Company Profile

Let's Encrypt

Let's Encrypt is a non-profit certificate authority run by the Internet Security Research Group (ISRG) that provides X.509 certificates for Transport Layer Security (TLS) encryption without charging fees. It is the world's largest certificate authority, used by more than 700 million websites, with the goal of creating a more secure and privacy-respecting web through the widespread adoption of HTTPS. The Internet Security Research Group, the provider of the service, is a public benefit organization. Major sponsors of the ISRG include the Electronic Frontier Foundation (EFF), the Mozilla Foundation, OVHcloud, Cisco Systems, Facebook, Google Chrome, the Internet Society, AWS, Nginx, and the Gates Foundation. Other partners include the certificate authority IdenTrust, the University of Michigan, and the Linux Foundation.

Overview
The mission of the organization is to create a more secure and privacy-respecting World Wide Web by promoting the widespread adoption of HTTPS. Let's Encrypt certificates are valid for 90 days by default, during which renewal can take place at any time. Optionally, certificates can be issued which are valid for 45 days (tlsserver profile) and 6 days (shortlived profile). Issuance and renewal are handled by an automated process designed to replace the manual creation, validation, signing, installation, and renewal of certificates for secure websites. By eliminating payment, web server configuration, validation email management and certificate renewal tasks, it is meant to significantly lower the complexity of setting up and maintaining TLS encryption.

The domain validation (DV) utilized by Let's Encrypt dates back to 2002 and was at first controversial when introduced by GeoTrust before becoming a widely accepted method for the issuance of SSL certificates.

By being as transparent as possible, the organization hopes to both protect its own trustworthiness and guard against attacks and manipulation attempts. For that purpose it regularly publishes transparency reports, publicly logs all ACME transactions (e.g. by using Certificate Transparency), and uses open standards and free software as much as possible.

History
The Let's Encrypt project was started in 2012 by two Mozilla employees, Josh Aas and Eric Rescorla, together with Peter Eckersley at the Electronic Frontier Foundation and J. Alex Halderman at the University of Michigan. Internet Security Research Group, the company behind Let's Encrypt, was incorporated in May 2013. to April 12, 2016. It launched on April 12, 2016.

Through working with software vendors and contacting site operators, Let's Encrypt was able to get 1.7 million of the affected certificates renewed before the deadline. They ultimately decided not to revoke the remaining affected certificates, as the security risk was low and the certificates were to expire within the next 90 days. The mass-revocation event has significantly increased the global revocation rate.

In March 2020, Let's Encrypt was awarded the Free Software Foundation's annual Award for Projects of Social Benefit. On February 27, 2020, Let's Encrypt announced having issued a billion certificates. In April 2022, Let's Encrypt was awarded the Levchin Prize for “fundamental improvements to the certificate ecosystem that provide free certificates for all”. As of 2025, Let's Encrypt serves more than 700 million websites worldwide, making it the largest certificate authority in the world. In January 2025, Let's Encrypt announced the retirement of its free email expiry notifications and recommended Red Sift Certificates Lite as its certificate monitoring service.

Technology
Chain of trust

ISRG Root X1 (RSA)
In June 2015, Let's Encrypt announced the generation of their first RSA root certificate, ISRG Root X1. The root certificate was used to sign two intermediate certificates,

ACME protocol
The challenge–response protocol used to automate enrolling with the certificate authority is called Automatic Certificate Management Environment (ACME). It can query either Web servers or DNS servers controlled by the domain covered by the certificate to be issued. Based on whether the resulting responses match the expectations, control of the enrollee over the domain is assured (domain validation). The ACME client software can set up a dedicated TLS server that gets queried by the ACME certificate authority server with requests using Server Name Indication (Domain Validation using Server Name Indication, DVSNI), or it can use hooks to publish responses to existing Web and DNS servers.

The validation processes are run multiple times over separate network paths. Checking whether DNS entries are provisioned is done from multiple geographically diverse locations to make DNS spoofing attacks harder to carry out.

ACME interactions are based on exchanging JSON documents over HTTPS connections. Prior to the completion and publication of RFC 8555, Let's Encrypt implemented a pre-standard draft of the ACME protocol. RFC 8555 introduced breaking changes and as such it has been dubbed ACMEv2. Let's Encrypt implemented the new version and started pushing existing clients into upgrades. The nudging was implemented with intermittent down-times of the ACMEv1 API. The end-of-lifetime was announced with dates and phases in "End of Life Plan for ACMEv1". Since November 8, 2019, ACMEv1 no longer accepts new account registrations. Since June 2020, ACMEv1 stopped accepting new domain validations. From January 2021, ACMEv1 underwent 24-hour brownouts. The ACMEv1 API was turned off completely on June 1, 2021.

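The "expectations" the CA compares responses against in the ACME protocol section above can be computed by hand. The following is an added example, not code from Let's Encrypt or Boulder: it derives the RFC 8555 HTTP and DNS challenge values from an account key and token, then applies a check across several vantage points. The account key, token, vantage-point model and `max_failures` threshold are constructed assumptions.

```python
import base64
import hashlib
import hmac
import json

# Constructed sample values (not a real account key or CA-issued token).
ACCOUNT_JWK = {"kty": "EC", "crv": "P-256",
               "x": "ZXhhbXBsZS14LWNvb3JkaW5hdGU", "y": "ZXhhbXBsZS15LWNvb3JkaW5hdGU"}
TOKEN = "constructed-token-0001"

# RFC 7638: hash only these members, sorted by name, with no whitespace.
_REQUIRED = {"EC": ("crv", "kty", "x", "y"), "RSA": ("e", "kty", "n")}

def b64url(data: bytes) -> str:
    """Base64url without padding, the encoding ACME uses throughout."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def jwk_thumbprint(jwk: dict) -> str:
    members = {name: jwk[name] for name in _REQUIRED[jwk["kty"]]}
    canonical = json.dumps(members, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())

def key_authorization(token: str, account_jwk: dict) -> str:
    """RFC 8555 section 8.1: token, a dot, then the account key thumbprint."""
    return f"{token}.{jwk_thumbprint(account_jwk)}"

def http01_expectation(domain: str, token: str, account_jwk: dict):
    """URL the CA fetches and the exact body it expects (RFC 8555 section 8.3)."""
    url = f"http://{domain}/.well-known/acme-challenge/{token}"
    return url, key_authorization(token, account_jwk)

def dns01_expectation(domain: str, token: str, account_jwk: dict):
    """TXT record name and value the CA expects (RFC 8555 section 8.4)."""
    digest = hashlib.sha256(key_authorization(token, account_jwk).encode()).digest()
    return f"_acme-challenge.{domain}", b64url(digest)

def validated(expected: str, observed: dict, max_failures: int = 0) -> bool:
    """observed maps a vantage point to the value seen there (None = no answer).
    max_failures is an illustrative policy knob, not the CA's actual threshold."""
    bad = [vp for vp, value in observed.items()
           if value is None
           or not hmac.compare_digest(value.strip().encode(), expected.encode())]
    return bool(observed) and len(bad) <= max_failures
```

Because the value is bound to the account key thumbprint, a response published for one ACME account does not validate a challenge issued to another, and a spoofed answer seen from only one network path fails the multi-perspective check.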
Software implementation
The certificate authority consists of a piece of software called Boulder, written in Go, that implements the server side of the ACME protocol. It is published as free software with source code under the terms of version 2 of the Mozilla Public License (MPL). Initially, Let's Encrypt developed its own ACME client – Certbot – as an official implementation. This has been transferred to the Electronic Frontier Foundation and its name "letsencrypt" has been changed to "certbot". There is a large selection of ACME clients and projects for a number of environments developed by the community.