce site), or has a user login section, you should only use a paid Sectigo certificate. This helps your users ensure the connection is valid and secure.

Simple websites that need the same level of encryption without the absolute guarantee of ownership can continue to use a 'Let's Encrypt' certificate.

Although DV certificates offer the same level of encryption as OV certificates, DV certificates do not display the actual site name within the certificate, meaning visitors are not able to validate the certificate by viewing it. Additionally, these are potentially vulnerable to phishing attacks. For example, a malicious user could create a similar site with a DV certificate to create a forged copy of your online store. For these reasons, DV certificates are not recommended for eCommerce sites that process payment information.

Forcing your website to load securely (HTTPS)

WordPress sites

View the following article for details on how to force your WordPress site to load only using HTTPS:

How do I use an SSL certificate with WordPress?

DreamPress sites

View the following article for details on how to force your DreamPress site to load only using HTTPS:

Forcing HTTPS with DreamPress

All other websites

You can force your website to load securely using HTTPS using an .htaccess file. View the following article for examples:

Forcing HTTPS with an .htaccess file

Rate limits

'Let's Encrypt' has set up rate limitations to help protect their servers. Limits are as follows:

  • Names/Certificate – Limit on how many domain names you can include in a single certificate. This is currently limited to 100 names, or websites, per certificate issued.
  • Certificates/Registered Domain – The limit you could run into through repeated re-issuance. This limit measures certificates issued for a given combination of Public Suffix + Domain (a “registered domain”).
  • Registrations/IP address – Limits the number of registrations you can make in a given time period; currently 10 per IP address every 3 hours. This limit should only affect the largest users of Let's Encrypt.
  • Pending Authorizations/Account – Limits how many times an ACME client can request a domain name be authorized without actually fulfilling the request itself. This is most commonly encountered when developing ACME clients, and this limit is set to 300.

View the following link for further details:

Let's Encrypt Rate Limits
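As an added illustration (not part of the original article or of any ACME client), the following Python pre-flight checks model the three numeric limits stated above so that an automation script can refuse a request locally before the CA does; the constants are taken from this page and are assumed to be current, and the time windows use plain Unix seconds.

```python
from collections import deque

# Limits as stated on this page (assumed current; the CA's own docs are authoritative).
MAX_NAMES_PER_CERT = 100          # names/websites per issued certificate
MAX_REGISTRATIONS_PER_IP = 10     # account registrations per source IP ...
REGISTRATION_WINDOW_SECONDS = 3 * 3600  # ... per 3-hour window
MAX_PENDING_AUTHZ_PER_ACCOUNT = 300     # authorizations requested but never fulfilled


def check_names_per_cert(names):
    """Return (ok, message) for one certificate order covering `names`.
    Names are normalised (case-folded, trailing dot stripped) and de-duplicated
    before counting, so "A.example." and "a.example" count once."""
    unique = sorted({n.lower().rstrip(".") for n in names})
    if len(unique) > MAX_NAMES_PER_CERT:
        return False, (f"{len(unique)} names requested; limit is {MAX_NAMES_PER_CERT}. "
                       "Split the order into several certificates.")
    return True, f"{len(unique)} names (limit {MAX_NAMES_PER_CERT})"


class RegistrationTracker:
    """Sliding-window counter of account registrations per source IP."""

    def __init__(self):
        self._events = {}  # ip -> deque of registration timestamps (seconds)

    def allow(self, ip, now):
        """Record a registration from `ip` at time `now` if under the limit."""
        q = self._events.setdefault(ip, deque())
        while q and now - q[0] >= REGISTRATION_WINDOW_SECONDS:
            q.popleft()  # drop events that have aged out of the 3-hour window
        if len(q) >= MAX_REGISTRATIONS_PER_IP:
            return False
        q.append(now)
        return True


class PendingAuthzTracker:
    """Tracks authorizations an account has requested but not yet completed,
    the situation a client under development most often runs into."""

    def __init__(self):
        self.pending = set()  # identifiers (e.g. domain names) awaiting challenge completion

    def request(self, identifier):
        if identifier in self.pending:
            return True  # re-requesting an open authorization adds nothing
        if len(self.pending) >= MAX_PENDING_AUTHZ_PER_ACCOUNT:
            return False
        self.pending.add(identifier)
        return True

    def fulfil(self, identifier):
        """Call once the challenge for `identifier` succeeded or was cancelled."""
        self.pending.discard(identifier)
```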

FAQs

How long is the certificate valid?

SSL certificates generated by Let's Encrypt automatically renew every 60 days. This is for two reasons, as stated in their blog post:

They limit damage from key compromise and mis-issuance since stolen keys and mis-issued certificates are valid for a shorter period of time.

They encourage automation, which is absolutely essential for ease-of-use. This takes the burden off system administrators to manually handle renewals. Once issuance and renewal are automated, shorter lifetimes won’t be any less convenient than longer ones.

What level of encryption is available?

RSA-signed using 4096-bit RSA keys.

Are wildcard certificates available for use?

No. Although 'Let's Encrypt' offers wildcard certificates, it is currently not possible to use them at DreamHost. If you need SSL certificates on your subdomains, you must enable them individually.

What browsers support Let's Encrypt certs?

Certificates are trusted in all major browsers. View the blog post here:

https://letsencrypt.org/2015/10/19/lets-encrypt-is-trusted.html

See also

Internal links

Adding a free Let's Encrypt certificate

SSL certificates overview

External links

Let's Encrypt official site

Let's Encrypt documentation

Let's Encrypt at Wikipedia

Let's Encrypt and DreamHost (blog post)

Let's Encrypt rate limits

let_s_encrypt_ssl_certificate.txt · Last modified: 2024/04/28 03:25 (external edit)