Let's Encrypt is a free, automated, and open certificate authority (CA) run by the Internet Security Research Group (ISRG). It provides X.509 certificates for TLS encryption at no cost, facilitating the global transition from HTTP to secure HTTPS connections.
Technical Implementation
The service utilizes the ACME (Automated Certificate Management Environment) protocol to automate issuance and renewal. A client-side agent, such as certbot, proves domain ownership by completing challenges (HTTP-01 or DNS-01). Once verified, the agent generates a key pair and receives a signed certificate from the CA infrastructure.
- Automation: Certificates are designed to be renewed automatically via shell scripts or server plugins.
- Validity: Each certificate is valid for 90 days to encourage automation and minimize the impact of key compromise.
- Openness: All issuance records are published to Certificate Transparency logs for public auditing.
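The HTTP-01 and DNS-01 challenges mentioned above both reduce to one value, the key authorization, which binds the CA's challenge token to the ACME account key. The following is an added example, not code from Let's Encrypt or certbot. It derives what a client must publish for each challenge type as specified in RFC 8555 and RFC 7638, and the account key (JWK), token and function names in it are constructed for illustration.

```python
import base64
import hashlib
import json
import re

# Constructed sample inputs: not a real account key or CA-issued token.
SAMPLE_JWK = {"kty": "EC", "crv": "P-256", "x": "AAAA", "y": "BBBB", "kid": "ignored"}
SAMPLE_TOKEN = "constructed-token_0123456789"

# Only these members enter the thumbprint (RFC 7638, section 3.2).
REQUIRED = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}


def b64url(data: bytes) -> str:
    """Base64url without padding, the encoding ACME uses throughout."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def canonical_jwk(jwk: dict) -> bytes:
    """Required members only, keys sorted, no whitespace."""
    members = {k: jwk[k] for k in REQUIRED[jwk["kty"]]}
    return json.dumps(members, sort_keys=True, separators=(",", ":")).encode()


def thumbprint(jwk: dict) -> str:
    return b64url(hashlib.sha256(canonical_jwk(jwk)).digest())


def key_authorization(token: str, jwk: dict) -> str:
    # Tokens are base64url only; rejecting anything else keeps a
    # malformed token from being used as a file path on the web server.
    if not re.fullmatch(r"[A-Za-z0-9_-]+", token):
        raise ValueError("token contains characters outside base64url")
    return f"{token}.{thumbprint(jwk)}"


def http01_resource(domain: str, token: str, jwk: dict):
    """URL the CA fetches over port 80 and the exact body it expects."""
    url = f"http://{domain}/.well-known/acme-challenge/{token}"
    return url, key_authorization(token, jwk)


def dns01_record(domain: str, token: str, jwk: dict):
    """TXT record name and value; a wildcard validates at its base name."""
    base = domain[2:] if domain.startswith("*.") else domain
    digest = hashlib.sha256(key_authorization(token, jwk).encode()).digest()
    return "_acme-challenge." + base, b64url(digest)
```

Because the thumbprint covers only the public account key, a challenge response copied from another account does not validate.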
As of 2024, Let's Encrypt has issued over 3 billion certificates, securing hundreds of millions of websites. While it provides robust Domain Validation (DV), it does not offer Organization Validation (OV) or Extended Validation (EV) certificates, as those require manual identity verification processes.