Including Let’s Encrypt signing certificate in OSG CA bundle

Note

This procedure has been added on April 26th, 2018 as part of the OSG Service Migration Plan (see references below)

As a part of the Service Migration Plan, we will be adding the Let’s Encrypt root certificate to the OSG CA certificate bundle. The OSG has traditionally included a handful of CAs in addition to the IGTF-Classic Certificate Authorities (CAs) for signing host certificates. These CAs often rely on manual, multi-step processes for signing certificates that add administrative overhead. Many modern operational environments would like to spin up hosts in response to changing user demand but the manual process often proves to be too slow for certificate procurement and revocation. Let’s Encrypt is an automated CA system that relies on a FQDN’s authoritative DNS records to identify and confirm a host’s identity. Let’s Encrypt also provides short-lived certificates in a secure manner with a minimum of overhead and automated renewal.

Unlike the IGTF-Classic CAs, certificates from Let’s Encrypt will be recognized by your browser and OS by default.

Let’s Encrypt, however, does not confirm the organization that is running the host in the same manner as the IGTF-Classic CAs; we believe the additional IGTF checks are redundant with the registration and service discovery steps done on the OSG. OSG has separate registration procedures for services on the OSG that verifies the organizations; no access is given solely based on the possession of a host certificate. For more details please consult the OSG Information Security Officer's position paper on the Let's Encrypt CA for Host Certificate Signing.

This is the upcoming change likely to be most relevant to security contacts during the migration. For more details on the migration plan please consult the Service Migration Plan document.