Let’s Encrypt is releasing wildcard certificates in 2018! This was actually announced a few months ago, but since 2017 is almost over, I think this is a good time to revisit this.

Background info

A Certificate Authority (CA) is an organization trusted to release cryptographic certificates for websites and such. When you’re browsing and see https:// instead of http://, the site you’re visiting is using an SSL/TLS certificate from a CA. Such a certificate encrypts communications between your browser and the site you’re visiting, preventing it from being intercepted and read by third parties.

Additionally, CAs may validate that the cert requester:

  1. Can control the domain name (example.com) for which they are requesting a certificate;
  2. Owns the domain name as the organization/legal entity on record;
  3. Actually is a real legal entity, AKA Extended Validation (EV), in which case you’d also see their name in the location bar.

#2 and #3 grant you additional levels of assurance that the website you’re visiting is genuine. Generally though, ordinary users don’t bother to check the cert details. At most, they’d glance at the location bar, see that it says Secure and go right on. That’s usually good enough. The only time I personally take extra caution is when dealing with an e-commerce or banking site for the first time.

SSL/TLS certs usually cost a lot, especially if #2 and #3 are involved. Certs which only undergo domain validation (#1) have dropped in price, but are still around $10/year from a budget provider. These certificates usually expire in at least a year.

A regular certificate is issued for only one hostname at a time, e.g. www.example.com but not blog.example.com. (Nowadays, they usually throw in one for www when you get a cert for example.com.) A wildcard certificate is one that secures any subdomain, e.g. shop.example.com, support.example.com etc. They cost even more. Much more.

Let’s Encrypt

Let’s Encrypt is a CA. It differs from the rest in that they offer:

  1. Free domain-validated certificates;
  2. Free subdomain certificates (you’ll need to specify them during registration);
  3. Automated installation and renewal for many server configurations.

Their certicates expire in 3 months, but as mentioned, these can be renewed automatically if you have a supported configuration.

As per #2, you can specify what subdomains you want when you request a certificate. So why is their offering free wildcard certificates a big deal? For me, it’s because companies (especially blog providers like Tumblr, and technical service providers like hook.io) finally have a viable way of offering free https subdomains and custom domain/subdomain names to their users.

Visit aidemo.hook.io. It will give you a scary warning, but if you click through, it will still give you an encrypted connection, but this time with something like Not secure in your browser. Once hook.io sets up a wildcard certificate, this warning won’t appear.

Scary warning in Chrome

I am also looking forward to this as I have a personal project in mind that will definitely benefit from wildcard certs. Here’s to 2018!

Donate to Let’s Encrypt!