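Trying Out Let’s Encrypt SSL Certificates

Let’s Encrypt (official website) is an open CA project that aims to let every website use HTTPS encryption. The project is supported by organizations including Cisco, Mozilla, Akamai, IdenTrust and the EFF, and is hosted by the Linux Foundation.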

Let’s Encrypt is a free, automated, and open certificate authority (CA), run for the public’s benefit. Let’s Encrypt is a service provided by the Internet Security Research Group (ISRG).

The key principles behind Let’s Encrypt are:

  • Free: Anyone who owns a domain name can use Let’s Encrypt to obtain a trusted certificate at zero cost.
  • Automatic: Software running on a web server can interact with Let’s Encrypt to painlessly obtain a certificate, securely configure it for use, and automatically take care of renewal.
  • Secure: Let’s Encrypt will serve as a platform for advancing TLS security best practices, both on the CA side and by helping site operators properly secure their servers.
  • Transparent: All certificates issued or revoked will be publicly recorded and available for anyone to inspect.
  • Open: The automatic issuance and renewal protocol will be published as an open standard that others can adopt.
  • Cooperative: Much like the underlying Internet protocols themselves, Let’s Encrypt is a joint effort to benefit the community, beyond the control of any one organization.

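I have been following this project's progress since early 2015, and in November Let’s Encrypt finally issued its first certificate. Starting in December, Let’s Encrypt entered public beta. I tried out this so-called free SSL certificate right away.

Installation is not complicated: pull the project code from GitHub, generate the SSL private key locally, add a listener on port 443 in Nginx, and add the SSL key. The installation process is described in detail in Let’s Encrypt's official docs (Doc: https://letsencrypt.readthedocs.org/en/latest/index.html). For WordPress, you also need to adjust the site links in the admin backend slightly: change the URLs to https in Settings and it is ready to use.

Overall, deploying Let’s Encrypt is very easy and user-friendly. It has a simple graphical interface (drawn with text characters), and functionally it can be considered fairly complete. The generated certificates are recognized by mainstream browsers and are already quite suitable for sites without demanding requirements. However, the generated SSL certificate is valid for only three months and has to be regenerated every three months, which adds maintenance cost. Of course, writing a script that regenerates it automatically every three months is the smarter approach.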
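One way to script the renewal mentioned above, as an added example that is not part of the original post: run it daily from cron and renew only when the certificate is inside its last 30 days, so a failed run can be retried before expiry. The certificate path, the `certbot renew` client command, the Nginx reload and all function names are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post. Paths and commands are assumptions.
CERT="${CERT:-/etc/letsencrypt/live/example.com/fullchain.pem}"  # assumed certificate path
RENEW_BEFORE_DAYS="${RENEW_BEFORE_DAYS:-30}"                      # renew in the final 30 days
RENEW_CMD="${RENEW_CMD:-certbot renew --quiet}"                   # assumed ACME client command
RELOAD_CMD="${RELOAD_CMD:-nginx -s reload}"                       # make Nginx pick up the new files

# needs_renewal NOT_AFTER_EPOCH NOW_EPOCH THRESHOLD_DAYS
# Succeeds (exit 0) when the certificate has expired or expires within the threshold.
needs_renewal() {
    [ $(( $1 - $2 )) -le $(( $3 * 86400 )) ]
}

# cert_not_after_epoch PEM_FILE
# Prints the certificate's notAfter time as a Unix epoch (needs openssl and GNU date).
cert_not_after_epoch() {
    end=$(openssl x509 -enddate -noout -in "$1") || return 1
    date -u -d "${end#notAfter=}" +%s
}

# check_and_renew: intended to be run once a day from cron.
check_and_renew() {
    not_after=$(cert_not_after_epoch "$CERT") || {
        echo "cannot read expiry date from $CERT" >&2
        return 2
    }
    if needs_renewal "$not_after" "$(date -u +%s)" "$RENEW_BEFORE_DAYS"; then
        echo "certificate is within $RENEW_BEFORE_DAYS days of expiry, renewing"
        sh -c "$RENEW_CMD" && sh -c "$RELOAD_CMD"
    else
        echo "certificate is valid for more than $RENEW_BEFORE_DAYS days, nothing to do"
    fi
}

# Act only when called as "script.sh run", so the functions can be sourced safely.
if [ "${1:-}" = "run" ]; then
    check_and_renew
fi
```

A non-zero exit from the script means the expiry date could not be read or the renewal failed, which is worth alerting on from cron.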



