pts2024

Let’s Encrypt is the world’s leading free and open (-source!) Certificate Authority. In the 10 years since the organization was founded, and 5 years since the ACME (Automated Certificate Management Environment) protocol was standardized, we have issued over 4 billion TLS certificates. Every day we issue 4 million more, covering 400 million unique domain names and providing 48% of all publicly-trusted TLS certs at any given time.

So what happens when something goes wrong, and all of those certificates need to be revoked?

Naively:

• your CRLs will become so large that your HSM will refuse to sign them and clients will fail to download them;
• your OCSP service will saturate your HSM’s signature capacity, potentially causing another incident as you fail to revoke all the certificates within the required timeframe;
• millions of websites will display opaque and confusing TLS errors, training browser users to blindly click through important security warnings; and
• the resulting spike in issuance as everyone tries to get a new un-revoked certificate will take down your entire infrastructure.

Not fun!

Let’s Encrypt has been in this situation. And from our past experience, we’ve implemented three techniques to mitigate the worst of these effects:

• Sharding our CRLs, and providing these smaller shards to browser-based CRL aggregation systems like CRLite, CRLsets, and Valid;
• Live-signing OCSP responses only when they are actually asked for, and caching those responses in a lightweight in-memory lookaside cache; and
• ACME Renewal Information, an extension to the ACME protocol which allows the server to suggest to clients when they should renew their certificates.

In this talk I’ll cover the motivation of why these are important problems to solve, the technical details of both the failure modes and our solutions, and how a team of just 13 engineers is able to keep all of this running.