Skip to main content

Let's Encrypt

Link DigiCert​​®​​ Trust Lifecycle Manager to Let's Encrypt to enroll and manage certificates from the Let's Encrypt certificate authority (CA).

Let's Encrypt issues public DV certificates with a fixed validity period of 90 days and a maximum of 100 Subject Alternative Names (SANs).

Before you begin

You need an active DigiCert sensor to establish and manage the connection to Let's Encrypt:

  • Sensor version 3.8.62 or above required.

  • Set the communication interval (heartbeat) of the sensor to 5 seconds. You can verify and edit this on the sensor details page in Trust Lifecycle Manager, under Advanced Settings.

Add Let's Encrypt connector

  1. From the Trust Lifecycle Manager main menu, select Integrations > Connectors.

  2. Select the Add connector button.

  3. In the Certificate authorities section, select the option for Let's Encrypt.

  4. Fill out the form to configure the connector settings:

    • Name: Assign a friendly name to this connector.

    • Business unit: Select a business unit for this connector. Only users assigned to this business unit can manage the connector.

    • Managing sensor: Select the DigiCert sensor that will manage this connector. For successful Let's Encrypt integration, the sensor you select must have its communication interval (heartbeat) set to 5 seconds.

      Note

      To adjust the communication interval, access the sensor from the Discovery & automation tools > Sensors page and then select the pencil (edit) icon to edit it. Set the communication interval in the Advanced Settings section of the sensor details.

    • Let's Encrypt environment: Select the Let's Encrypt CA environment to issue certificates from.

      • Production to issue publicly trusted certificates from the production Let's Encrypt CA.

      • Staging to test certificate issuance using a non-production CA with less stringent rate limits.

      Warning

      After adding the connector, you cannot change the Let's Encrypt environment for it. To use both Let's Encrypt environments, add a separate connector for each.

  5. Select Add to create the Let's Encrypt connector with the configured settings.

Issue certificates

Prerequisites

To issue certificates through a Let's Encrypt connector in Trust Lifecycle Manager, you need:

  • An active DNS integration to automate domain control validation checks during certificate requests.

  • Available Certificate management seats in your account. You consume one such seat for each certificate issued via the Let's Encrypt connector.

Note

Make sure you understand the production rate limits that Let's Encrypt imposes on certificate issuance. To learn more, see www.letsencrypt.org/docs/rate-limits/.

Certificate template

Use the following base template to create certificate profiles in Trust Lifecycle Manager for issuing public Let's Encrypt certificates.

Template name

Seat type

Enrollment methods

Let's Encrypt Public Server Certificate

Certificate management

  • DigiCert agent

  • DigiCert sensor

  • 3rd-party ACME client

Create profiles

Create each Let's Encrypt certificate profile from the above template. Complete the profile creation wizard based on your unique business needs and how you plan to deploy the Let's Encrypt certificates. Key profile settings for Let's Encrypt include:

  • Connector: Select the connector for the Let's Encrypt CA.

  • DNS integration: Select the DNS integration for automating domain validation checks.

  • Enrollment method: Select the method for enrolling certificates from the Let's Encrypt CA:

    • DigiCert agent: To request and deploy certificates on a web server using a DigiCert automation agent.

    • DigiCert sensor: To request and deploy certificates on an F5 BigIP network appliance, AWS Elastic Load Balancer (ELB), or AWS CloudFront using a DigiCert sensor. Support for A10 and Citrix ADC appliances will be added in a future release.

    • 3rd-party ACME client: To request and deploy certificates on a web server using a third-party ACME client like Certbot.

      Warning

      When using a third-party ACME client, certificate requests for more than 5 domains may experience timeouts due to the length of the domain validation process. This limitation does not apply when using DigiCert agents or sensors to enroll certificates.

  • Certificate expires in: Per Let's Encrypt policy, this is set at 90 days and cannot be changed.

What's next

  • Monitor and manage certificates from your Inventory page in Trust Lifecycle Manager.

  • Go to the Integrations > Connectors page to view, check status, or manage a connector.

  • Select one of the View actions for a connector to load a pre-filtered inventory list of digital trust assets associated with it.