Let’s Encrypt seems to be using a set of CA software either modified or built from scratch. I am curious about the current environment of the Let’s Encrypt Issuance CA hosted by Let’s Encrypt. Let’s Encrypt is a transparent and easily accessible issuing CA for the masses to adopt their own certificates. Managing a CA and its environment is a daunting task (from experience) and all kinds of certification are necessary (WebTrust CA Certification).
1.) Does Let’s Encrypt’s current environment use a particular Sub CA account of another known CA (e.g. a reseller account of Verisign certificates)?
2.) If Let’s Encrypt’s environment hosts its own CA setup, does it use a software keystore for its private CA key or does it use an HSM (do elaborate if possible)?
3.) Do administrators use either a software PKI cert, a hardware-protected PKI cert or simply a password to handle administration of the CA systems?
4.) Is the Let’s Encrypt cryptographic keystore protected by requiring an N out of M split of control or simply a single master control?