In my experience, it has become very easy to setup renewal. It has gotten
easier with every release.

Cary

On Mon, Jun 19, 2017 at 7:55 AM Kyle Breneman <[log in to unmask]>
wrote:

> Thanks for chiming in, Kyle.  I think, in your second-to-last sentence, you
> were about to say "impossible."  Is that right?  Also, is it difficult to
> set up automatic certificate renewal?  For the record, I'm not trying to
> bypass any organizational processes here, just doing some legwork in hopes
> of handing campus IT a suggestion that will save them money.
>
> Kyle
>
> On Mon, Jun 19, 2017 at 9:51 AM, Kyle Banerjee <[log in to unmask]>
> wrote:
>
> > There are a few other catches. For example, you need to be able to run an
> > appropriate ACME client and set up automatic certificate renewal since the
> > maximum length you can get is 90 days. You also can't get wildcard
> > certificates which makes doing things like proxying by host name (e.g.
> > ezproxy). Your organization might also care if you bypass their process for
> > getting domain names.
> >
> > kyle
> >
> > On Mon, Jun 19, 2017 at 5:41 AM, Jonathan Rochkind <[log in to unmask]>
> > wrote:
> >
> > > Here's a thread about per-TLD rate limits being a problem for universities;
> > > it seems per a post at the end of that thread that letsencrypt might exempt
> > > your institution from rate limits, but an official agent of the university
> > > needs to submit the request:
> > >
> > > https://community.letsencrypt.org/t/rate-limiting-at-an-educational-institution/5910/24
> > >
> > >
> > >
> > > On Mon, Jun 19, 2017 at 8:27 AM, Kyle Breneman <[log in to unmask]>
> > > wrote:
> > >
> > > > Thanks for that detailed and interesting reply, Jonathan.
> > > >
> > > > On Sun, Jun 18, 2017 at 12:35 PM, Jonathan Rochkind <[log in to unmask]>
> > > > wrote:
> > > >
> > > > > Just to clarify, by "Commercial certificates offer stronger proof of
> > > > > identity", you mean an "Extended Validation" (EV) certificate.
> > > > > https://en.wikipedia.org/wiki/Extended_Validation_Certificate
> > > > >
> > > > > If you are getting a 'commercial certificate' that is a standard 'domain
> > > > > validated' cert instead of an EV cert, you are not getting any stronger
> > > > > proof of identity than you would from letsencrypt.
> > > > >
> > > > > The cert used at https://www.ubalt.edu does NOT appear to be an EV cert,
> > > > > but an ordinary domain validated one. (Additionally, that particular web
> > > > > page serves http: images, triggering browser mixed content warnings!).
> > > > >
> > > > > Same thing for the cert at https://langsdale.ubalt.edu/.
> > > > >
> > > > > Looking at another Maryland public university: https://umd.edu/ appears
> > > > > similar. NOT an EV cert, and additionally serving http assets triggering
> > > > > a mixed content warning.
> > > > >
> > > > > I'm actually having trouble finding an academic institution, or even a
> > > > > standard ecommerce site, that DOES use an EV cert.
> > > > >
> > > > > You can tell it's an EV cert when Chrome or Firefox put the name of the
> > > > > organization in the location bar to the left of the URL.  Additionally,
> > > > > in Firefox, if you click that name, then click the right-chevron 'more
> > > > > info' icon, then click "More information", under "Website Identity" it
> > > > > will list an "Owner:" for an EV cert. For an ordinary domain-validated
> > > > > cert, it will list "This website does not supply ownership information"
> > > > > instead.
> > > > >
> > > > > Here's an example of an EV cert, the cert on digicert.com, a seller of
> > > > > certs:
> > > > >
> > > > > https://www.digicert.com/
> > > > >
> > > > > If your cert is not EV but is just "domain validated", then despite it
> > > > > being "commercial" it supplies the same level of proof of identity as a
> > > > > letsencrypt cert -- proof of control of the domain at the time the cert
> > > > > was issued, either way.
> > > > >
> > > > >
> > > > >
> > > > > On Sat, Jun 17, 2017 at 1:53 PM, Cary Gordon <[log in to unmask]>
> > > > > wrote:
> > > > >
> > > > > > We are starting to roll out LetsEncrypt for all of our services and
> > > > > > clients who do not use or want commercial certificates.
> > > > > >
> > > > > > Note that LetsEncrypt offers only domain authentication, in most cases
> > > > > > specifically validated by your control of the server. Commercial
> > > > > > certificates offer stronger proof of identity.
> > > > > >
> > > > > > We recommend commercial certificates for any sites that conduct
> > > > > > financial transactions or require HIPAA compliance.
> > > > > >
> > > > > > Thanks,
> > > > > >
> > > > > > Cary
> > > > > >
> > > > > > Cary Gordon
> > > > > > The Cherry Hill Company
> > > > > > http://chillco.com
> > > > > >
> > > > > >
> > > > > > > On Jun 16, 2017, at 12:34 PM, Kyle Breneman (via lita-l Mailing
> > > > > > > List) <[log in to unmask]> wrote:
> > > > > > >
> > > > > > > Apologies for cross-posting...
> > > > > > >
> > > > > > > Anyone out there working at a public institution that's using Let's
> > > > > > > Encrypt for security certificates?  I just suggested to our campus
> > > > > > > IT that we switch to using Let's Encrypt.  They told me it would
> > > > > > > need to clear the State of Maryland approval process first, and
> > > > > > > suggested that it would be helpful to be able to point to other
> > > > > > > public institutions that are using it.
> > > > > > >
> > > > > > > Regards,
> > > > > > > Kyle Breneman
> > > > > > > Integrated Digital Services Librarian
> > > > > > > University of Baltimore
> > > > > > >
> > > > > > > To maximize your use of LITA-L or to unsubscribe, see
> > > > > > > http://www.ala.org/lita/involve/email
> > > > > >
> > > > >
> > > >
> > >
> >
>
-- 
Cary Gordon
The Cherry Hill Company
http://chillco.com
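As an added illustration of the EV-versus-domain-validated distinction discussed in the thread above (not code from anyone in the thread): this Python script classifies a certificate's subject the way Firefox's "Website Identity" panel does, working on the subject shape that Python's `ssl.getpeercert()` returns. The EV attribute names it checks and the two sample subjects are assumptions constructed for the example, not captured from any host mentioned in the thread.

```python
import socket
import ssl

# Subject attributes the CA/Browser Forum EV guidelines require on top of
# organizationName, in the long-name form Python's ssl module reports.
EV_REQUIRED = ("businessCategory", "serialNumber", "jurisdictionCountryName")

def subject_fields(cert):
    """Flatten a getpeercert()-style subject (tuple of RDN tuples) to a dict."""
    return {name: value for rdn in cert.get("subject", ()) for name, value in rdn}

def identity_level(cert):
    """Classify the identity a certificate asserts about its subject.

    DV: no organization named (what Let's Encrypt issues; Firefox shows
        "This website does not supply ownership information").
    OV: an organization is named but the EV incorporation fields are absent.
    EV: organization plus EV-mandated business category, registration number
        and jurisdiction. Browsers also require the issuing CA's EV policy OID,
        which getpeercert() does not expose, so this is a subject-shape check.
    """
    fields = subject_fields(cert)
    if "organizationName" not in fields:
        return "DV"
    if all(attr in fields for attr in EV_REQUIRED):
        return "EV"
    return "OV"

def owner_label(cert):
    """Mirror Firefox's "Website Identity" line for the certificate."""
    if identity_level(cert) == "DV":
        return "This website does not supply ownership information"
    return "Owner: " + subject_fields(cert)["organizationName"]

def fetch_cert(host, port=443, timeout=5):
    """Fetch and chain-validate the live certificate for host (needs network)."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()

# Constructed samples in getpeercert() shape; not captured from any real host.
DV_SAMPLE = {"subject": ((("commonName", "www.example.edu"),),)}
EV_SAMPLE = {"subject": ((("jurisdictionCountryName", "US"),),
                         (("businessCategory", "Private Organization"),),
                         (("serialNumber", "0000000"),),
                         (("countryName", "US"),),
                         (("organizationName", "Example Certs, Inc."),),
                         (("commonName", "www.example.com"),))}
```

To check a live site, pass `fetch_cert("hostname")` to `identity_level` and `owner_label`; an ordinary Let's Encrypt or other domain-validated cert comes back as "DV".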