Let’s Encrypt for Companies with KeyChest

Category : https , keychest , letsencrypt

Unifying Let’s Encrypt and Long-term Certificates

Let’s Encrypt has a number of downsides when used on a large scale. It uses modern key management protocols, but the high-level of automation requires management. This is what KeyChest provides.

Each blue box can be just one click.

The “zero” cost of Let’s Encrypt certificates is balanced-out with two main downsides: rate limits and short lifetime of certificates. While it’s great to get a free product, it becomes somewhat dangerous when you start relying on it without giving a proper thought to what should happen in 3 months’ time when you need to renew it.

There is also an adoption barrier as Let’s Encrypt uses an automation for renewals (so called ACMEv2 standard) and it requires a complete change in the way you manage your certificates.

Nevertheless, Let’s Encrypt is a viable option for HTTPS and other encrypted internet services.

The US government has been using Let’s Encrypt on its gateways for some time now – a list of domains from just one such certificate.

There are many instances where operational teams choose to deploy a Let’s Encrypt certificate when an important service went down due to an expired certificate or the time left is too short to follow usual purchasing. Now imagine you have hundreds such certificates – how can you keep on top of them all?

KeyChest is now testing (Dec 2019) a new proxy service, which provides a valuable information about the status of Let’s Encrypt certificates. The use requires a small change to the way you use KeyChest agents – Certbot by setting an HTTPS_PROXY. If your existing command is “certbot renew”, the new version would be:

“export HTTPS_PROXY=https://test.keychest.net:6443; certbot renew”

KeyChest will start logging all your requests and create statistics of your usages of Let’s Encrypt. You will instantly get information about the activity of your Certbot agents and detect issues when they happen – not when your certificates start expiring.

This also helps to comply with Let’s Encrypt rate limits, some of which are fairly strict:

  1. maximum of 5 new certificates per domain per week;
  2. 50 certificates per registered domain per week;
  3. 300 new “orders per account per 3 hours; or
  4. 5 failed validations per account per hour.

Deep Let’s Encrypt Proxy

While the monitoring will get you on top of your Let’s Encrypt usage and reduce the risk of downtimes. Our ambition is to unify ACME and “legacy” certificate issuers.

We achieve that with a deep proxy that does the actual communication with the Let’s Encrypt issuing servers and also validation challenges.

This allows us to forward certificate requests to Let’s Encrypt, Comodo, Symantec, … or any other certificate issuer according to your requirements. To further simplify your IT operations, our proxy architecture allows endpoint agents to be much smaller with fewer dependencies and installation issues.

Keychest agent – one internal proxy per network, is a single gateway with an access control to minimize any new additional risk.

You can either forward (an HTTP reverse proxy) validation requests directly to the KeyChest service, or use our lightweight agents available to the Small Enterprise customers.

Many companies are considering switching to Let’s Encrypt. What we offer is a management service to keep your commercial certificates while simplifying the configuration of your servers and preventing downtimes.

KeyChest has a complete database of all internet certificates and can automatically start monitoring any new servers and services you create – providing you with ongoing 100% coverage of your registered domains.


Web Encryption – Punishment of SMBs by Tech Giants?

Mandating use of HTTPS / SSL certainly seems to have something in common with security certifications like FIPS140-2 or Common Criteria. Very few understand how it really helps, how complex it is but many already know how costly it can be.

“Read More”

KeyChest supports free web encryption

Category : https , keychest , letsencrypt , security

A new version of KeyChest for 2019 with Free personal end-to-end monitoring of up to 500 servers. Most preparations went up in smoke but we made it.

“Read More”

Real-Time Certificate Info – 5,560,000,000 KeyChest Index

We have finally completed a GLOBAL certificate look-up table for real-time notifications in our re-designed KeyChest service. KeyChest has been using an external service to check for new certificates. This has become unsustainable due to the number of users and certificates we monitor.

“Read More”

Automate certificate monitoring with free API – KeyChest

Our certificate monitoring KeyChest has an initial RESTful API for remote enrolment of new certificates and for checking certificate expiry. Its design supports automation without any initial security/authorization setup.

“Read More”

Planning TLS certificate renewals – define a process

This text is about creating a process around planning certificate renewals. As part of our KeyChest re-design, we created a sequence of meaningful checks for TLS certificates to get them always renewed before your web services go down.

“Read More”

Major KeyChest Incident – We Turn It Into Serious Business

KeyChest HTTPS monitoring started small – to help us manage our certificates and its free service grew with interest. It’s the right approach from the business point of view, but it has its dark side. A major incident flashed it out last Saturday.

“Read More”

Let’s Encrypt uptime is 99.9% — or 98.8% without defects in 2017

Category : https , letsencrypt

As I was collecting reliability data for several PKI systems, I included Let’s Encrypt as it’s by far the biggest PKI system I was aware of. It provides its status data and its history at https://letsencrypt.status.io and here’s my informal analysis of its production systems.

“Read More”

Let’s Encrypt certificates with one name on different servers

Category : https , letsencrypt , security

This is an interesting one. The first impulse is to simply answer NO, you can’t do it, that’s the point of HTTPS. But it’s all about networking and one can do quite some magic with proxies, forwarding, and the SNI extension in TLS protocols.

“Read More”

Let’s Encrypt in the spotlight

We have compiled all practical information we could find and written it up at Numbers you need to know. It’s a long list of restrictions, rate limits, and other useful information to keep in mind.  Here’s a few selected points that we found interesting. Big thanks to schoen from Certbot/EFF for pointing out numerous inaccuracies.

“Read More”