The Internet Security Research Group (ISRG), which manages the Let’s Encrypt automated certificate authority service, announced that the service will support wildcard certificates on websites with multiple subdomains.
Let’s Encrypt has had rapid growth since its public debut less than two years ago, with over 100 million certificates having been already issued to website operators. This rapid growth happened partly because it finally made obtaining an HTTPS certificate free, but perhaps even more importantly because it makes it easy to install and update certificates.
Let’s Encrypt manages 45 million certificates that are currently in-use via its fully automated certificate issuance and management API. According to the nonprofit, the number of encrypted pages on the web has increased from 40% to 58% since the service was first made available in 2015.
Despite the high-demand for Let’s Encrypt certificates, not all websites were able to use it, even if they wanted to. Larger websites or blog platforms that have many subdomains couldn’t use Let’s Encrypt because it didn’t support wildcard certificates.
Wildcard certificates can secure an infinite number of subdomains belonging to a base domain. This allows the website operator to use a single certificate and encryption key pair, making it much easier to manage than having to assign a certificate to each subdomain. That would be especially difficult for blogging platforms with millions of subdomains, or platforms that auto-generate subdomain names for their users, such as the security-focused SandStorm.io.
“With wildcards now being offered, organisations who wish to use Let’s Encrypt can now fully automate their certificate issuance processes,” said Ivan Ristić, Feisty Duck, ISRG Technical Advisor, in an email to Tom’s Hardware.
“This is a significant milestone because it will remove manual operations and further reduce friction on the road to a fully encrypted Web. For example, many SaaS providers rely on wildcard DNS to create new accounts on the fly. Matching that with wildcard certificates simplifies and speeds up the process and removes a point of failure,” he added.
Let’s Encrypt will issue wildcard certificates free of charge via the upcoming ACME v2 API starting in January 2018. Base domain validation will only be supported via DNS initially, but additional options may be offered in the future.
The ISRG decided to announce the wildcard certificate in the middle of its summer fundraising campaign because, as a nonprofit, it depends on public donations from both individuals and companies.
Keeping the Let’s Encrypt service well-funded is important not just for the development of new features, but also to ensure that tens of millions– and soon perhaps hundreds of millions–of certificates are issued in a secure way.