Welcome to the Let's Encrypt Resource Hub!
A curated collection of the latest resources and information about Let's Encrypt and web security.
What is Let's Encrypt?
Let's Encrypt is a free, automated, and open Certificate Authority (CA) run by the nonprofit Internet Security Research Group (ISRG). It provides X.509 certificates for Transport Layer Security (TLS) encryption at no charge, making it possible for websites to enable HTTPS encryption easily. As the world's largest certificate authority, Let's Encrypt is used by more than 550 million websites, significantly contributing to a more secure and privacy-respecting internet.
Key Features
Free Forever
Certificates are provided at zero cost, removing financial barriers to secure websites.
Let's Encrypt's mission is to create a more secure and privacy-respecting web by promoting widespread adoption of HTTPS. By eliminating costs, any website owner can secure their site, regardless of budget constraints.
Fully Automated
Software running on the web server can interact with Let's Encrypt to obtain certificates, securely configure them, and automatically renew them.
The ACME protocol (Automated Certificate Management Environment) enables automatic certificate issuance and renewal without human intervention, significantly reducing the risk of expired certificates and security lapses.
Secure & Transparent
Let's Encrypt serves as a platform for advancing TLS security best practices through both server and client implementation.
All certificates issued or revoked are publicly recorded and available for anyone to inspect through Certificate Transparency logs. This transparency helps maintain the integrity of the web PKI ecosystem and enables rapid detection of misissued certificates.
Open Source & Cooperative
All issuance and renewal protocols are published as open standards that others can adopt.
The ACME protocol developed by Let's Encrypt has been standardized through the IETF as RFC 8555. The Let's Encrypt client software (Certbot) and server software (Boulder) are all open source, enabling community contribution and transparency in operation.
Latest News & Developments
Short-Lived Certificates Coming in 2025
Let's Encrypt has announced a new offering of certificates with a lifetime of just six days, compared to their standard 90-day certificates. This change will enhance TLS ecosystem security by minimizing exposure during key compromise events.
Read MoreNew Issuance Chains Deployment (June 6, 2024)
Let's Encrypt will switch to using new intermediate certificates on June 6, 2024. Most subscribers won't need to take any action as ACME clients will automatically configure the new intermediates when certificates are renewed.
Read MoreOCSP Support Ending in 2025
The Online Certificate Status Protocol (OCSP) support will be phased out beginning January 2025, with complete termination by August 6, 2025. Certificate Revocation Lists (CRLs) will be used for certificate revocation instead.
Read More10th Anniversary Approaching
Let's Encrypt is approaching its 10th anniversary in 2025, having made significant progress in its mission to secure the web through free certificates.
Read MoreCore Resources
-
The main website provides comprehensive information about Let's Encrypt services, documentation, and how to get started with obtaining certificates.
-
A detailed explanation of the ACME protocol and how Let's Encrypt validates domain ownership and issues certificates automatically.
-
The official blog featuring the latest announcements, technical information, and milestone achievements from the Let's Encrypt team.
Technical Information
-
Information about Let's Encrypt's root certificates (ISRG Root X1 for RSA and ISRG Root X2 for ECDSA) and their intermediate certificates structure.
-
Details about Let's Encrypt's founding principles: free, automatic, secure, transparent, open, and cooperative approach to certificate issuance.
-
Comprehensive background information about Let's Encrypt's history, technology, and organizational structure.
Getting Started
Choose an ACME Client
Certbot is the most popular client, but there are many alternatives depending on your environment.
View Client OptionsInstall the Client
Follow the installation instructions for your chosen client on your server.
Certbot Installation GuideRequest a Certificate
Run the client to request and install your certificate automatically.
sudo certbot --apache
Verify Automatic Renewal
Ensure that automatic renewal is working correctly on your server.
sudo certbot renew --dry-run
Getting Started Guide
A beginner-friendly guide explaining how to obtain your first SSL/TLS certificate and implement it on your website.
View GuideCertbot
Information about the recommended ACME client for obtaining Let's Encrypt certificates on Linux web servers with minimal configuration.
Learn About CertbotGlobal Usage
Let's Encrypt has become the world's most popular certificate authority, securing websites across all continents.

Top 1 Million Websites
Over 20% of the top 1 million websites now use Let's Encrypt certificates
Growth Rate
Certificate issuance has grown by approximately 40% year over year
Market Share
Let's Encrypt holds approximately 60% of the SSL certificate market
Frequently Asked Questions
How long are Let's Encrypt certificates valid?
Standard Let's Encrypt certificates are valid for 90 days from the date of issuance. The short validity period encourages automation and ensures that compromised keys have a limited lifetime. Let's Encrypt recommends configuring automatic renewal to occur when certificates have 30 days of validity remaining.
In 2025, Let's Encrypt will also start offering short-lived certificates with a 6-day validity period for even greater security.
Are wildcard certificates supported?
Yes, Let's Encrypt supports wildcard certificates, which secure a domain and all its first-level subdomains (e.g., *.example.com). Wildcard certificates require DNS-based validation using the DNS-01 challenge type, as this proves control over the entire domain namespace.
Is there a rate limit for certificate issuance?
Yes, Let's Encrypt implements rate limits to ensure fair use of their service:
- 50 certificates per registered domain per week
- 5 duplicate certificates per week
- 5 failed validations per account, per hostname, per hour
- New orders are limited to 300 per account every 3 hours
These limits are designed to prevent abuse while allowing legitimate usage patterns.
How does Let's Encrypt verify domain ownership?
Let's Encrypt verifies domain ownership through challenges defined in the ACME protocol:
- HTTP-01 Challenge: Places a specific file at a well-known URI on the web server
- DNS-01 Challenge: Adds a specific TXT record to the domain's DNS configuration
- TLS-ALPN-01 Challenge: Uses TLS-based validation for specialized cases
Once verification is complete, Let's Encrypt issues the certificate.
How is Let's Encrypt funded?
Let's Encrypt is funded by sponsors and community donations. Major sponsors include Google, Amazon Web Services, Mozilla, Cisco, Facebook, and OVH. The Internet Security Research Group (ISRG), which operates Let's Encrypt, is a 501(c)(3) nonprofit organization dedicated to reducing financial, technological, and educational barriers to secure communication over the internet.