Let's Encrypt updates certificate automation, adds splats

ACME v2 and Wildcard Certificates now live

Let's Encrypt has updated its certificate automation support and added Wildcard Certificates to its system.

Certificate automation replaces what are otherwise manual and ad hoc mechanisms to apply for an X.509 certificate, and for the applicant's admins to prove they manage the domain in the certificate.

ACME is the automation standard Let's Encrypt first wrote. It is described in the IETF ACME draft (the proposed version is in its tenth edit).

Written with input from Let's Encrypt, Cisco, the EFF and the University of Michigan, the ACME v2 document says the manual certificate application process looks like this:

  • Create the certificate signing request (CSR) and paste it into a certificate authority's (CA's) Web page;
  • Prove domain ownership by answering a challenge from the CA (either on its Web page, in a DNS record, or via e-mail to an admin at the CA); and
  • Download and install the certificate.

ACME is designed to get rid of the “out-of-band” human interaction in the process, so that getting a CA-provided certificate is “nearly as easy to deploy … as with a self-signed certificate”, the standard says.

It uses JSON messages over HTTPS to carry the certificate action requests. Once a user has registered an ACME account, there are four steps to get a certificate: submit the order, prove you control the domain (the standard supports a number of challenge-response formats for this), submit a CSR, and download the issued certificate.

To use ACME for certificate automation, you need a compatible client. As well as Let's Encrypt's recommended Certbot, the project lists another 70-plus clients, plus libraries for nine languages.

The automated process is rate-limited under existing Let's Encrypt rules, with an additional constraint. Applicants using the organisation's ACME v2 endpoint are throttled to 300 new orders per three hours.

Josh Aas of the Internet Security Research Group announced the feature in a post that also noted ACME v2 support is needed for the second Let's Encrypt feature announcement, Wildcard Certificates, which were expected in January.

For non-CA experts: Wildcard Certificates apply one certificate to multiple subdomains under a master domain. That way, if you need to secure blogs.foo.com, images.foo.com, news.foo.com and www.foo.com with HTTPS, you can use a single certificate for all of them.

Wildcard applications must be validated with the DNS-01 challenge, meaning admins will have to publish a DNS record to prove they have the right to request the certificate.

As this post explained, the ACME v2 RFC is still undergoing edits: “We intend to make our v2 endpoint implement the final ACME RFC, so there may be some further small changes, which we will pre-announce in the same API Announcements category as this post. We aim to keep these changes to a minimum”. ®

Biting the hand that feeds IT © 1998–2022