
Let’s Encrypt Gears Up to Replace 200M Certificates a Day
2021-02-16 21:47

Let's Encrypt has announced an infrastructure upgrade that lets the open certificate authority re-issue up to 200 million certificates in a 24-hour period, capacity the service said could be necessary in "some of the worst scenarios."

The upgrade comes a year after a Certificate Authority Authorization (CAA) checking bug, not a compromise of the CA, forced Let's Encrypt to announce the revocation of about 3 million Transport Layer Security certificates on a single day, March 4, 2020, leaving sites that could not renew in time at risk of browser errors or outages.

Josh Aas, executive director of the Internet Security Research Group, which runs Let's Encrypt, said in a recent blog post about the upgrade that the automated service issues about 2 million certificates every day.

"That's more than 150 million certificates covering more than 240 million domains. What if it had also been a more serious bug, requiring us to revoke and replace all certificates within 24 hours? That's the kind of worst-case scenario we need to be prepared for."

Let's Encrypt Upgraded RAM

The database, he said, is "at the heart of the service we offer." The Let's Encrypt database keeps track of all certificates and accounts and, Aas explained, is "write-heavy with plenty of reads as well."

On a day when Let's Encrypt needed to re-issue 200 million certificates, the pair of Luna Hardware Security Modules at each of its data centers would have to perform at least 600 million cryptographic signing operations in 24 hours, roughly 7,000 signatures per second sustained, because each replaced certificate needs three signatures: an Online Certificate Status Protocol (OCSP) response marking the old certificate revoked, the signature on the replacement certificate itself, and an OCSP response for the replacement.
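The three-signature cycle described above, as an added example written for this page with the Python `cryptography` library; it is not Let's Encrypt's or Boulder's code. The toy CA, its ECDSA P-256 key, the 90-day leaf lifetime, the 7-day OCSP validity and the domain `www.example.com` are all constructed assumptions. It counts the signatures one revoke-and-replace cycle costs and scales that count to the 200 million certificate day.

```python
"""Added example (not Let's Encrypt or Boulder code): a throwaway CA that
counts the signing operations a revoke-and-replace event costs per
certificate, then scales that to a 200M-certificate day."""
import datetime

from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509 import ocsp
from cryptography.x509.oid import NameOID


def _now() -> datetime.datetime:
    return datetime.datetime.now(datetime.timezone.utc)


class ToyCA:
    """Minimal issuing CA; every use of the issuer key (the HSM in a real CA) is counted."""

    def __init__(self) -> None:
        self.sign_ops = 0  # stands in for the HSM's signature counter
        self.key = ec.generate_private_key(ec.SECP256R1())  # assumed: ECDSA P-256 issuer key
        name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "Toy Root (example)")])
        self.cert = (
            x509.CertificateBuilder()
            .subject_name(name)
            .issuer_name(name)
            .public_key(self.key.public_key())
            .serial_number(x509.random_serial_number())
            .not_valid_before(_now() - datetime.timedelta(minutes=5))
            .not_valid_after(_now() + datetime.timedelta(days=365))
            .add_extension(x509.BasicConstraints(ca=True, path_length=None), critical=True)
            .sign(self.key, hashes.SHA256())
        )  # one-off self-signature of the root, not a per-certificate cost, so not counted

    def issue(self, domain: str) -> x509.Certificate:
        """Signature 1 of 3 in a replacement: the new end-entity certificate."""
        leaf_key = ec.generate_private_key(ec.SECP256R1())  # subscriber key; only its public half is signed
        cert = (
            x509.CertificateBuilder()
            .subject_name(x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, domain)]))
            .issuer_name(self.cert.subject)
            .public_key(leaf_key.public_key())
            .serial_number(x509.random_serial_number())
            .not_valid_before(_now() - datetime.timedelta(minutes=5))
            .not_valid_after(_now() + datetime.timedelta(days=90))  # assumed 90-day lifetime
            .add_extension(x509.SubjectAlternativeName([x509.DNSName(domain)]), critical=False)
            .sign(self.key, hashes.SHA256())
        )
        self.sign_ops += 1
        return cert

    def ocsp_response(self, cert: x509.Certificate, revoked: bool) -> ocsp.OCSPResponse:
        """Signatures 2 and 3: a signed OCSP status, REVOKED for the old cert, GOOD for the new one."""
        now = _now()
        builder = ocsp.OCSPResponseBuilder().add_response(
            cert=cert,
            issuer=self.cert,
            algorithm=hashes.SHA256(),
            cert_status=ocsp.OCSPCertStatus.REVOKED if revoked else ocsp.OCSPCertStatus.GOOD,
            this_update=now,
            next_update=now + datetime.timedelta(days=7),  # assumed OCSP response lifetime
            revocation_time=now if revoked else None,
            revocation_reason=x509.ReasonFlags.superseded if revoked else None,
        ).responder_id(ocsp.OCSPResponderEncoding.HASH, self.cert)
        response = builder.sign(self.key, hashes.SHA256())
        self.sign_ops += 1
        return response

    def replace(self, old: x509.Certificate, domain: str):
        """One revoke-and-replace cycle: exactly three issuer-key signatures."""
        revoked = self.ocsp_response(old, revoked=True)   # tell clients the old cert is dead
        new = self.issue(domain)                          # sign the replacement
        good = self.ocsp_response(new, revoked=False)     # so the new cert can be stapled/checked
        return revoked, new, good

    def verify_issued(self, cert: x509.Certificate) -> bool:
        """Public-key check that `cert` was signed by this CA (no HSM operation involved)."""
        try:
            self.cert.public_key().verify(cert.signature, cert.tbs_certificate_bytes,
                                          ec.ECDSA(hashes.SHA256()))
            return True
        except InvalidSignature:
            return False


def required_signing_rate(certs: int, sigs_per_cert: int = 3, window_seconds: int = 86_400) -> float:
    """Sustained signatures per second the HSMs must deliver to replace `certs` within the window."""
    return certs * sigs_per_cert / window_seconds


if __name__ == "__main__":
    ca = ToyCA()
    old = ca.issue("www.example.com")
    before = ca.sign_ops
    revoked, new, good = ca.replace(old, "www.example.com")
    print("signatures per replacement:", ca.sign_ops - before)
    print("old:", revoked.certificate_status.name, "new:", good.certificate_status.name)
    print("sig/s needed for 200M certs in 24h: %.0f" % required_signing_rate(200_000_000))
```

The counter models what the HSM would be asked to do; `required_signing_rate` reproduces the article's arithmetic (600 million signatures over 86,400 seconds is about 6,944 per second) and lets you plug in a shorter window or an extra signature per certificate, for example a Certificate Transparency precertificate, to see how the requirement moves.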


News URL

https://threatpost.com/lets-encrypt-gears-up-to-replace-200m-certificates-a-day/164002/