Last updated on September 14, 2018.
Security is the top priority at FreeSSL.tech. We are happy to discuss how we implemented the security precautions in our Let's Encrypt client.
1. The domain private key and CSR are generated with the Web Crypto API in your browser. Your domain private key is never transmitted over the internet, and our server never sees it. To keep this transparent, we have not integrated the CSR generation app into the free SSL certificate generation form: you may download the CSR generation app to your computer and run it locally in your favorite browser.
Moreover, if your web hosting server has an option to generate CSR, we recommend using that tool instead.
2. We save the CSR in our database for future use (renewal) only if the user chooses to.
3. The key pair generated for your Let's Encrypt account, the kid (generated by the Let's Encrypt ACME v2 API), the CSR, the domains (CN and SAN), the SSL certificate download URL, etc. are all protected with two steps of encryption. We encrypt this data not only when it is written to the database but also while it is carried in the session (as you proceed from one step to the next).
Encryption step 1: The first layer is Zend\Crypt\BlockCipher, which uses OpenSSL (AES) for the encryption itself.
use Zend\Crypt\BlockCipher;
$encryption_key = "MySecretKey"; // placeholder value; the real key is not kept in plain source (see step 2)
$csr = "YourCsrHere";
$blockCipher = BlockCipher::factory('openssl', array('algo' => 'aes')); // OpenSSL adapter, AES in CBC mode with PKCS7 padding
$blockCipher->setKey($encryption_key); // BlockCipher derives the actual AES key from this with PBKDF2 and a random salt
$csr_encrypted = $blockCipher->encrypt($csr); // base64 string holding HMAC, IV and ciphertext; safe to store in the database
To decrypt the stored value later, the same encryption key must be supplied:
use Zend\Crypt\BlockCipher;
$encryption_key = "MySecretKey"; // must be the same key used for encryption
$blockCipher = BlockCipher::factory('openssl', array('algo' => 'aes'));
$blockCipher->setKey($encryption_key);
$csr = $blockCipher->decrypt($csr_encrypted); // $csr_encrypted is the value stored earlier; decrypt() returns false if the HMAC check fails (wrong key or modified data)
Encryption step 2: To hide the encryption key used in the first step, we have encrypted the in-browser client's PHP source with ionCube PHP Encoder 10. We also keep the encryption key offline on multiple devices.
So, even if an attacker manages to get into our server, they will not be able to decrypt your Let's Encrypt account key pair, kid, CSR, domains (CN and SAN), SSL certificate download URL, etc.
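As an added example (not FreeSSL.tech's own code), the script below applies the same BlockCipher construction to a constructed account record containing the fields listed above, and shows what the library provides on top of the raw AES call: a fresh salt and IV on every encryption, and rejection of a wrong key or a modified ciphertext instead of silently returning garbage. It assumes zend-crypt installed through Composer and takes the key from an environment variable of an assumed name (ACME_RECORD_KEY) rather than from the source file.

```php
<?php
// Added example, not FreeSSL.tech's own code. Encrypts a constructed account
// record with Zend\Crypt\BlockCipher (zendframework/zend-crypt via Composer)
// and checks that a wrong key or a modified ciphertext is rejected.
require __DIR__ . '/vendor/autoload.php';

use Zend\Crypt\BlockCipher;

// Assumption: the key arrives through an environment variable (name chosen
// for this example) rather than being written into the source file.
$encryptionKey = getenv('ACME_RECORD_KEY');
if ($encryptionKey === false || $encryptionKey === '') {
    fwrite(STDERR, "ACME_RECORD_KEY is not set\n");
    exit(1);
}

function newCipher(string $key): BlockCipher
{
    // Same construction as the snippets above: OpenSSL adapter, AES. BlockCipher
    // derives the actual AES key from $key with PBKDF2 and a per-call salt.
    $cipher = BlockCipher::factory('openssl', ['algo' => 'aes']);
    $cipher->setKey($key);
    return $cipher;
}

// Constructed sample of the fields the text lists; values are placeholders.
$record = [
    'kid'     => 'https://acme-v02.api.letsencrypt.org/acme/acct/PLACEHOLDER',
    'csr'     => "-----BEGIN CERTIFICATE REQUEST-----\nPLACEHOLDER\n-----END CERTIFICATE REQUEST-----",
    'domains' => ['example.com', 'www.example.com'],
];

$cipher     = newCipher($encryptionKey);
$ciphertext = $cipher->encrypt(json_encode($record)); // base64 of HMAC || IV || AES data
// Fresh salt and IV on every call: the same record never yields the same ciphertext.
$distinct = $ciphertext !== $cipher->encrypt(json_encode($record));
// Round trip with the correct key restores the record exactly.
$roundTrip = json_decode($cipher->decrypt($ciphertext), true) === $record;
// decrypt() verifies the HMAC first and returns false on mismatch, so a wrong
// key or a single changed byte is reported rather than decrypted to garbage.
$wrongKey = newCipher('some-other-key')->decrypt($ciphertext) === false;
$raw = base64_decode($ciphertext);
$raw[strlen($raw) - 1] = chr(ord($raw[strlen($raw) - 1]) ^ 0x01); // flip one bit of the stored value
$tampered = $cipher->decrypt(base64_encode($raw)) === false;

foreach (compact('distinct', 'roundTrip', 'wrongKey', 'tampered') as $check => $ok) {
    printf("%-9s %s\n", $check, $ok ? 'ok' : 'FAILED');
}
```

Run it with the variable set, e.g. `ACME_RECORD_KEY=test-only-key php example.php`; all four checks should print `ok`.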
4. We provide an option to change your Let's Encrypt account key pair (login required) at any time with a single click.
5. We hash your password with Zend\Crypt\Password\Bcrypt.
6. All forms are protected with a CSRF token.