by bifurcation 4230 days ago
We're working on an FAQ. This thread has been really helpful in clarifying which Qs are FA :)

With regard to your questions:

> Will it provide wildcard certs?

Not initially, but possibly in a future iteration.

Note that having an automatic CA addresses some of the use cases for wildcard certs. Namely, if you're using a wildcard cert just to avoid having to manage individual certs for foo-1.example.com through foo-N.example.com, you can just have them each automatically get a specific cert.

> How does it auto-renew, does it have to run all the time?

That will depend on the software running on the web server. The current "node-acme" and "lets-encrypt-preview" implementations in the Github repo are examples. Ultimately, in addition to these tools, it would be great to have ACME / LE support built into web server platforms, which are already running all the time.

> Why is the cert for identrustssl not trusted in Chrome or Safari? That doesn't inspire confidence : https://www.identrustssl.com/

I don't know what the story is with that site, but I believe the Let's Encrypt CA will be cross-signed under the same IdenTrust CA that issued the cert for https://letsencrypt.org/. So Let's Encrypt certificates should work wherever that site works (which includes Chrome and Safari, at least on my MacBook).

> Can every CA support issuing certs this way please? :)

I can't speak for other CAs, but we are definitely open to other CAs re-using technologies from Let's Encrypt to automate their operations. It would be even better for them to collaborate in developing the protocol. That's why we wrote ACME up using the IETF's document format, so that it can be developed in the IETF's open process with many stakeholders involved.


> Not initially, but possibly in a future iteration.

OK, good to know.

> Ultimately, in addition to these tools, it would be great to have ACME / LE support built into web server platforms, which are already running all the time.

I see, thanks, hence the emphasis on protocol not product. Great idea, let's hope it takes off, it'd be really nice to be able to just add a config for ssl_on and let the server deal with the rest. I suppose it's early days for discussions with server providers?

> I don't know what the story is with that site

It's weird how old and busted CA sites are, almost without exception. I guess I shouldn't be surprised that a place selling certs doesn't even use them properly, but as you point out, they've issued letsencrypt.org, and that works fine. Good to know.

> So Let's Encrypt certificates should work wherever that site works

This would be a great line for your how it works, rather than browser-trusted, which could mean anything really.

Thanks again for this great idea, looking forward to trying it out.

> I don't know what the story is with that site

Turns out they had the wrong certificate chain provisioned. Seems to be fixed now.
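The "wrong certificate chain provisioned" problem above is the kind of misconfiguration a server-side check can catch before a browser does. This is an added example, not code from the thread or from Let's Encrypt: it builds a constructed three-tier PKI (root, issuing intermediate, site leaf) with the `cryptography` library and then checks whether a chain, as a TLS server would send it (leaf first), actually links each cert to the next and ends at a trusted root.

```python
from datetime import datetime, timedelta, timezone
from cryptography import x509
from cryptography.x509.oid import NameOID
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec

def _name(cn):
    return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])

def make_cert(subject_cn, issuer=None, is_ca=False):
    """Issue a cert for subject_cn; issuer is (cert, key), or None for a self-signed root."""
    key = ec.generate_private_key(ec.SECP256R1())
    issuer_name = issuer[0].subject if issuer else _name(subject_cn)
    signing_key = issuer[1] if issuer else key
    now = datetime.now(timezone.utc)
    cert = (x509.CertificateBuilder()
            .subject_name(_name(subject_cn)).issuer_name(issuer_name)
            .public_key(key.public_key()).serial_number(x509.random_serial_number())
            .not_valid_before(now - timedelta(days=1)).not_valid_after(now + timedelta(days=90))
            .add_extension(x509.BasicConstraints(ca=is_ca, path_length=None), critical=True)
            .sign(signing_key, hashes.SHA256()))
    return cert, key

def _signed_by(cert, parent):
    # True when parent's public key verifies cert's signature over its TBS bytes.
    try:
        parent.public_key().verify(cert.signature, cert.tbs_certificate_bytes,
                                   ec.ECDSA(cert.signature_hash_algorithm))
        return True
    except Exception:
        return False

def check_chain(served, trusted_roots):
    """Return a list of problems with a served chain (leaf first, as a TLS server sends it)."""
    problems = []
    for i in range(len(served) - 1):
        child, parent = served[i], served[i + 1]
        if child.issuer != parent.subject or not _signed_by(child, parent):
            problems.append(f"cert {i} ({child.subject.rfc4514_string()}) is not issued by cert {i + 1}")
    last = served[-1]
    if not any(last.issuer == r.subject and _signed_by(last, r) for r in trusted_roots):
        problems.append(f"chain ends at {last.subject.rfc4514_string()}, which no trusted root signed")
    return problems

# Constructed PKI (hypothetical names): trusted root, issuing intermediate, site leaf.
ROOT, ROOT_KEY = make_cert("Constructed Root CA", is_ca=True)
INTERMEDIATE, INT_KEY = make_cert("Constructed Issuing CA", issuer=(ROOT, ROOT_KEY), is_ca=True)
LEAF, _ = make_cert("www.example.com", issuer=(INTERMEDIATE, INT_KEY))
if __name__ == "__main__":
    print("correct chain:", check_chain([LEAF, INTERMEDIATE], [ROOT]))
    print("missing intermediate:", check_chain([LEAF], [ROOT]))
    print("root served instead of intermediate:", check_chain([LEAF, ROOT], [ROOT]))
```

The second and third cases model the two common provisioning mistakes: serving only the leaf, and serving the root in place of the intermediate that actually signed the leaf.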