So for a few weeks I have been playing with a great new service that offers free browser trusted certificates but without human intervention.
This service is called Lets Encrypt
So this service is currently in beta so use carefully.
So anyone who has gone through the process of securing a website knows it can be a real pain. The first stage is getting the certificate from a supplier where there are normally some forms you have to complete to prove your identity etc.
Once you have the certificate you then need to install them on the appropriate web server.
The second stage is renewing them which again is normally a manual process. Its surprising how painful this can be as well, especially if you forget to renew 🙂
Lets Encrypt attempts to automate this whole process.
You don’t need to worry about validation emails, no complicated configuration editing or forgetting certificates are about to expire which breaks your site.
Lets Encrypt supplies a number of tools that automate the renewal of their certificates. The certificates have a maximum life of 90 days.
The reason for this is to limit damage if a key is stolen but also to encourage automation. Once setup, Lets Encrypt will allow you keep renewing the certificate, in an automated way, every 90 days.
You cannot extend the life time but you can reduce it, with 60 days being the recommendation.
Here are some example instructions on how to get it going
You can grab a copy from github:
git clone https://github.com/letsencrypt/letsencrypt
You can then install it by running letsenrypt-auto :
2. Using the client
– If you are using Apache under debian , there is a plugin that automates both obtaining and installing the cert:
– Otherwise you can obtain a certificate like this:
./letsencrypt-auto certonly –standalone -d example.com -d www.example.com
3. Renew the certificate
To renew the cert simply run letsencrypt with the same values as in step 2
At the moment its primary for Unix operating systems that include Python 2.6 or 2.8 or 3.x. and most of the testing is around Apache.
So along with Debian I have got this working with OS X Server as well.
So this is a very young but interesting play on certificate renewal.
Personally this is a great win for any test rigs I am currently playing with.
More info can be found Lets Encrypt