Let's Encrypt!
So you have a nice personal website that you use to let your friends and family download needful files from your homelab at home. You set it up with the web server (Apache, NGINX and what have you) but then your friends complain that they are getting disturbing messages from their web browser. Are you legit?
This is the Secure Socket Layer (SSL) rearing its ugly head. You need to be certified, my friend. The vague, yet menacing government agency wants to know if you are who you say you are. Luckily, there is a nonprofit organisation called the Internet Security Research Group who have a product called Let's Encrypt that can help you with this.
Cryptographic interlude
A cypher in crypto-land is a method of turning a readable message into an unreadable mess and (importantly) back. There are many ways of doing this. They mostly work with a key. (A key in crypto-land is usually a very long list of hexadecimal numbers). You take your plaintext message and your key, pipe them both into your cypher, and out comes the cyphertext. You send the cyphertext to your friend, and your friend will pipe the cyphertext and the key into the cypher, and out comes the plaintext message.
So the first problem you run into here is key management. How will you know which key to use? You could put it on a piece of paper, meet your friend in a secluded spot under a certain bridge, and pass the note. That works. But what if your friend can't make it to the bridge? What if it is a friend you haven't met yet? You can't send the key in the mail, someone might steam it open and then they will have your key and can read all your secrets.
Enter the asymmetric cypher. In the previous example, you used the same key both to lock and unlock the message. In an asymmetric cypher you have two keys. If you lock a message with one key, you can only unlock it with the other. One key you will keep private, the other you will make public. You put up a billboard with your public key and the message "Hi! I am example.com, and if you have something secret to tell me, you can encrypt it with this key and only I, the real example.com, can read it." This serves confidentiality. You can whisper things to your friend. The other way your friend can use this is to prove to you who they are. Your friend will put on another billboard saying: "I have encrypted this unreadable mess with my private key, and this is the public key that goes with it. If you decrypt it, it should say: This is indeed the message from example.com." This serves authentication. This kind of message is sometime called a certificate.
You will have spotted the problem with this. What if your mortal enemy also puts up a billboard saying: "Do not believe that billboard! I am the real example.com, and here is my key to prove it!" How will you tell the real example.com from the false example.com?
That is where a certificate comes in. A certificate does not come from you or your friend, it comes from another party called a Certificate Authority. The certificate authority will take your key, sign it, and then hand it back to you. Large certificate authorities include Google Trust Services, Digicert, Secure Trust Corporation and other companies with "Secure", "Trust", and "Honest Guv" in their names. And also... Let's Encrypt. It's important to know that anyone can be a Certificate Authority. Even you yourself. You can create the needed keys for a certificate authority on your own computers, install them inside your own web browsers and other software, and then your website will be trusted by those programs on your computer. These self signed certificates are used widely in test environments that never see the light of the Internet. The crucial part is that you have to decide to trust that certificate and stick it in your browser. Your browser will come with a bunch of well known certificates already installed.
So now we want to join in on the fun and join the ranks of Verified Webpages. How to do this? Well... this is what Let's Encrypt is there for.
What Let's Encrypt does
Let's Encrypt of course have a page explaining exactly how it works.