Overview#

Let’s Encrypt is a free, automated, and open Certificate Authority (CA), run for the public’s benefit provided by the Internet Security Research Group (ISRG).

Lets encrypt runs Boulder

The key principles behind Let’s Encrypt are:

• Free: Anyone who owns a domain name can use Let’s Encrypt to obtain a trusted certificate at zero cost.
• Automatic Certificate Management Environment (ACME): Software running on a web server can interact with Let’s Encrypt to painlessly obtain a certificate, securely configure it for use, and automatically take care of Certificate Renewal.
• Secure: will serve as a platform for advancing TLS security best practices, both on the CA side and by helping site operators properly secure their servers.
• Certificate Transparency: All certificates issued or Revoked Certificate will be in the Public Domain recorded and available for anyone to inspect.
• Open: The automatic issuance and renewal protocol will be published as an Open Standard that others can adopt.
• Cooperative: Much like the underlying Internet protocols themselves, Let’s Encrypt is a joint effort to benefit the community, beyond the control of any one organization.

Why ninety-day lifetimes for certificates?[2]#

Nov 9, 2015 Josh Aas, ISRG Executive Director

We’re sometimes asked why we only offer certificates with ninety-day lifetimes. People who ask this are usually concerned that ninety days is too short and wish we would offer certificates lasting a year or more, like some other CAs do.

Ninety days is nothing new on the Web. According to Firefox Telemetry, 29% of TLS transactions use ninety-day certificates. That’s more than any other lifetime. From our perspective, there are two primary advantages to such short certificate lifetimes:

• They limit damage from key compromise and mis-issuance. Stolen keys and mis-issued certificates are valid for a shorter period of time.
• They encourage automation, which is absolutely essential for ease-of-use. If we’re going to move the entire Web to HTTPS, we can’t continue to expect system administrators to manually handle renewals. Once issuance and renewal are automated, shorter lifetimes won’t be any less convenience than longer ones.

For these reasons, we do not offer certificates with lifetimes longer than ninety days. We realize that our service is young, and that automation is new to many subscribers, so we chose a lifetime that allows plenty of time for manual renewal if necessary. We recommend that subscribers renew every sixty days. Once automated renewal tools are widely deployed and working well, we may consider even shorter lifetimes.

More Information#

There might be more information for this subject on one of the following:

• Automatic Certificate Management Environment
• Boulder
• Certbot
• Domain Validated Certificate

---

• [#1] - Let’s Encrypt - based on information obtained 2015-11-29
• [#2] - Why ninety-day lifetimes for certificates? - based on information obtained 2015-11-29