This evening, the Let's Encrypt certificate authority issued its hundred millionth digital certificate. This is a remarkable milestone in just a year and a half of public operation; Let's Encrypt is likely now either the largest or second-largest public CA by volume of certificates issued.

Let's Encrypt was created by Mozilla, the University of Michigan, and EFF, with Cisco and Akamai as founding sponsors, and is operated by the Internet Security Research Group, a non-profit organization. (See also the thoughts of Josh Aas, ISRG's executive director, on reaching this milestone.)

Free certificates from Let's Encrypt allow web sites to offer secure HTTPS connections to their users, protecting the privacy and security of those connections against many network-based threats. EFF continues to help develop the Boulder software that Let's Encrypt uses internally, as well as Certbot, Let's Encrypt's recommended software for obtaining and installing certificates on web servers.

For various reasons, the hundred-million mark does not mean that a hundred million different sites use Let's Encrypt certificates1. The number of web sites protected by Let's Encrypt is probably between 17 million and 46 million, depending on what definition of a "web site" we use2. It's hard to say with certainty whether Let's Encrypt has issued the largest number of certificates because CAs are not currently required to disclose the certificates they issue, but Let's Encrypt does so voluntarily. And the number of sites protected by Let's Encrypt will continue to grow rapidly as more and more hosting providers and server software offer convenient Let's Encrypt support to help bring HTTPS to sites that didn't have it before.

We're extremely proud of the contribution that we've made and continue to make in making the web safer for its users.

We'd also like to acknowledge Let's Encrypt's awesome operations team, which has kept a popular high-security service working and growing to meet demand, including at times when over a million certificates were issued in a single day.

  • 1. Let's Encrypt certificates expire and must be replaced after 90 days; multiple certificates may be issued for the same web site during the same time period; certificates can protect Internet services other than web sites; and not all certificates that have been issued actually get used or remain in use for the lifetime of the certificate.
  • 2. For example, do we count https://www.google.com/, https://google.com/, and https://images.google.com/, as one, two, or three web sites?