The future of Certificate Authorities

With the advent of the fully automated and free of cost certificate authorities Let’s Encrypt and StartCom there is no doubt that the future of CAs are changing.

After Let’s Encrypt entered the market, use of HTTPS has increased massively. But they are not the first free provider of “SSL certificates” (the correct term is “X.509 certificates” – we don’t even use SSL anymore) in the market. StartCom have been issuing their “Class 1” certificates for years already. What’s changed is the automation of the whole issuing/acquirement process.

Before automatically issued certificates

Before Let’s Encrypt went public, acquiring a certificate was a tedious task. Usually, the process was like this:

  1. Generate a keypair
  2. Generate a certificate signing request (CSR)
  3. Order a certificate – including:
    • Going through a payment process, which also includes
      • Getting hold of the company card
      • Emailing the receipt to accounting
      • Notifying the project manager to get the cost in some project management thingie (WTF do I know?)
  4. Uploading the CSR
  5. Choosing what predefined email address the authorization request would be sent. At this point you would reconsidering your career choice as the next task is:
  6. Explaining the client who worked in marketing understand this step which is:
    • They must explain their IT staff (who they probably are really unwilling to talk to because marketing and IT despise each other, right) that they need to setup an “admin-looking” email alias, from a list of options provided by you, for their email account because they are about to perform at task that IT staff consider is within their domain (those BOFHs!).
    • To the said email address, they will receive an email message usually containing a code and a link. They must follow that link and maybe insert the code on a page that probably have a button with the text “Authorize” or similar or something entirely different, but they must perform the task of authorizing the issuing of a “SSL certificate”, which might be called a “X.509 certificate” in the email/website.
  7. Take a Prozac/Valium cocktail while you wait for the client to respond to the previous step and have the CA send you the certificate.
  8. Install the certificate and be happy that it will be 3–5 years until the next time you have to repeat this process for renewal for this domain (depending on CA).

After automatically issued certificates

Before Let’s Encrypt went public acquiring a certificate works like this:

  1. Install the client software if it isn’t already (one-line command)
  2. Run the client software (one-line command)
  3. Install the certificate (if the client software doesn’t do it for you).
  4. Setup a cronjob to automatically renew the certificate at a given interval (one-line command)

By the way, this is how you use Let’s Encrypt with Nginx.

Other CA’s than Let’s Encrypt

To be honest, Let’s Encrypt has its limitations. The most important ones are:

  • It is only for domain validated certificates, so no green address bar in the browser which requires extended validation (EV certs)
  • No wildcard URLs, so you have to specify all subdomains at the certificate issuing request time
  • API limits per domain/host/IP

Earlier this year, StartCom announced their automated service for acquiring certificates. They offer both a free and a premium service. I haven’t tried them yet, but I can see why someone would be willing to pay for a premium service.

Premium services

Premium services are where the CA’s can distinguish themselves. Up until now, there have usually been zero reasons to not just use the cheapest one. The exception would be if you have a need for a large amount of EV certs – then you would choose a CA that would let you issue them yourself after the initial validation.

Issuing a self-signed certificate is a one-line command, so CA’s are mostly useless. Now that they have competition in Let’s Encrypt and StartCom which provides a smoother experience at a price you can’t beat, they need to provide some extra value.

I think there is a market for a premium service with features like:

  • No API usage restrictions
  • EV Certs (green address bar)
  • Wildcard certificates
  • Control panel where you can manage certificates, access, revocation, etc.
  • Client certificates
  • Far future expiry date

Start providing value or be gone

The CA business has long thrived on the misinformed public that has believed there’s something like a “quality certificate” or that which CA you used mattered. This notion might exist for a while further, but now that the CA’s will have to compete on actual value, this will probably not matter as much anymore.

If you’re a CA, and you don’t start providing real value, a great user experience and a good service, you will be gone in a not too distant future.

For us users, we will finally get good service from the CA’s. Our experience in dealing with them will only improve, as they will have to fight for us. We will see better API’s, better services and better management tools.

The future is bright for users and certificate authorities who are ready to turn themselves into a customer-centric business.

Sidenote: The future of the CA model itself

The CA model we’re currently using is severly flawed, and might be replaced by something like DANE in the future. While not perfect because DNSSEC isn’t perfect, INHO it is at least better. In the long term future of certificate authorities, they are hopefully non-existant. In the meanwhile, make sure you use HTTP Public Key Pinning to secure your site and users.

1 Comment

  1. Hi bjorn. Yes i was reading a tutorial on how to install valid ssl cs on my owncloud droplet. And after many hours stumbled upon lets encrypt certbot which did it in less than 1 minute.

Comments are closed.