I gave a talk recently at Ottawa Cocoaheads on Let’s Encrypt, a new certificate authority that just came out of “beta”. I’ve used this service to secure two web sites that I run with great success. I have high hopes that Let’s Encrypt is an important part of a more democratic, secure web.
I’ve run SSL/TLS web sites for a long time now, and the process today hasn’t changed much in the last many years, aside from certification authorities doing less checking on certificate holders but continuing to charge high prices for certificates. I’m excited that Let’s Encrypt is a departure from the tedious history of certificate authorities, with an open and transparent process, open standards and open source software.
Here are the slides (PDF) for my talk. Although I present a sample configuration and commands that I used to set up this blog’s SSL certificate, these will get out of date very fast, I’m sure. I highly recommend you review the Let’s Encrypt Getting Started page instead to make sure you get up-to-date instructions. Their client software and plugins are just getting started and I’m sure more and better automation tools will be available soon.
Your certificate is only one part of configuring a secure web service (or other secure service like email, SSH, etc.). Make sure you follow best practices for your server software and test your configuration.
- Qualys SSL Labs site tester – very useful for testing your SSL site configuration for common flaws, security issues and certificate validity
- Apache SSL guide
- Nginx SSL guide
- Comparison of ACME client software – for alternate client software options
- Let’s Encrypt Community support and FAQ
- ACME standard – this is an in-progress draft standard as I’m writing this