Let’s Encrypt To Support Wildcard Certificates Starting January 2018

The Internet Security Research Group (ISRG), which manages the Let’s Encrypt automated certificate authority service, announced that the service will support wildcard certificates on websites with multiple subdomains.

Rapid Growth

Let’s Encrypt has grown rapidly since its public debut less than two years ago, with over 100 million certificates already issued to website operators. This growth happened partly because the service finally made obtaining an HTTPS certificate free, but perhaps even more importantly because it makes certificates easy to install and update.

Let’s Encrypt manages 45 million certificates that are currently in use via its fully automated certificate issuance and management API. According to the nonprofit, the number of encrypted pages on the web has increased from 40% to 58% since the service was first made available in 2015.

Wildcard Certificates

Despite the high demand for Let’s Encrypt certificates, not all websites were able to use the service, even if they wanted to. Larger websites or blog platforms that have many subdomains couldn’t use Let’s Encrypt because it didn’t support wildcard certificates.

Wildcard certificates can secure an infinite number of subdomains belonging to a base domain. This allows the website operator to use a single certificate and encryption key pair, which is much easier to manage than assigning a certificate to each subdomain. Per-subdomain certificates would be especially difficult for blogging platforms with millions of subdomains, or platforms that auto-generate subdomain names for their users, such as the security-focused SandStorm.io.

"With wildcards now being offered, organisations who wish to use Let's Encrypt can now fully automate their certificate issuance processes," said Ivan Ristić, Feisty Duck, ISRG Technical Advisor, in an email to Tom's Hardware. "This is a significant milestone because it will remove manual operations and further reduce friction on the road to a fully encrypted Web. For example, many SaaS providers rely on wildcard DNS to create new accounts on the fly. Matching that with wildcard certificates simplifies and speeds up the process and removes a point of failure," he added.

Let’s Encrypt will issue wildcard certificates free of charge via the upcoming ACME v2 API starting in January 2018. Base domain validation will only be supported via DNS initially, but additional options may be offered in the future.
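As an added example (not code from Let’s Encrypt or from this article), the Python sketch below checks which hosts in an inventory a wildcard name actually covers and where the DNS validation record for it is looked up. It assumes the usual RFC 6125 matching rule and the RFC 8555 `_acme-challenge` record name; the `example.com` names are constructed.

```python
# Added example: hostnames and certificate names below are constructed.

def _labels(name: str) -> list[str]:
    """Lower-case a DNS name and split it into labels, ignoring a trailing dot."""
    return name.rstrip(".").lower().split(".")


def wildcard_covers(cert_name: str, host: str) -> bool:
    """True if a certificate name (exact or '*.base') covers host.

    RFC 6125 rule as commonly implemented: '*' must be the whole
    left-most label and stands for exactly one label.
    """
    c, h = _labels(cert_name), _labels(host)
    if len(c) != len(h) or "" in h:
        return False  # apex and deeper levels differ in label count
    if "*" in "".join(c[1:]) or ("*" in c[0] and c[0] != "*"):
        return False  # partial or non-left-most wildcards are not honoured
    if c[0] == "*":
        # Simplification: require a base of at least two labels ('*.com' refused).
        return len(c) >= 3 and c[1:] == h[1:]
    return c == h


def uncovered(cert_names: list[str], hosts: list[str]) -> list[str]:
    """Hosts in an inventory that none of the certificate names cover."""
    return [h for h in hosts
            if not any(wildcard_covers(c, h) for c in cert_names)]


def dns01_record_name(identifier: str) -> str:
    """TXT record name checked for a DNS-01 challenge (RFC 8555).

    The '*.' prefix is dropped, so a wildcard is validated at its base domain.
    """
    base = identifier[2:] if identifier.startswith("*.") else identifier
    return "_acme-challenge." + base.rstrip(".").lower()


CERT_NAMES = ["*.example.com"]  # constructed
HOSTS = ["blog.example.com", "example.com",
         "api.eu.example.com", "SHOP.example.com."]  # constructed inventory

if __name__ == "__main__":
    print("not covered:", uncovered(CERT_NAMES, HOSTS))
    print("validate at:", dns01_record_name(CERT_NAMES[0]))
```

The base domain itself and names more than one level below it need their own entries on the certificate, and whoever can write the `_acme-challenge` TXT record can obtain a certificate for every subdomain, so write access to that DNS zone is worth restricting.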

Summer Fundraiser

The ISRG decided to announce the wildcard certificate in the middle of its summer fundraising campaign because, as a nonprofit, it depends on public donations from both individuals and companies.

Keeping the Let’s Encrypt service well-funded is important not just for the development of new features, but also to ensure that tens of millions, and soon perhaps hundreds of millions, of certificates are issued in a secure way.

Lucian Armasu
Lucian Armasu is a Contributing Writer for Tom's Hardware US. He covers software news and the issues surrounding privacy and security.
  • tom10167
    And this tech site still doesn't have https!!!
  • spagafus
    For those with a known and fairly static number of sub-domains Let's Encrypt does support SANs. On the other hand a site with hundreds or thousands of sub-domains should really be able to afford wildcard certs from a commercial CA.
  • firefoxx04
    Toms is not even qualified to post about HTTPS. Granted, this site does use encryption for login, but why not site wide? It's 2017. Just do it already. It's pathetic.
  • Aragorn
    Agreed, Toms really should have httpS. It also should not be hijacking my clicks to ask for my email that it already has each time I visit the site!