“HTTPS everywhere” is happening and that is why KeyCDN recently became a sponsor of Let’s Encrypt, a free, automated, and open certificate authority. We have been working very hard behind the scenes and are happy to announce, as of December 2015, that we offer an integration with Let’s Encrypt that is available to all KeyCDN customers!
What Does This Mean for You?
KeyCDN is excited to be one of the first providers around the globe to offer this integration. For KeyCDN customers, this means no more buying an SSL certificate if you want to use a custom zonealias! That’s right, you can now deploy your https://cdn.domain.com for free. You will still need to purchase an SSL certificate for your web host, but we’ve now got you covered on our end. Web hosts such as Cyon have already added integrations with Let’s Encrypt, and as time goes on you can expect to see more pick it up. Or you can deploy it on your server yourself by following the Let’s Encrypt installation guide.
For companies with Let’s Encrypt integration, this makes the deployment for the end user much easier. There is no more generating a CSR, saving your private key, uploading your certificate and all the back and forth emails. For most deployments, it will now be a simple one-click process.
Also, you have probably noticed we keep referring to them as SSL certificates. Technically they are Transport Layer Security (TLS) certificates. Secure Sockets Layer (SSL) is actually the predecessor to TLS, but they are both frequently referred to as SSL.
Besides the performance benefits of HTTP/2, there are also some advantages when using a custom zonealias (URL) vs shared SSL.
- If you use the custom URL you can use the sitemap method to view indexed images data. If you use the shared SSL zone URL, you will not be able to view this data. You could still use the URL search operator.
- You have full control over it and can switch CDN providers more easily while retaining the same URLs.
- The domain name will contain keywords relevant to your site. This can make for better branding, as people will see your URLs.
Back in 2012, Josh Aas and Eric Rescorla, two Mozilla employees, felt the need to increase the rate of SSL/TLS deployment and decided to create a new free certificate authority (CA). This eventually turned into the organization Let’s Encrypt. It is built on a foundation of cooperation and openness that lets everyone be up and running with basic server certificates for their domains through a simple one-click process. Let’s Encrypt officially entered public beta on December 3rd, 2015.
According to the Let’s Encrypt stats, there have already been over 1.5 million certificates issued.
There are quite a few invalid challenges still happening. But this will get better over time.
Here is a look at the TLDs being used by the certificates. After .coms, it is interesting to note that the European market seems to be heavily adopting Let’s Encrypt at a fast rate.
Let’s Encrypt Transparency
Let’s Encrypt is also dedicated to transparency in its operations and submits all certificates to Certificate Transparency logs as they are issued. You can view all issued Let’s Encrypt certificates at crt.sh, a free CT log certificate search tool from COMODO.
Certificate Transparency is an open framework for monitoring the TLS/SSL certificate system and auditing specific TLS/SSL certificates. It aims to remedy certificate-based threats by making the issuance and existence of SSL certificates open to everyone.
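Because every Let’s Encrypt certificate lands in public CT logs, a site owner can watch those logs for certificates covering their own hostnames. The following is an added example, not KeyCDN’s, Let’s Encrypt’s or crt.sh’s own code: it parses records in the shape of crt.sh’s JSON search output (https://crt.sh/?q=%25.example.com&output=json) and flags certificates from an issuer you did not expect, certificates that cover hostnames you never requested, and certificates inside a renewal window. The sample records, the issuer strings and the 30-day renewal window are constructed assumptions for the example, not real issuances.

```python
"""Audit Certificate Transparency records for your CDN hostnames.

Added example, not KeyCDN's, Let's Encrypt's or crt.sh's code. The records are
constructed in the shape of crt.sh's JSON output so the audit runs offline;
issuer names, ids and dates are made-up sample values.
"""
import json
from datetime import datetime, timedelta
from typing import Dict, List, Union

# Constructed sample (not real issuances). crt.sh separates multiple SANs in
# name_value with newlines, and dates are ISO 8601 without a timezone.
CONSTRUCTED_CT_JSON = json.dumps([
    {"id": 1001, "issuer_name": "C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3",
     "name_value": "cdn.example.com",
     "not_before": "2016-03-01T10:00:00", "not_after": "2016-05-30T10:00:00"},
    {"id": 1002, "issuer_name": "C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3",
     "name_value": "example.com\nwww.example.com",
     "not_before": "2016-04-15T08:00:00", "not_after": "2016-07-14T08:00:00"},
    {"id": 1003, "issuer_name": "C=XX, O=Some Other CA, CN=Some Other CA Issuing",
     "name_value": "cdn.example.com\nlogin.example.com",
     "not_before": "2016-05-01T00:00:00", "not_after": "2017-05-01T00:00:00"},
])

Timestamp = Union[str, datetime]


def _as_datetime(value: Timestamp) -> datetime:
    """Accept either a datetime or an ISO 8601 string."""
    return value if isinstance(value, datetime) else datetime.fromisoformat(value)


def parse_ct_records(text: str) -> List[Dict]:
    """Normalise crt.sh-style JSON into dicts with parsed dates and lower-cased names."""
    records = []
    for raw in json.loads(text):
        records.append({
            "id": raw["id"],
            "issuer": raw["issuer_name"],
            "names": [n.strip().lower() for n in raw["name_value"].split("\n") if n.strip()],
            "not_before": _as_datetime(raw["not_before"]),
            "not_after": _as_datetime(raw["not_after"]),
        })
    return records


def audit_ct_records(records: List[Dict], expected_names, allowed_issuer_substring: str,
                     now: Timestamp, renew_within_days: int = 30) -> Dict[str, List[int]]:
    """Return record ids grouped by finding type.

    unexpected_issuer: issuer DN does not contain the CA you use (mis-issuance signal)
    unexpected_name:   certificate covers a hostname you never asked for
    expiring_soon:     currently valid but inside the renewal window (90-day certs)
    """
    now = _as_datetime(now)
    expected = {n.lower() for n in expected_names}
    findings = {"unexpected_issuer": [], "unexpected_name": [], "expiring_soon": []}
    for rec in records:
        if allowed_issuer_substring.lower() not in rec["issuer"].lower():
            findings["unexpected_issuer"].append(rec["id"])
        if not set(rec["names"]) <= expected:
            findings["unexpected_name"].append(rec["id"])
        valid_now = rec["not_before"] <= now <= rec["not_after"]
        if valid_now and rec["not_after"] - now <= timedelta(days=renew_within_days):
            findings["expiring_soon"].append(rec["id"])
    return findings


def issuance_count(records: List[Dict], window_start: Timestamp, days: int = 7) -> int:
    """Count certificates issued in [window_start, window_start + days)."""
    start = _as_datetime(window_start)
    end = start + timedelta(days=days)
    return sum(1 for rec in records if start <= rec["not_before"] < end)


if __name__ == "__main__":
    recs = parse_ct_records(CONSTRUCTED_CT_JSON)
    print(audit_ct_records(recs, ["cdn.example.com", "example.com", "www.example.com"],
                           "Let's Encrypt", "2016-05-10T00:00:00"))
    print("issued in week:", issuance_count(recs, "2016-04-10T00:00:00"))
```

In practice you would feed the function the JSON body returned by the crt.sh search for your domain and run it on a schedule; an `unexpected_issuer` or `unexpected_name` finding is the signal CT exists to surface, and `issuance_count` over a seven-day window is a simple way to stay under a per-domain weekly issuance limit when you automate renewals yourself.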
Domain Validation Only
Let’s Encrypt only supports domain validation certificates, which means you will get a green padlock in your address bar.
They have no plans at the moment to offer organization validation or extended validation certificates because these require human interaction and some form of payment.
How to Enable Let’s Encrypt Certificate
- Navigate to your zone’s advanced settings in the KeyCDN dashboard by going to Zones → Manage → Edit → and select Show Advanced Features.
- Scroll down to the SSL section and from the drop-down list select the LetsEncrypt option.
- Add a CNAME record in your DNS (Zonealias → Zone URL). DNS changes take some time depending on the TTL. Check that your new DNS record is active with the DNS Check Tool.
- Create a Zonealias for that zone. Note: If your zone already has a Zonealias, you must either remove it before changing the SSL option to LetsEncrypt or recreate it afterwards. Further, you cannot add a Zonealias if the CNAME record is not fully propagated.
Once the above steps are completed you will have secured your website with SSL for content delivery between the KeyCDN edge servers and your end users. Note: It will take a minimum of 5 minutes to deploy your new Let’s Encrypt certificate to the edge servers around the globe. We also recommend purging the cache on your zone.
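Step 3 above depends on the CNAME having propagated before you create the Zonealias. As an added example (not KeyCDN’s DNS Check Tool or any of its code), the script below builds a raw DNS CNAME query, parses the reply including name-compression pointers, reports the TTL that governs propagation, and follows the CNAME chain to confirm it ends at the expected Zone URL. The hostnames `cdn.example.com` and `zone-1234.cdn-provider.example` are placeholders, and the resolver address is an assumption you can replace.

```python
"""Check that a Zonealias CNAME points at the Zone URL before enabling Let's Encrypt.

Added example, not KeyCDN's tooling. Builds a DNS CNAME query (RFC 1035 wire
format), parses the answer and checks that the CNAME chain ends at the expected
target. Hostnames are placeholders.
"""
import socket
import struct
from typing import List, Tuple

CNAME = 5  # RR type code for CNAME


def encode_name(name: str) -> bytes:
    """Encode a hostname as length-prefixed DNS labels ending in a zero byte."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(lbl)]) + lbl.encode("ascii") for lbl in labels) + b"\x00"


def decode_name(msg: bytes, offset: int) -> Tuple[str, int]:
    """Decode a (possibly compressed) name at offset; return (name, offset after it)."""
    labels, end, jumped = [], offset, False
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:                      # two-byte compression pointer
            pointer = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            if not jumped:
                end = offset + 2
            jumped, offset = True, pointer
            continue
        if length == 0:
            if not jumped:
                end = offset + 1
            return ".".join(labels), end
        labels.append(msg[offset + 1:offset + 1 + length].decode("ascii"))
        offset += 1 + length


def build_cname_query(name: str, txid: int = 0x1234) -> bytes:
    """Standard query with recursion desired and one CNAME/IN question."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", CNAME, 1)


def parse_cname_answers(msg: bytes) -> List[Tuple[str, str, int]]:
    """Return (owner, target, ttl) for every CNAME record in the answer section."""
    _, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", msg[:12])
    if flags & 0x000F:
        raise ValueError("DNS error, RCODE=%d" % (flags & 0x000F))
    offset = 12
    for _ in range(qdcount):                           # skip the echoed question
        _, offset = decode_name(msg, offset)
        offset += 4                                    # QTYPE + QCLASS
    records = []
    for _ in range(ancount):
        owner, offset = decode_name(msg, offset)
        rtype, _, ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        if rtype == CNAME:
            target, _ = decode_name(msg, offset)
            records.append((owner, target, ttl))
        offset += rdlen
    return records


def cname_chain_reaches(records, alias: str, expected_target: str) -> bool:
    """Follow CNAMEs from alias; True only if the chain ends at expected_target."""
    table = {o.lower().rstrip("."): t.lower().rstrip(".") for o, t, _ in records}
    current, goal = alias.lower().rstrip("."), expected_target.lower().rstrip(".")
    for _ in range(len(table) + 1):                    # bounded, so a CNAME loop cannot hang
        if current == goal:
            return True
        if current not in table:
            return False
        current = table[current]
    return False


def resolve_cname(name: str, server: str = "8.8.8.8", timeout: float = 3.0):
    """Live lookup over UDP (needs network); server is an assumed public resolver."""
    query = build_cname_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(query, (server, 53))
        reply, _ = sock.recvfrom(4096)
    if reply[:2] != query[:2]:
        raise ValueError("transaction ID mismatch")
    return parse_cname_answers(reply)


def build_constructed_response(alias: str, target: str, ttl: int = 300, txid: int = 0x1234) -> bytes:
    """Construct a resolver-style reply (test fixture, not captured traffic)."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)      # QR=1, RD=1, RA=1
    question = encode_name(alias) + struct.pack("!HH", CNAME, 1)
    rdata = encode_name(target)
    answer = b"\xC0\x0C" + struct.pack("!HHIH", CNAME, 1, ttl, len(rdata)) + rdata
    return header + question + answer


if __name__ == "__main__":
    # Offline demonstration with placeholder names; use resolve_cname() for a live check.
    reply = build_constructed_response("cdn.example.com", "zone-1234.cdn-provider.example")
    recs = parse_cname_answers(reply)
    print(recs, cname_chain_reaches(recs, "cdn.example.com", "zone-1234.cdn-provider.example"))
```

Run `resolve_cname("cdn.example.com")` against more than one resolver before creating the Zonealias: a record that is visible at one resolver and absent at another is still propagating, and the returned TTL tells you how long cached negative or stale answers can persist.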
You can also obtain a Let’s Encrypt certificate for your origin server using Certbot. Certbot is an easy-to-use automatic client that fetches and deploys SSL/TLS certificates for your webserver. Certbot was developed by EFF and others as a client for Let’s Encrypt and was previously known as “the official Let’s Encrypt client.”
Some Important Things to Note
Since Let’s Encrypt is still in beta, there are some limitations you should be aware of.
- Currently you are limited to only one Zonealias per zone when using Let’s Encrypt.
- There are currently restrictions in place regarding the number of certificates per domain. The current limit is 20 certificates per registered domain per week.
- Let’s Encrypt certificates are trusted by all major browsers. See list of known issues and March 2016 update in regards to Windows XP Let’s Encrypt certificate support.
- Currently these free certificates offer no warranties, unlike some other SSL certificates. A warranty is insurance for an end user against loss of money when submitting a payment on an SSL-secured site.
- Let’s Encrypt certificates expire every 90 days, but KeyCDN renews them for you automatically on the back-end. There is no need for you to do anything.
The Let’s Encrypt integration is very exciting and it brings us one step further to a more secure web! By allowing people access to free SSL certificates, we can expect the TLS adoption rate to dramatically increase as this eliminates both the cost and complexity of deployment.
Haven’t migrated to HTTPS yet? Now is the time to do so. Check out our HTTP to HTTPS migration guide. Already running shared SSL? Now you can move to a custom zone URL for free, give it a try in your KeyCDN dashboard.
If you experience any difficulties, as this is still in Beta, feel free to chat with us in our community or open up a support ticket.