Usage of the Let's Encrypt SSL certificate service
The Let’s Encrypt service may be used as described below as an SSL certificate issuer for University of Illinois at Urbana-Champaign, University of Illinois at Springfield, and University Administration. The Chief Privacy and Security Officer reserves the right to re-evaluate and adjust its use from time to time to ensure the service does not present undue or unintended risk to or burden upon university interests.
Let's Encrypt is an SSL certificate management tool that is approved for all evaluated risk levels (see the Cybersecurity Risk Level questionnaire at https://go.illinois.edu/risklevel) of university electronic functions requiring SSL certificates.
Let's Encrypt Requirements
1. All hosts issued a Let’s Encrypt SSL certificate must be assessed against the Privacy & Security Risk Level questionnaire.
   a. It is inappropriate to use Let’s Encrypt on hosts or services that have not been evaluated; the Privacy & Security Risk Level questionnaire result for hosts must be calculated beforehand.
2. Any host currently issued a Let’s Encrypt SSL certificate which remains unassessed must either:
   a. Revoke all associated Let’s Encrypt SSL certificates and obtain a certificate through the University of Illinois at Urbana-Champaign SSL Certificate Manager, or
   b. Immediately assess the service or solution against the Privacy & Security Risk Level questionnaire.
3. Only persons authorized to make changes to their unit’s illinois.edu DNS zone may use Let’s Encrypt for hosts in their zone.
   a. It is inappropriate to use Let’s Encrypt to issue official certificates for BYOD, unmanaged, personal, or non-UofI assets.
5. All campus policies, standards, provisions, and direction still apply when employing any Let’s Encrypt feature or service.
   a. Should any incident or event occur requiring immediate certificate modification or revocation (including instances where the usage expectations and/or controls herein have been violated), then, because the university is unable to manage Let’s Encrypt SSL certificates itself, other network-level mitigations may be imposed on an as-needed basis to mitigate exposures, risks, disruptions, or damage. Such mitigations may be disruptive and will probably affect the availability, stability, or utility of affected hosts.
FAQ
What is “Let’s Encrypt”?
Let’s Encrypt is a cloud-based, free, automated, open certificate authority (CA) service that issues Secure Sockets Layer (SSL) certificates. It is used primarily to normalize and extend the use of HTTPS for web applications. It is delivered by the Internet Security Research Group (ISRG), based in California, U.S.A. See https://letsencrypt.org/
What are the advantages and disadvantages of “Let’s Encrypt”?
- Low cost (free)
- Short duration (90 days)
- Ease of use (including its ACME API)
- Cannot be administered, managed, modified, or revoked directly by campus SSL Certificate service admins.
- On-campus remediation during an incident could very possibly be disruptive to any affected service using a Let's Encrypt SSL certificate