A solid intro into SSL to understand how lets ecrypt works


#1

Can someone maybe provide some reading material so I can understand how SSL and letsecyrpt works?

I’m trying to understand how letsencrypt came about and how the whole process works at a high level.
I’m just a little confused as to how a free service came about.
Meaning, when you issue a certificate did it have to go through some approval body so that browsers support it? if I create a cert myself, I’m guessing it won’t have much browser support.

Sorry for not being too direct in nature but I don’t have enough background SSL knowledge to ask a more direct question.


#2

Let’s Encrypt went through all the checks to be an approved certificate authority. You can find all the legal documents and Webtrust audits in the Let’s Encrypt repository.

Furthermore, as the Let’s Encrypt root certificate itself isn’t yet trusted by all common browsers (let alone older browsers), the Let’s Encrypt Intermediate certificate (which is used to sign all end-user certificates issued by Let’s Encrypt for free) is cross-signed by a root certificate from a company called IdenTrust. IdenTrust itself is a trusted certificate authority of which the root certificate is in browser root certificate stores for years. It’s also a Gold Sponsor of Let’s Encrypt.

Some day, in the future when old browsers without the Let’s Encrypt root certificate aren’t in use any more, Let’s Encrypt will switch the Intermediate certificate from cross-signed by IdenTrust to signed by Let’s Encrypts own root certificate.


#3

The overall process is that certificate authorities have to apply to browsers to be listed as trusted roots. The browsers (acting on behalf of their users) decide which certificate authorities they consider trustworthy, through each browser’s activity called a “root program” (as in a course of activity, as opposed to a piece of software).

For example, Mozilla’s is described at

https://wiki.mozilla.org/CA

The main thing that a certificate authority has to do in order to apply to be included in a root program is create appropriate policies and infrastructure (like those described in the policy repository that @Osiris linked to) and then be audited through the Webtrust or ETSI certificate authority auditing process to confirm its compliance with its policies.

However, as @Osiris also noted, certificate authorities that directly issue certificates to end users operate as intermediate CAs, which are signed by roots (which may be other organizations, as in the case of IdenTrust signing Let’s Encrypt’s intermediate certificate to approve Let’s Encrypt as a trusted CA). By default, browsers will believe trusted root CAs’ assertions about intermediate CAs’ trustworthiness, so this delegation of trust will be accepted. According to current industry rules, intermediate CAs also have to publish policies and pass through Webtrust or ETSI audits concerning their policy compliance.

Overall, these decisions are made by the web browsers in response to audit statements and also other evidence about CAs’ behavior. For example, browsers have imposed punishments on CAs that they concluded were violating rules or policies or otherwise acting improperly.

You can read about the industry standards that all publicly-trusted CAs’ policies and practices are expected to conform to here:


#4

Wikipedia’s page on Certificate Authorities also gives a variety of information, both technical and organizational.


#5

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.