SSL Certificates

LetsEncrypt is a non-profit service that offers free SSL certificates for web servers and uses an automated validation and renewal system.

For validation, the owner, LetsEncrypt, employs a don't call us, we'll call you approach similar to two-factor authentication.

LetsEncrypt sends the owner of the domain a secret key. After that, LetsEncrypt calls the domain the certificate is requested for and asks for the secret key.

LetsEncrypt offers various ways in which it can call the requesting server back. This callback is mandatory. LetsEncrypt can only work for servers that can be reached by LetsEncrypt. The domain must be accessible via the public internet.

An alternative to a trusted public certificate authority (CA), particularly for larger organizations, is running a private Company CA.

In companies with a private Company CA, the SSL certificate is configured as a trusted root on all of the company's devices. This enables the company to issue and sign their own certificates which are trusted by all company devices.

For cloud hosting solutions, a private Company CA can only be used if the server is set up within the company network.

Self-signed certificates are signed by their owner themselves.

For a self-signed certificate, there is no chain of trust above the certificate itself – the owner is its own certification authority.

For a device to trust the certificate, it must be explicitly told that the certificate is trustworthy by adding the certificate as a Trusted Root Certificate Authority.