
Let's Encrypt

Link DigiCert® Trust Lifecycle Manager to Let's Encrypt to enroll and manage certificates from the public Let's Encrypt certificate authority (CA).

Notice

Let's Encrypt offers public DV certificates with a maximum of 100 Subject Alternative Names (SANs) and a fixed validity period of 90 days.

Before you begin

You need an active DigiCert sensor to establish and manage the connection to Let's Encrypt:

  • Sensor version 3.8.62 or later is required.

  • Set the communication interval (heartbeat) of the sensor to 5 seconds. You can verify and edit this on the sensor details page in Trust Lifecycle Manager, under Advanced Settings.

To issue certificates through a Let's Encrypt connector in Trust Lifecycle Manager, you need:

  • An active DNS integration to automate domain control validation checks during certificate requests.

  • Available certificate management seats in your account. Each certificate issued via the Let's Encrypt connector consumes one certificate management seat.

Add connector

  1. From the Trust Lifecycle Manager main menu, select Integrations > Connectors.

  2. Select the Add connector button.

  3. In the Certificate authorities section, select the option for Let's Encrypt.

  4. Fill in the basic properties for the new connector:

    • Name: Assign a friendly name to this connector.

    • Business unit: Select a business unit for this connector. Only users assigned to this business unit can manage the connector.

    • Managing sensor: Select the DigiCert sensor that will manage this connector. For successful Let's Encrypt integration, the sensor you select must have its communication interval (heartbeat) set to 5 seconds.

      Notice

      To adjust the communication interval, select the sensor on the Integrations > Sensors page and then select the pencil (edit) icon to edit it. Set the communication interval in the Advanced Settings section of the sensor details.

  5. Select Add to complete the link to Let's Encrypt.

Issue certificates

Prerequisites

To create certificate profiles and start enrolling certificates from the Let's Encrypt CA, you need:

Notice

Make sure you understand the rate limits that Let's Encrypt imposes on certificate issuance. They are enforced per registered domain and per ACME account, so plan batch enrollments and renewals with them in mind. To learn more, see www.letsencrypt.org/docs/rate-limits/.

Certificate template

Use the following base template to create certificate profiles in Trust Lifecycle Manager for issuing Let's Encrypt certificates.

  • Template name: Let's Encrypt Public Server Certificate

  • Seat type: Certificate management

  • Enrollment methods:

    • DigiCert agent

    • DigiCert sensor

    • 3rd-party ACME client

Create profiles

Create each Let's Encrypt certificate profile from the above template. Complete the profile creation wizard based on your unique business needs and how you plan to deploy the Let's Encrypt certificates. Key profile settings for Let's Encrypt include:

  • Connector: Select the connector for the Let's Encrypt CA.

  • DNS integration: Select the DNS integration for automating domain validation checks.

  • Enrollment method: Select the method for enrolling certificates from the Let's Encrypt CA:

    • DigiCert agent: To request and deploy certificates on a web server using a DigiCert automation agent.

    • DigiCert sensor: To request and deploy certificates on an F5 BIG-IP network appliance, AWS Elastic Load Balancer (ELB), or AWS CloudFront using a DigiCert sensor. Support for A10 and Citrix ADC appliances will be added in a future release.

    • 3rd-party ACME client: To request and deploy certificates on a web server using a third-party ACME client like Certbot.

      Warning

      Because domain validation takes longer for each additional name in a request, certificate requests for more than 5 domains through a third-party ACME client may time out before validation completes. Keep third-party ACME requests to 5 domains or fewer. This limitation does not apply when using DigiCert agents or sensors to enroll certificates.

  • Certificate expires in: Per Let's Encrypt policy, this is set at 90 days and cannot be changed.

To learn more about profile creation in Trust Lifecycle Manager, see Create certificate profiles.
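The following planning helper is an added example and is not DigiCert or Let's Encrypt code. It applies the constraints this page states (at most 100 SANs per certificate; keep third-party ACME client requests to 5 names to avoid the validation timeouts described above) together with the per-registered-domain rate limit from the Let's Encrypt rate-limits page referenced in the prerequisites, so you can see before enrolling whether a batch of names fits the profile's enrollment method and the weekly limit. The 50-certificates-per-registered-domain-per-7-days figure, the two-label registered-domain heuristic, and the inventory data are assumptions constructed for the example; confirm the current limits at the linked page and use a public suffix list in production.

```python
"""Plan Let's Encrypt requests for a Trust Lifecycle Manager profile.

Added example, not DigiCert or Let's Encrypt code. All limits below are
assumptions taken from this page or from the Let's Encrypt rate-limits page
as published at the time of writing; verify them before relying on this.
"""
from __future__ import annotations

from collections import Counter
from datetime import datetime, timedelta, timezone

MAX_SANS_PER_CERT = 100          # page: Let's Encrypt cap per certificate
THIRD_PARTY_ACME_SAFE_SANS = 5   # page: >5 domains may time out with 3rd-party ACME clients
CERTS_PER_REGISTERED_DOMAIN = 50 # assumption: Let's Encrypt limit per registered domain per 7 days
WINDOW = timedelta(days=7)


def registered_domain(name: str) -> str:
    """Simplified registered-domain extraction: last two labels.

    Assumption for the example only. Real code must use a public suffix list
    (e.g. 'shop.example.co.uk' needs three labels). Wildcards are stripped.
    """
    labels = [l for l in name.lower().rstrip(".").split(".") if l != "*"]
    return ".".join(labels[-2:])


def batch_names(names: list[str], enrollment_method: str) -> list[list[str]]:
    """Split a SAN list into per-certificate batches for the chosen method.

    Third-party ACME clients are kept to 5 names per request; DigiCert agents
    and sensors may use the full 100-SAN certificate. Names are normalised and
    de-duplicated while preserving order.
    """
    limit = (THIRD_PARTY_ACME_SAFE_SANS
             if enrollment_method == "3rd-party ACME client"
             else MAX_SANS_PER_CERT)
    unique: list[str] = []
    for n in names:
        n = n.lower().rstrip(".")
        if n not in unique:
            unique.append(n)
    return [unique[i:i + limit] for i in range(0, len(unique), limit)]


def rate_limit_usage(issued: list[tuple[datetime, list[str]]],
                     now: datetime) -> Counter:
    """Count certificates issued per registered domain in the trailing 7 days.

    `issued` is a list of (issue time, SAN list) tuples, e.g. exported from the
    TLM inventory. Each certificate counts once per registered domain it
    covers. Renewals with an identical name set are exempt from this Let's
    Encrypt limit, which this example does not model.
    """
    counts: Counter = Counter()
    for when, sans in issued:
        if now - when < WINDOW:
            for rd in {registered_domain(s) for s in sans}:
                counts[rd] += 1
    return counts


def plan(names: list[str], enrollment_method: str,
         issued: list[tuple[datetime, list[str]]],
         now: datetime) -> tuple[list[list[str]], list[str]]:
    """Return (batches, over_limit).

    `over_limit` lists registered domains for which issuing every batch would
    exceed the 7-day limit given what is already in the inventory.
    """
    batches = batch_names(names, enrollment_method)
    used = rate_limit_usage(issued, now)
    over_limit = []
    for rd in sorted({registered_domain(n) for b in batches for n in b}):
        new = sum(1 for b in batches if any(registered_domain(n) == rd for n in b))
        if used[rd] + new > CERTS_PER_REGISTERED_DOMAIN:
            over_limit.append(rd)
    return batches, over_limit


# Constructed sample data (not a real TLM export).
NOW = datetime(2024, 6, 10, 12, 0, tzinfo=timezone.utc)
NAMES = [f"host{i}.example.com" for i in range(12)] + ["www.example.net"]
SAMPLE_INVENTORY = [
    (NOW - timedelta(days=1), ["www.example.com", "api.example.com"]),
    (NOW - timedelta(days=3), ["shop.example.com"]),
    (NOW - timedelta(days=9), ["old.example.com"]),   # outside the window
    (NOW - timedelta(days=2), ["www.example.net"]),
]
# 49 certificates for example.com issued in the last two days.
HEAVY_INVENTORY = [(NOW - timedelta(hours=h), [f"svc{h}.example.com"])
                   for h in range(49)]

if __name__ == "__main__":
    for method in ("DigiCert agent", "3rd-party ACME client"):
        batches, over = plan(NAMES, method, HEAVY_INVENTORY, NOW)
        print(f"{method}: {len(batches)} request(s); over limit: {over or 'none'}")
```

Run it as a pre-flight check before creating enrollments: with the heavy sample inventory, a single 13-name request from a DigiCert agent stays within the limit, while the same names split into three 5-name third-party ACME requests would push example.com over it.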

What's next

  • Go to the Integrations > Connectors page in Trust Lifecycle Manager to view, check status, or manage a Let's Encrypt connector.

  • Use the certificate profiles you created in Trust Lifecycle Manager to get certificates from the Let's Encrypt CA via the enrollment methods you selected.

  • View and manage the issued Let's Encrypt certificates from your Inventory page.

  • For a pre-filtered inventory list of certificates associated with a particular connector, go to Integrations > Connectors and select the View managed certificates action for the connector.