The R3 Cert expired, the one that signed yours, so you need to do a renewal to get the new CA signature:
https://letsencrypt.org/docs/dst-root-ca-x3-expiration-september-2021/
Let's Encrypt is usually set up in a way to automate the renewal of the certificates because of their shorter lifespans. Depending on your hosting environment, how you do it is going to vary a little bit.
If you're going to set up your own mail server (which is generally not recommended, because there's a lot that can be done wrong), you should look into Let's Encrypt which will provide you with a free certificate.
Also, it was just announced an hour ago that you can purchase and use a dedicated certificate without having to upgrade to a Biz account. Details can be found here:
Interesting, I haven't heard much of 3072-bit keys, only 1024/2048/4096. 2048 is the standard and by far most common. 2048 is going to have better compatibility and less CPU usage. It depends on what your clients are like and what you want to cater to. With certificate compatibility/strength there is a trade-off, and you need to decide which is more important. I would love to hear some other responses on this issue.
A few links stating that there are benefits but they are not worth it most of the time:
http://danielpocock.com/rsa-key-sizes-2048-or-4096-bits
https://www.gnupg.org/faq/gnupg-faq.html#no_default_of_rsa4096
The very last paragraph mentions Let's Encrypt (I'm still hoping they make it simple to submit a CSR instead of using their software). It should work with other CAs' certificates; it's just step 2 that's rather StartCom-specific. The rest should be the same.
Edit: I have clarified (in the opening paragraph) that certs from other CAs should work fine too.
This is occasionally seen in the free software community.
The idea is that HTTPS gives you a false sense of security. It gets rid of the MITM problem, but it doesn't get rid of the hacked web server problem, which has happened. Signing the files with a key that's backed by the web of trust, on a machine that isn't web facing, provides much greater assurance that it's the file that the legitimate operator of the site means to provide.
In practice, though, I doubt many people actually verify the signatures, so it just adds the MITM attack risk.
That root certificate expired in September 2021. For some reason the laptop is still trying to use it. Ensure the laptop hasn't cached an old copy of your website's certificate.
https://letsencrypt.org/docs/dst-root-ca-x3-expiration-september-2021/
Let’s Encrypt is a free, automated, and open certificate authority (CA), run for the public’s benefit. It is a service provided by the Internet Security Research Group (ISRG).
We give people the digital certificates they need in order to enable HTTPS (SSL/TLS) for websites, for free, in the most user-friendly way we can. We do this because we want to create a more secure and privacy-respecting Web.
The key principles behind Let’s Encrypt are:
Free: Anyone who owns a domain name can use Let’s Encrypt to obtain a trusted certificate at zero cost.
Automatic: Software running on a web server can interact with Let’s Encrypt to painlessly obtain a certificate, securely configure it for use, and automatically take care of renewal.
Secure: Let’s Encrypt will serve as a platform for advancing TLS security best practices, both on the CA side and by helping site operators properly secure their servers.
Transparent: All certificates issued or revoked will be publicly recorded and available for anyone to inspect.
Open: The automatic issuance and renewal protocol will be published as an open standard that others can adopt.
Cooperative: Much like the underlying Internet protocols themselves, Let’s Encrypt is a joint effort to benefit the community, beyond the control of any one organization.