Convalesco

Current revision: 0.4

Last update: 2017-03-22 18:42:07 +0200 UTC

The fool doth think he is wise, but the wise man knows himself to be a fool.

W. Shakespeare, As You Like It - 1603 A.D.


Let's Encrypt

Date: 04/11/2015, 23:51

Category: technology



The current CA system is fundamentally broken. However, using Secure Sockets Layer (SSL) protects our services from attacks such as man-in-the-middle (MiTM), gives the website priority with search engines and makes your website faster.

If you run any kind of service, then SSL is paramount. The problem you might face with self-signed certificates is the annoying little red https bar, and the fact that you have to explicitly allow the self-signed certificate in literally every program (or library) you’re going to use.

There is a new initiative called Let’s Encrypt that aims to make SSL omnipresent by issuing certificates for domains free of charge. Let’s Encrypt won’t issue an EV certificate, but you can use the same certificate for multiple domains.

The service is now in public beta, so the number of certificates issued is limited. However, you can still apply using this Google form.

It will take a couple of days, maybe weeks, but at some point you will receive a certificate with installation details. The installation process on FreeBSD is pretty straightforward:

$ git clone https://github.com/letsencrypt/letsencrypt
$ cd letsencrypt
$ sudo ./letsencrypt-auto --agree-dev-preview --server https://acme-v01.api.letsencrypt.org/directory auth
$ ls /etc/letsencrypt/live/domain.name/fullchain.pem

The PEM file is ready to use with NGINX or any other service you might need. Note that these certificates are issued for 90 days only and must be renewed manually for the time being. Later, the renewal process will be automated.
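Since renewal is manual and the certificates last only 90 days, an expiry check run from cron helps catch a certificate before it lapses. The script below is an added example, not part of the original post or of the Let's Encrypt client. It assumes openssl is installed; the function names and the 30-day default threshold are hypothetical choices. openssl reads only the first certificate in fullchain.pem, which is the one issued for the domain.

```shell
#!/bin/sh
# Added example: expiry check for manually renewed Let's Encrypt certificates.
# Assumptions: openssl is installed; the 30-day default threshold is arbitrary.

# cert_status FILE [DAYS] prints one status line and returns
#   0 valid for more than DAYS days, 1 expires within DAYS days,
#   2 already expired, 3 missing or not a parseable certificate.
cert_status() {
    cert=$1
    days=${2:-30}
    if [ ! -r "$cert" ]; then
        echo "UNREADABLE $cert"
        return 3
    fi
    # -enddate fails on non-certificate input, so it doubles as a parse check.
    end=$(openssl x509 -in "$cert" -noout -enddate 2>/dev/null) || {
        echo "INVALID $cert"
        return 3
    }
    end=${end#notAfter=}
    # -checkend N exits non-zero when the certificate expires within N seconds.
    if ! openssl x509 -in "$cert" -noout -checkend 0 >/dev/null 2>&1; then
        echo "EXPIRED $cert (notAfter: $end)"
        return 2
    fi
    if ! openssl x509 -in "$cert" -noout -checkend "$((days * 86400))" >/dev/null 2>&1; then
        echo "RENEW $cert (notAfter: $end)"
        return 1
    fi
    echo "OK $cert (notAfter: $end)"
    return 0
}

# check_live_dir DIR [DAYS]: check each DIR/<domain>/fullchain.pem, return the worst status.
check_live_dir() {
    dir=$1
    limit=${2:-30}
    worst=0
    for f in "$dir"/*/fullchain.pem; do
        [ -e "$f" ] || continue
        rc=0
        cert_status "$f" "$limit" || rc=$?
        if [ "$rc" -gt "$worst" ]; then worst=$rc; fi
    done
    return "$worst"
}

# Example: sh certcheck.sh /etc/letsencrypt/live 30
if [ "$#" -gt 0 ]; then check_live_dir "$@"; fi
```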

There is also StartSSL, which will issue a valid certificate for a specific domain for free. StartSSL will issue the certificate for one year.

I wish GnuPG was pushed as hard as https. Although there are several projects that try to make GPG easy to use, unfortunately they don’t get the deserved traction.