SYSTEM Cited by 1 source
Let's Encrypt¶
Let's Encrypt is a nonprofit public certificate authority (CA) run by the Internet Security Research Group (ISRG). It issues free, short-lived, domain-validated SSL/TLS certificates via an automated protocol (ACME) and is one of the most widely trusted public CAs in the world — "a nonprofit CA run by the Internet Security Research Group (ISRG), which has issued certificates for more than 300 million websites to date" (Source: sources/2026-04-21-planetscale-supports-notes-from-the-field).
Role in managed-service TLS¶
Managed-service vendors that terminate TLS on behalf of customers (databases, APIs, CDNs) routinely use Let's Encrypt as their serving CA because (a) it is pre-trusted by every modern OS and browser, (b) issuance and renewal are fully automated via ACME, and (c) cost is zero. The pre-trust property is load-bearing: clients with a stock public-CA trust store validate the chain without configuration, so the managed service "just works" for the majority of traffic.
The ISRG Root X1 anchor¶
The root certificate is named ISRG Root X1. It is the trust anchor that all Let's Encrypt leaf certificates chain to, and it is the PEM users need to obtain when a peer (a third-party tool, an embedded device, a legacy driver) ships without a stock trust store. Let's Encrypt publishes the PEM at https://letsencrypt.org/certificates/.
Seen in¶
- sources/2026-04-21-planetscale-supports-notes-from-the-field — PlanetScale's serving certificate is issued by Let's Encrypt. Canonical wiki disclosure. Third-party tools (Google Data Studio / Looker Studio, Retool) that don't ship the public-CA trust store connect to PlanetScale by pasting the ISRG Root X1 PEM into the tool's CA Cert field (the CA-bundled cert for tool trust pattern). The post inlines the full PEM for copy-paste convenience and warns users that if PlanetScale ever changes CA, the uploaded bundle will need to be updated in each tool.
Operational properties¶
- Validity: 90 days (short-lived by design).
- Automation protocol: ACME; clients like Certbot, acme.sh, cloud-provider ACME integrations manage renewal.
- Pre-trust: bundled in modern OS + browser CA trust stores
(macOS/iOS, Windows, Android, major Linux distributions,
Firefox/Chrome/Safari/Edge). Legacy embedded devices and
minimal containers (Alpine without
ca-certificates) may lack trust and require explicit bundle install. - Rate limits: public documentation caps issuance per domain and per-account to prevent abuse; enterprise-scale deployments request higher limits.