One of the things I think that would help with understanding library capabilities is to have a list of features.
This is what I am thinking:
Identity Establishment
  Private or Public Keys
  Storage Method (file, cryptostore)
  Support for Password Protected Keys
  Bit and Key Type Support
CSR Generation
  Manual specification
  SAN Support
  Parsing of Config Files
  Support for Web Server Config Files
Validation
  DNS
  HTTP
  TLS-SNI
  Out of Band
  Automatic DNS record creation
    Which DNS providers are supported
    DNS record testing
  HTTP automatic file creation
    Automatic MIME creation (if needed)
    HTTP record testing
  TLS-SNI certificate issuing
    Testing
    Web server mode
JWS Library used
Crypto Library used
ASN1 Library used
BASE64 Library used
Installation of Certificates
  Manual Install Only
  Automatic Install
Renewal of Certificates
  Automatic Renewal
  Automatic Installation
Has anyone done this kind of analysis of the various libraries? If so, does anyone have a link?
Also, I am sure I am missing lots of other things, so I am looking for people to help out.
We break down the issuance process into major steps:
A) Create a Let's Encrypt Account
B) Create a CSR
C) Submit CSR and Choose Challenge
D) Complete Challenge
E) Download Certificate
F) Install Certificate
G) Renew Certificate
Different clients have different ways of going about it.
For example: certbot will go from start to install, whereas a client such as zerossl will not allow you to install and automatically renew certificates.
Also, a bit of theory about how the client, for example, parses config files. I think if this is documented, people can make good decisions about which clients to use and which ones will work in their environments.
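The challenge part of steps C and D (choose a challenge, complete it) is where most of the feature-list items above (DNS record creation, HTTP file creation, record testing) come from, so here is an added worked example of what a client actually has to compute and publish. This is illustration code written for this thread, not code from the original post or from certbot, zerossl or any other client mentioned. It implements the JWK thumbprint (RFC 7638) and the http-01 and dns-01 responses (RFC 8555 sections 8.1, 8.3 and 8.4) with only the Python standard library. The JWK coordinates, the token and the domain are constructed placeholders, not real key material; account creation, CSR generation and request signing (steps A to C) need a crypto library and are not shown.

```python
"""Added worked example: the values an ACME client publishes for the http-01
and dns-01 challenges, derived from the account key's JWK thumbprint.
Not code from the original post or from any ACME client it mentions."""
import base64
import hashlib
import json

# Constructed example inputs (assumptions, not real keys or tokens). The
# coordinates are not a valid P-256 point; a real client loads its account key.
EXAMPLE_JWK = {
    "kty": "EC",
    "crv": "P-256",
    "x": base64.urlsafe_b64encode(b"\x01" * 32).rstrip(b"=").decode("ascii"),
    "y": base64.urlsafe_b64encode(b"\x02" * 32).rstrip(b"=").decode("ascii"),
    "kid": "https://example.invalid/acme/acct/1",  # extra member, ignored below
}
EXAMPLE_TOKEN = "DGyRejmCefe7v4NfDGDKfA"  # constructed, base64url-only as required

BASE64URL_ALPHABET = frozenset(
    "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_"
)

# Members that go into the thumbprint, by key type (RFC 7638 section 3.2,
# RFC 8037 section 2 for OKP). Every other member (kid, alg, use, ...) is ignored.
THUMBPRINT_MEMBERS = {
    "EC": ("crv", "kty", "x", "y"),
    "RSA": ("e", "kty", "n"),
    "OKP": ("crv", "kty", "x"),
}


def b64url(data: bytes) -> str:
    """Base64url without padding, as JOSE and ACME require."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638: SHA-256 over the required members serialised as compact JSON
    with lexicographically ordered keys, then base64url-encoded."""
    kty = jwk.get("kty")
    if kty not in THUMBPRINT_MEMBERS:
        raise ValueError(f"unsupported or missing kty: {kty!r}")
    subset = {name: jwk[name] for name in THUMBPRINT_MEMBERS[kty]}  # KeyError if one is absent
    canonical = json.dumps(subset, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def is_valid_token(token: str) -> bool:
    """RFC 8555 section 8.3: a token contains only base64url characters and no
    padding. Checking this before using the token as a file name is what stops
    a hostile or buggy CA from steering the client outside its webroot."""
    return bool(token) and all(c in BASE64URL_ALPHABET for c in token)


def key_authorization(token: str, jwk: dict) -> str:
    """RFC 8555 section 8.1: token || "." || base64url(JWK thumbprint)."""
    if not is_valid_token(token):
        raise ValueError("challenge token is not a base64url string")
    return f"{token}.{jwk_thumbprint(jwk)}"


def http01_resource(token: str, jwk: dict) -> tuple:
    """(path, body) for http-01: the key authorization is served over plain
    HTTP on port 80 at /.well-known/acme-challenge/<token>."""
    return f"/.well-known/acme-challenge/{token}", key_authorization(token, jwk)


def http01_body_matches(served_body: bytes, token: str, jwk: dict) -> bool:
    """The comparison the CA makes on the fetched body: the key authorization,
    with trailing whitespace ignored (RFC 8555 section 8.3). Handy as the
    client's own 'HTTP record testing' step before requesting validation."""
    try:
        text = served_body.decode("ascii")
    except UnicodeDecodeError:
        return False
    return text.rstrip() == key_authorization(token, jwk)


def dns01_record(identifier: str, token: str, jwk: dict) -> tuple:
    """(name, value) of the TXT record for dns-01: base64url(SHA-256(key
    authorization)) at _acme-challenge.<identifier> (RFC 8555 section 8.4)."""
    digest = hashlib.sha256(key_authorization(token, jwk).encode("ascii")).digest()
    return f"_acme-challenge.{identifier}", b64url(digest)


if __name__ == "__main__":
    path, body = http01_resource(EXAMPLE_TOKEN, EXAMPLE_JWK)
    print("http-01: serve", body, "at", path)
    name, value = dns01_record("example.com", EXAMPLE_TOKEN, EXAMPLE_JWK)
    print("dns-01: publish TXT", name, "=", value)
```

Two things worth noticing in a client comparison: the thumbprint must ignore everything but the required members (a client that hashes the whole JWK, including kid or alg, will fail every challenge), and the token must be validated before it becomes a file name under the webroot, since it is chosen by the CA, not the client.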
I think it might be a bit more complex than it seems at first glance, especially if it is about libraries. Most libraries and some clients are flexible enough to do more than what they offer "out of the box": they can provide challenge/completion hooks or allow keys to be loaded from arbitrary storage rather than just a file. So you might need more than just Yes/No, but also something like "Via plugin" or "Scriptable".
I second the motion. Currently, the documentation for the list of clients is arranged individually, which makes it hard to select the one client that might appeal the best in a specific situation. Having a table that lists all the clients and gives most of the characteristics of each one would be a big help in finding that one client that might meet the specific needs better than the standard one (Certbot).
And my example would be https://en.wikipedia.org/wiki/Comparison_of_web_server_software, which compares various web servers according to a large number of characteristics. Notice how the table is broken into pieces, which handles the large number of characteristics nicely.
The table could be published as part of the LE faq, or it could be added to Wikipedia.