Let’s Encrypt, a nonprofit certificate authority launched in 2016, has delivered on its pledge to offer free certificates that enable secure HTTP connections for complete domains.
The organization’s new wildcard certificate service, allowing website operators to secure all subdomains of a domain with a single certificate, should help the Internet become more secure by enabling wider deployment of HTTPS, Josh Aas, executive director of the Internet Security Research Group, wrote in a blog post. (Full disclosure: the Internet Society is a major sponsor of Let’s Encrypt.)
Last July, Let’s Encrypt had promised that it would offer free wildcard certificates. With the recent release of the ACMEv2 [Automatic Certificate Management Environment] Protocol, the organization delivered on that promise.
“Wildcard certificates can make certificate management easier in some cases, and we want to address those cases in order to help get the Web to 100% HTTPS,” Aas wrote. “We’re excited about the prospect of a 100% HTTPS Web and we’re working hard to get there.”
A wildcard certificate isn’t recommended for all websites, Aas noted. In most cases, other certificates, such as single-domain ones, will be more appropriate.
Although wildcard certificates enable streamlined management of HTTPS, some security experts see a potential vulnerability when one is used to secure a large number of websites and the certificate’s private key is compromised. Then, the hacker could use the key to set up a rogue website.
The new wildcard certificates are only available with the new ACMEv2 protocol. To use ACMEv2 for wildcard or non-wildcard certificates, websites will need to be updated to a new ACME client, Aas wrote. Let’s Encrypt will continue to support ACMEv1 for now.