Jump to content

Let’s Encrypt

Let’s Encrypt is a free, automated, and open Certification Authority operated by the nonprofit Internet Security Research Group (ISRG).[1] It issues publicly-trusted TLS certificates primarily through automated Domain Validation workflows using the Automatic Certificate Management Environment (ACME) protocol. In practice, this significantly lowers the cost and friction of deploying HTTPS at scale, making security on the Web easier to enforce.[2][3]

From an Internet governance perspective, Let’s Encrypt is best understood as a major “baseline-shifter” in the Web PKI: it expanded encrypted-by-default deployment capacity for small and medium operators while remaining subject to the same root program oversight and CA ecosystem rules as other publicly-trusted CAs (notably CA/Browser Forum Baseline Requirements and related root store policies).[4]

Automation and ACME[edit | edit source]

Let’s Encrypt’s model is built around ACME, an IETF standard that enables automated certificate issuance, renewal, and revocation by proving control over a domain name via standardized challenges (e.g., HTTP-01, DNS-01).[3][2] This automation-first design encourages short certificate lifetimes and routine renewal, with guidance to renew default 90-day certificates on a roughly 60-day cadence.[5]

Trust anchors and operational milestones[edit | edit source]

Let’s Encrypt’s trust is anchored in the Web PKI through distribution of its root certificate (ISRG Root X1) via major browser/OS root programs, a prerequisite for broad interoperability at Internet scale.[6]

A widely cited ecosystem event was the expiration of the IdenTrust DST Root CA X3 certificate on September 30, 2021, which exposed long-tail device and trust-store lag risks and highlighted the governance relevance of root distribution choices and compatibility trade-offs.[7]

Web PKI governance touchpoints[edit | edit source]

Although free and high-volume, Let’s Encrypt remains constrained by the same “private governance” framework that shapes the public CA ecosystem, including CA/Browser Forum Baseline Requirements and root program compliance expectations.[4]

Two governance-relevant intersections with naming infrastructure are:

  • Certification Authority Authorization (CAA): DNS records allowing domain holders to restrict which CAs may issue certificates for their domains; Let’s Encrypt documents CAA support and ties it to RFC 8659 processing rules.[8][9]
  • Rate limits: operational controls that manage abuse and stability but also function as “soft policy” by shaping how quickly large-scale issuance/rotation can occur in practice.[10]

Let’s Encrypt also participates in and operates infrastructure related to Certificate Transparency (CT), supporting the broader accountability regime that makes publicly-trusted certificate issuance more observable and monitorable across the ecosystem.[11]

Lifecycle direction[edit | edit source]

Let’s Encrypt has published plans to reduce certificate validity periods over time, including a roadmap to reduce default lifetimes from 90 days to 45 days by 2028 (with intermediate steps).[12] Shorter lifetimes increase dependence on reliable automation and can amplify the operational impact of outages or misconfigurations, making certificate management practices and platform resilience governance-relevant for critical services.

In parallel, Let’s Encrypt announced a transition away from OCSP toward CRL-based revocation information distribution, including a timeline for dropping OCSP URLs and turning off OCSP responders in 2025.[13]

See also[edit | edit source]

References[edit | edit source]

  1. Let’s Encrypt Documentation Retrieved January 9, 2026
  2. 2.0 2.1 How Let’s Encrypt Works Retrieved January 9, 2026
  3. 3.0 3.1 RFC 8555: Automatic Certificate Management Environment (ACME) Retrieved January 9, 2026
  4. 4.0 4.1 CA/Browser Forum Baseline Requirements – Documents Retrieved January 9, 2026
  5. Let’s Encrypt FAQ Retrieved January 9, 2026
  6. Let’s Encrypt Root Trusted By All Major Root Programs Retrieved January 9, 2026
  7. DST Root CA X3 Expiration (September 2021) Retrieved January 9, 2026
  8. Certificate Authority Authorization (CAA) Retrieved January 9, 2026
  9. RFC 8659: DNS Certification Authority Authorization (CAA) Resource Record Retrieved January 9, 2026
  10. Rate Limits Retrieved January 9, 2026
  11. Certificate Transparency (CT) Logs Retrieved January 9, 2026
  12. Decreasing Certificate Lifetimes to 45 Days Retrieved January 9, 2026
  13. Ending OCSP Support in 2025 Retrieved January 9, 2026

Allows client/server applications to communicate over the Internet in a way that is designed to prevent eavesdropping, tampering, and message forgery (RFC 8446).

HTTP over Transport Layer Security (TLS), distinguishing secured traffic from insecure traffic by the use of a different server port (RFC 2818).

Hypertext Transfer Protocol. Application-level protocol for distributed, collaborative, hypermedia information systems (RFC 2616).

X.509 Public Key Infrastructure for the Internet (RFC 5280).

Request For Comments. Archival series dedicated to documenting Internet technical specifications, including general contributions from the Internet research and engineering community as well as standards documents (RFC Editor Model, Version 3).

Retrieved from "https://icannwiki.org/index.php?title=Let’s_Encrypt&oldid=1398835"
Semantic properties for "Let’s Encrypt"
RDF feed