The Digital Transformation Agency has automated the process of issuing and renewing website security certificates for its many websites by using certificate authority Let’s Encrypt.
The agency used the upcoming Google Chrome web browser update that will mark all HTTP sites ‘not secure’ as an opportunity to improve how it manages security certificates.
The update is aimed at stamping out unencrypted web connections by prompting site owners to switch to HTTPS, which encrypts data in transit so that it cannot be read or tampered with by an attacker on the network.
Ahead of the July update to Chrome, the DTA has settled on Let’s Encrypt – a free certificate authority run by the Internet Security Research Group – to provide domain validated certificates for all of its sites.
Site reliability engineer Adam Eijdenberg said in a blog post that all 150 existing applications that run on cloud.gov.au "support secure HTTPS connections and actively redirect HTTP requests to the secure equivalent."
But he saw opportunities to get "better at how we launch sites, and issue and renew website security certificates".
"Automatic issuing and renewal is an important criterion for us given we practise infrastructure as code techniques and manage many sites," he said.
"We found a protocol we can use to automate how certificates are verified and issued, which is the Internet Engineering Task Force’s (IETF’s) draft Automatic Certificate Management Environment (ACME).
"At the time of writing, Let’s Encrypt is the only service that supports this relatively new protocol and we hope others will follow.
"We were able to install an ACME client in our stack so that certificates are automatically provisioned, renewed, tested, deployed and served by our platform."
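The quoted description of ACME automating "how certificates are verified and issued" can be made concrete with a small model of the two steps an ACME client performs on a platform's behalf: answering the http-01 domain-validation challenge (RFC 8555 section 8.3, with the key authorization format from section 8.1 and the RFC 7638 JWK thumbprint) and deciding when a certificate is due for renewal. This is an added illustration, not code from the DTA, cloud.gov.au or Let's Encrypt; the account key, token, in-memory "web root" and the 30-day renewal window are constructed assumptions, and the CA's HTTP fetch is simulated by a direct lookup.

```python
"""Toy model of two ACME-style steps: http-01 domain validation and a
renewal-due check. Added example; not the DTA's or Let's Encrypt's code."""
import base64
import hashlib
import json
from datetime import datetime, timedelta, timezone


def b64url(data: bytes) -> str:
    """Base64url without padding, as ACME/JOSE encode binary values."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 over the required members only,
    keys sorted lexicographically, no whitespace."""
    required = {"EC": ("crv", "kty", "x", "y"), "RSA": ("e", "kty", "n")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required},
                           sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("ascii")).digest())


def key_authorization(token: str, account_jwk: dict) -> str:
    """RFC 8555 section 8.1: token || '.' || base64url(thumbprint(accountKey))."""
    return f"{token}.{jwk_thumbprint(account_jwk)}"


class SiteWebRoot:
    """Stand-in for the web server's document root (constructed for this example)."""

    def __init__(self):
        self.files = {}

    def serve(self, path: str):
        # Simulates the CA's plain-HTTP GET of the challenge path.
        return self.files.get(path)


def client_publish_challenge(webroot: SiteWebRoot, token: str, account_jwk: dict) -> str:
    """ACME client side: place the key authorization at the well-known path
    the CA will fetch. Returns the path that was published."""
    path = f"/.well-known/acme-challenge/{token}"
    webroot.files[path] = key_authorization(token, account_jwk)
    return path


def ca_validate_http01(webroot: SiteWebRoot, token: str, registered_jwk: dict) -> bool:
    """CA side: fetch the challenge path and compare the body with the key
    authorization computed from the account key registered with the CA.
    A mismatch (wrong key, tampered token, missing file) fails validation."""
    body = webroot.serve(f"/.well-known/acme-challenge/{token}")
    return body is not None and body == key_authorization(token, registered_jwk)


def renewal_due(not_after: datetime, now: datetime, window_days: int = 30) -> bool:
    """Renew once the certificate is within the renewal window of expiry.
    The 30-day default mirrors common ACME client practice (an assumption
    here, not a figure from the article)."""
    return not_after - now <= timedelta(days=window_days)


# Constructed account key (JWK form) and challenge token; values are placeholders.
ACCOUNT_JWK = {"kty": "EC", "crv": "P-256",
               "x": "xCoordinatePlaceholderBase64url", "y": "yCoordinatePlaceholderBase64url"}
OTHER_JWK = dict(ACCOUNT_JWK, x="someoneElsesKeyPlaceholder")
TOKEN = "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA"


def run_demo() -> dict:
    """Exercise the validation and renewal steps; returns results for checking."""
    webroot = SiteWebRoot()
    path = client_publish_challenge(webroot, TOKEN, ACCOUNT_JWK)
    valid = ca_validate_http01(webroot, TOKEN, ACCOUNT_JWK)
    wrong_key = ca_validate_http01(webroot, TOKEN, OTHER_JWK)      # attacker's account key
    wrong_token = ca_validate_http01(webroot, TOKEN[:-1] + "B", ACCOUNT_JWK)  # no such file
    issued = datetime(2018, 6, 1, tzinfo=timezone.utc)
    not_after = issued + timedelta(days=90)   # assumed 90-day lifetime
    return {
        "path": path,
        "valid": valid,
        "wrong_key": wrong_key,
        "wrong_token": wrong_token,
        "due_at_day_61": renewal_due(not_after, issued + timedelta(days=61)),
        "due_at_day_30": renewal_due(not_after, issued + timedelta(days=30)),
    }


if __name__ == "__main__":
    print(run_demo())
```

The point the model makes for a platform like the one described: the proof of control is a file the client itself publishes, so nothing about the certificate lifecycle needs a human in the loop, and the renewal check is a pure function of the expiry date, which is what makes it safe to run from a scheduler.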
The agency is also using Amazon Certificate Manager for the "handful of wildcard certificates for some internal facing components".
However, Eijdenberg noted that "since we started using their service, Let’s Encrypt have announced they support automatic provisioning of wildcard certificates."