Abstract

There’s a particular flavor of skepticism that shows up whenever someone suggests using Let’s Encrypt. The security team crosses their arms. “Free certificates? For production? We’re a serious organization. We use Sectigo.”

I get it. You’ve been buying certificates from the same vendors for twenty years. They send you invoices, you pay them, certificates appear. It feels responsible, and free feels like a trap.

But is it?

What is Let’s Encrypt?

Let’s Encrypt is a certificate authority operated by the Internet Security Research Group, a 501(c)(3) nonprofit founded in 2013 by engineers from Mozilla. It started issuing certificates in 2015 and by 2026 holds 60% market share. Internet infrastructure providers such as Cloudflare, GitHub, and Mozilla use Let’s Encrypt.

You’re not paying for better encryption

A free Let’s Encrypt certificate uses the same encryption as that $500 Extended Validation certificate. The only difference is the paperwork verifying that you are who you say you are. Domain Validation (DV) certificates only verify that you control the domain, but it turns out that’s all anyone really cares about.

Organization Validation (OV) verifies your business exists. Extended Validation (EV) adds sixteen additional identity checks. That sounds important until you learn that EV and OV certificates haven’t mattered in over five years.

Chrome killed the green address bar in 2018 and removed company names entirely in 2019. Safari and Firefox followed. Google’s security team published research showing users didn’t make safer choices when EV indicators were present. So they got rid of them.

Amazon, Netflix, eBay, Target, and Walmart all use standard DV certificates. These companies have unlimited security budgets. They chose DV anyway because the other stuff doesn’t actually matter.

Let’s Encrypt is more sustainable than your CA

“But what happens when the free CA goes away? At least DigiCert will be around.”

Will they?

DigiCert is owned by Clearlake Capital, and Sectigo is owned by GI Partners. Private equity ownership means the company exists to generate returns for investors: deliver a locked-in service as cheaply as possible until you’ve extracted every penny from it. Ask Toys ‘R’ Us how that goes.

Let’s Encrypt, on the other hand, is funded by donations from organizations that depend on the CA ecosystem remaining competitive. Their 2024 financials show $9.56 million in revenue, $5.1 million in net assets, and 27 employees running infrastructure for 762 million websites. Sponsors include Google, Amazon Web Services, Mozilla, EFF, Cisco, IBM, and Shopify.

These sponsors need Let’s Encrypt to exist. A free CA with 60% market share gives them leverage against commercial certificate pricing. Google and AWS aren’t funding Let’s Encrypt out of charity. They’re funding it because the alternative is letting DigiCert and Sectigo set prices and dictate technology requirements.

That’s more sustainable than private equity.

The commercial CAs have the worse track record

Let’s Encrypt has operated since 2015 with no security breaches of CA infrastructure. In 2020, they discovered a bug in their CAA checking code that affected about 3 million certificates. They disclosed it immediately, patched it within hours, and began revocations within days. Their 90-day certificate lifetime meant all remaining affected certificates expired naturally within weeks.
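The CAA check mentioned above is the lookup every CA must perform before issuance, defined in RFC 8659: find the closest CAA record set walking from the requested name toward the root, then see whether it names the CA. This is an added example, not Let’s Encrypt’s code; the zone data is constructed.

```python
# Added example: RFC 8659 CAA evaluation as a CA would perform it before
# issuing. Not Let's Encrypt's code; ZONE below is constructed sample data.

# Constructed DNS data: name -> list of CAA records as (flags, tag, value).
# Domain owners publish these to restrict which CAs may issue for them.
ZONE = {
    "example.com": [(0, "issue", "letsencrypt.org"), (0, "issuewild", ";")],
    "api.example.com": [(0, "issue", "digicert.com; validationmethods=dns-01")],
    "legacy.example.com": [(128, "futuretag", "unknown")],
}

def relevant_caa(name: str, zone: dict) -> list:
    """RFC 8659 section 3: use the CAA set at the name, else climb to parents."""
    labels = name.rstrip(".").split(".")
    for i in range(len(labels)):
        rrset = zone.get(".".join(labels[i:]))
        if rrset:
            return rrset
    return []

def ca_may_issue(name: str, ca_domain: str, zone: dict = ZONE) -> bool:
    """Return True if ca_domain is permitted to issue a certificate for name.
    A leading '*.' means a wildcard certificate is being requested."""
    wildcard = name.startswith("*.")
    if wildcard:
        name = name[2:]
    rrset = relevant_caa(name, zone)
    if not rrset:
        return True  # no CAA anywhere in the ancestry: any CA may issue
    # An unrecognised property with the critical flag (bit 128) forbids issuance.
    if any(flags & 128 and tag not in ("issue", "issuewild", "iodef")
           for flags, tag, _ in rrset):
        return False
    tags = {tag for _, tag, _ in rrset}
    # issuewild governs wildcards only when present; otherwise issue does.
    governing = "issuewild" if wildcard and "issuewild" in tags else "issue"
    if governing not in tags:
        return True  # only other properties (e.g. iodef): no restriction
    for _, tag, value in rrset:
        if tag != governing:
            continue
        issuer = value.split(";", 1)[0].strip().lower()  # drop parameters
        if issuer and issuer == ca_domain.lower():
            return True
    return False  # records exist but none name this CA (";" alone = nobody)
```

Running the same function over your own zone before switching CAs tells you whether an existing CAA record would block the new CA.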

Compare that to the commercial CAs.

In July 2024, DigiCert discovered they’d been issuing certificates with improper domain validation for five years. The cause was a missing underscore prefix in their verification system. They gave customers 24 hours to replace 83,000 certificates. CISA issued an emergency alert. Critical infrastructure operators couldn’t meet the deadline. Some customers sued.

That same year, Google, Apple, and Mozilla all announced they would stop trusting certificates from Entrust, one of the oldest commercial CAs. Google cited “a pattern of compliance failures, unmet improvement commitments, and the absence of tangible, measurable progress” over six years. Entrust had delayed revocations, missed deadlines, and failed to meet the standards every CA agrees to follow.

The free nonprofit CA has a cleaner record than the paid alternatives.

When paying actually makes sense

I’m not going to pretend there’s never a reason to buy certificates.

There are some banking and healthcare compliance requirements that dictate OV and EV certificates.

Or maybe you need contractual Service Level Agreements. If your procurement department requires a vendor agreement with guaranteed uptime commitments, Let’s Encrypt won’t sign one.

Or maybe you require a phone number for support. Let’s Encrypt won’t do that either; it has only a community support forum.

But maybe you should push back on that. In 2026, certificates are a standardized commodity. You don’t need a contractual SLA from Lowe’s to buy a lightbulb. You don’t need to call McDonald’s to debug your hamburger. If something’s wrong with your certificate, just generate a new one.

The question you should actually be asking

The objection to Let’s Encrypt usually comes down to “free feels risky.” But the evidence points the other way. They issue 60% of certificates, including ones at companies that sell you security tools.

The real question isn’t whether Let’s Encrypt is good enough for your organization. It’s whether your objections are based on current evidence or just institutional habit.

CertKit automates certificate lifecycle management so you can stop thinking about SSL certificates entirely.