Let's Encrypt Issuance Environment Enquiry
Let’s Encrypt seems to be using a set of CA software either modified or built from scratch. I am curious about the current environment of the Let’s Encrypt Issuance CA hosted by Let’s Encrypt. Let’s Encrypt is a transparent and easily accessible issuing CA for the masses to adopt their own certificates. Managing a CA and its environment is a daunting task (from experience), and all kinds of certification are necessary (WebTrust CA Certification).

1.) Does Let’s Encrypt’s current environment use a particular Sub CA account of another known CA (e.g. a reseller account of Verisign certificates)?

2.) If Let’s Encrypt’s environment hosts its own CA setup, does it use a software keystore for its private CA key, or does it use an HSM (do elaborate if possible)?

3.) Do administrators use either a software PKI cert, a hardware-protected PKI cert, or simply a password to handle administration of the CA systems?

4.) Is the Let’s Encrypt cryptographic keystore protected by requiring an N out of M split of control, or simply a single master control?
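
Question 4 asks about "N out of M" control of a CA keystore. As an added illustration of what that means (this is example code written for this page, not Let's Encrypt's software, and it says nothing about how Let's Encrypt actually protects its keys), the block below implements Shamir secret sharing over a prime field: a key is split into M shares, any N of them reconstruct it, and fewer than N reveal nothing. The field prime, the threshold/share counts, and the sample "key" value are constructed for the demonstration.

```python
"""
N-of-M control illustrated with Shamir secret sharing.
Added example for this thread; not Let's Encrypt code. Real custodial
schemes run inside an HSM and split an unwrapping key, not the raw CA key.
"""
import secrets

# Mersenne prime 2^127 - 1 (constructed choice): all share arithmetic is mod P.
P = 2**127 - 1


def _eval_poly(coeffs, x):
    """Evaluate coeffs[0] + coeffs[1]*x + ... + coeffs[k]*x^k mod P (Horner)."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % P
    return acc


def split_secret(secret, threshold, share_count):
    """Split `secret` into `share_count` shares; any `threshold` of them recover it.

    The secret is the constant term of a random polynomial of degree threshold-1;
    share i is the point (i, f(i)).
    """
    if not 0 <= secret < P:
        raise ValueError("secret must be a field element in [0, P)")
    if not 1 < threshold <= share_count:
        raise ValueError("need 1 < threshold <= share_count")
    coeffs = [secret] + [secrets.randbelow(P) for _ in range(threshold - 1)]
    return [(x, _eval_poly(coeffs, x)) for x in range(1, share_count + 1)]


def recover_secret(shares):
    """Lagrange-interpolate the given (x, y) shares at x = 0 to get f(0)."""
    total = 0
    for i, (xi, yi) in enumerate(shares):
        num = den = 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = num * (-xj) % P
                den = den * (xi - xj) % P
        # den is non-zero because share x-coordinates are distinct and < P
        total = (total + yi * num * pow(den, P - 2, P)) % P
    return total


def demo_3_of_5():
    """Split a constructed key 3-of-5 and return (recovered_ok, partial_fails)."""
    key = 0x2F1A9C4E5B6D7081A2B3C4D5E6F70819  # constructed sample value, < P
    shares = split_secret(key, threshold=3, share_count=5)
    full = recover_secret([shares[0], shares[2], shares[4]]) == key
    partial = recover_secret(shares[:2]) != key  # two custodians are not enough
    return full, partial


if __name__ == "__main__":
    print(demo_3_of_5())  # expected: (True, True)
```

The operational point for a CA is that no single administrator (or single stolen credential) can activate the signing key: a quorum of custodians must each contribute a share, which is the control model the "N out of M" phrasing in the question refers to.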
Can I suggest an initial read of the main pages, which answer many of your questions, such as https://letsencrypt.org/certificates/ and https://letsencrypt.org/howitworks/technology/, and a quick search of the forum here.

I’m mainly saying this as I know most of these questions are answered in those places, and I’m not in any position to answer on behalf of LE.