A Brief History of TLS Certificates at Shopify

In this post, we’ll cover Shopify’s journey from manually provisioning TLS certificates to the fully automated system that supports over 1M businesses.

Charles Ng
7 min readadvanced
--
View Original

Overview

The article outlines Shopify's evolution in managing TLS certificates, detailing the transition from manual provisioning to a fully automated system that now serves over 1 million merchants. It highlights the challenges faced, solutions implemented, and the integration of Let’s Encrypt as a certificate authority.

What You'll Learn

1

How to automate TLS certificate provisioning using API calls

2

Why using Let’s Encrypt can reduce costs for TLS certificates

3

When to migrate TLS provisioning to a cloud provider

Prerequisites & Requirements

  • Understanding of TLS and certificate management concepts
  • Familiarity with API integration(optional)

Key Questions Answered

How did Shopify automate TLS certificate provisioning?
Shopify automated TLS certificate provisioning through its Notary system, which uses API calls to request certificates from the certificate authority, verify domain ownership, and deliver the certificate/private key pair. This automation also includes automatic renewals, significantly reducing manual labor and errors.
What challenges did Shopify face with manual TLS certificate provisioning?
Shopify faced several challenges with manual TLS certificate provisioning, including labor-intensive updates, the need for additional IP addresses for new certificates, and the complexity of managing multiple domains within a single certificate. These issues became unsustainable as the number of merchants grew.
What is the role of Let’s Encrypt in Shopify's TLS strategy?
Let’s Encrypt is a non-profit certificate authority that provides free TLS certificates. Shopify has transitioned to using Let’s Encrypt for most of its certificates, which has helped reduce costs and simplify the provisioning process, especially after the service launched in April 2016.
How did Shopify handle mixed content warnings on storefronts?
To resolve mixed content warnings, Shopify processed all shop themes to replace HTTP references with HTTPS. This ensured that all resources on the page were encrypted, thus providing a secure experience for users and eliminating browser warnings.

Key Statistics & Figures

Number of merchants supported by Shopify's TLS system
1M+
This figure represents the scale at which Shopify's automated TLS certificate provisioning system operates.

Technologies & Tools

Some links below are affiliate links. We may earn a commission if you make a purchase.

Backend
Nginx
Used as a load balancer and for serving dynamic content through scripting.
Backend
Openresty
Utilized to script nginx for dynamic TLS certificate loading.
Certificate Authority
Let’s Encrypt
Provides free TLS certificates for Shopify's merchants.

Key Actionable Insights

1
Implementing an automated TLS certificate provisioning system can significantly reduce the manual workload and errors associated with certificate management.
As seen in Shopify's journey, automating this process allowed for scalability and efficiency, especially as the number of merchants increased.
2
Migrating to a cloud provider for TLS management can simplify certificate handling and reduce maintenance overhead.
Shopify's move to cloud-managed certificates allowed for automatic renewals and eliminated storage concerns, making it a strategic choice for scaling operations.
3
Utilizing Let’s Encrypt can provide a cost-effective solution for obtaining TLS certificates.
By adopting Let’s Encrypt, Shopify was able to eliminate expenses associated with paid certificate authorities, which is particularly beneficial for businesses looking to optimize costs.

Common Pitfalls

1
Relying on manual certificate provisioning can lead to significant operational challenges as the number of domains increases.
This often results in labor-intensive processes, increased potential for errors, and difficulties in managing multiple certificates, which can hinder scalability.

Related Concepts

TLS Certificate Management
API Integration For Automation
Cloud Infrastructure For Scalability