What Let's Encrypt is
Let's Encrypt is a free, automated, open certificate authority operated by the Internet Security Research Group (ISRG), a nonprofit. It issues Domain Validation (DV) certificates only — it verifies that you control the domain, not who you are as an organization. Certificates have a 90-day validity period by design.
The ACME protocol (RFC 8555) is the standard interface for automated certificate issuance and renewal. Let's Encrypt supports two challenge types: HTTP-01 (place a token at a well-known URL on the domain) and DNS-01 (place a TXT record in the domain's DNS). DNS-01 is required for wildcard certificates (*.example.com) and for issuance when the server is not publicly reachable. HTTP-01 is simpler and supported by almost every ACME client.
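Both challenge types derive their proof from the same two inputs: the challenge token the CA hands out and the RFC 7638 thumbprint of the account's public key. The following is an added example, not code from the article or from any ACME client; the JWK and token are constructed sample values, and the function names are my own.

```python
import base64
import hashlib
import json

# Required JWK members per RFC 7638 section 3.2, by key type. Any other member
# (kid, alg, use, ...) is excluded from the thumbprint input.
_REQUIRED = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}


def b64url(data: bytes) -> str:
    """Base64url without padding, as ACME (RFC 8555 section 8.1) requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 over the canonical JSON of the required
    members only (keys sorted lexicographically, no whitespace), base64url."""
    members = _REQUIRED[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in members},
                           sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def key_authorization(token: str, jwk: dict) -> str:
    """HTTP-01: the exact body served at /.well-known/acme-challenge/<token>."""
    return f"{token}.{jwk_thumbprint(jwk)}"


def dns01_txt_value(token: str, jwk: dict) -> str:
    """DNS-01: the value of the _acme-challenge.<domain> TXT record, which is
    the base64url SHA-256 of the key authorization (not the string itself)."""
    digest = hashlib.sha256(key_authorization(token, jwk).encode("ascii")).digest()
    return b64url(digest)


def http01_response_matches(body: str, token: str, jwk: dict) -> bool:
    """What the CA checks after fetching the HTTP-01 URL: the key authorization
    must match exactly; trailing whitespace is tolerated (RFC 8555 section 8.3)."""
    return body.rstrip() == key_authorization(token, jwk)


# Constructed sample account key (a public P-256 JWK with an extra "kid" member,
# which must not influence the thumbprint) and a sample challenge token.
SAMPLE_JWK = {
    "kty": "EC", "crv": "P-256", "kid": "acct-1",
    "x": "f83OJ3D2xF1Bg8vub9tLe1gHMzV76e8Tus9uPHvRVEU",
    "y": "x_FEzRu9m36HLN_tue659LNpXW6pCyStikYjKIWI5a0",
}
SAMPLE_TOKEN = "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA"

if __name__ == "__main__":
    print("HTTP-01 body :", key_authorization(SAMPLE_TOKEN, SAMPLE_JWK))
    print("DNS-01 TXT   :", dns01_txt_value(SAMPLE_TOKEN, SAMPLE_JWK))
```

A common misconfiguration is publishing the key authorization string itself in the TXT record; the CA expects the hashed form, so the DNS-01 validation fails while the HTTP-01 body for the same token would be correct.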
Every Let's Encrypt certificate is logged to multiple Certificate Transparency (CT) logs before delivery. Issuance is subject to rate limits (50 certificates per registered domain per week), which are rarely a concern for typical deployments but matter for large-scale automation.
What commercial CAs offer
Commercial CAs (DigiCert, Sectigo, GlobalSign, Entrust, and others) offer the same DV certificates as Let's Encrypt plus two additional validation tiers:
- Organization Validation (OV) — the CA verifies the legal existence of the organization via business registry checks, phone verification, and document review. The organization's name appears in the certificate's Subject field. OV costs $50–$300/year depending on provider and volume.
- Extended Validation (EV) — a more rigorous vetting process with stricter identity verification requirements defined by the CA/Browser Forum. EV was historically displayed with a green address bar and the organization's name prominently shown. Major browsers removed the prominent EV UI in 2019, significantly reducing its visible differentiation from OV.
Commercial CAs also offer multi-year purchase options, wildcard certificates without requiring DNS-01 (using OV or EV vetting instead), SLA guarantees on issuance and revocation, dedicated support contracts, and compatibility warranties (financial indemnification if a certificate is mis-issued).
Trust: are they equivalent?
For DV certificates, browser trust is equivalent. A DV certificate from Let's Encrypt and a DV certificate from DigiCert provide the same cryptographic guarantee to the browser: the domain name in the certificate matches the domain the browser is connecting to, and the certificate was issued by a CA in the browser's trust store.
Neither a DV certificate from LE nor one from a commercial CA proves anything about who operates the website, the legal identity of the organization, or the legitimacy of the service. That information is not part of DV — it is the purpose of OV and EV.
OV and EV certificates include verified organization data (legal name, country, sometimes jurisdiction). This information is in the certificate and can be inspected, but browsers do not surface it prominently anymore. Some enterprise security tools, EDR products, and firewall deep-packet inspection rulesets do differentiate on OV/EV. For human-facing trust signals, the practical difference today is minimal for most web applications.
Legacy client compatibility is occasionally raised as a reason to prefer commercial CAs. Let's Encrypt's root certificates (ISRG Root X1 and X2) are widely trusted, but very old systems (Android < 7.1, older embedded devices) may not have ISRG Root X1. LE addressed this via a cross-signature with IdenTrust DST Root CA X3 (now expired) and currently chains to ISRG Root X1. If you have evidence of clients on these very old platforms, test compatibility before assuming LE will work.
Automation: the great equalizer
ACME is no longer exclusive to Let's Encrypt. ZeroSSL, Buypass, and several commercial CAs including DigiCert and Sectigo now support ACME for automated issuance. This means the automation benefits of LE are achievable with a commercial CA if needed.
The 90-day certificate lifetime is often cited as a drawback of Let's Encrypt. In practice, it is a forcing function for automation. Organizations that successfully automate renewal for 90-day certs are more resilient than those manually managing 1-year or 2-year certs — manual processes fail silently, and an expired cert is discovered by users, not by the operations team.
The argument "we need longer certs to avoid frequent renewals" is only valid without automation. With a working ACME client (Certbot, acme.sh, cert-manager in Kubernetes, Caddy's built-in ACME), renewal is fully automatic. The operational burden of a 90-day cert with automation is lower than a 1-year cert managed manually.
The CAB Forum voted in 2023 to move toward 90-day maximum certificate lifetimes as a baseline requirement, and further discussion targets 47-day certificates. Commercial CAs will be required to support this. Organizations invested in manual certificate management are facing a forced migration to automation regardless of CA choice.
When to choose Let's Encrypt
Let's Encrypt is the correct choice for the vast majority of use cases:
- Public-facing websites, APIs, and web applications where DV trust is sufficient
- Internal services where you can use DNS-01 challenge
- Developer tooling, staging environments, and non-production infrastructure
- Any deployment where ACME automation is feasible
- Cost-conscious environments — "free" eliminates certificate budget discussions entirely
- High-volume automation (hundreds or thousands of certificates) — LE rate limits accommodate significant scale at zero cost
When to choose a commercial CA
Commercial CAs are justified in specific circumstances:
- Legacy systems that do not support ACME — some older load balancers, appliances, and enterprise software require manual certificate installation. If automation is not feasible, longer-lived commercial certs reduce operational overhead.
- OV or EV requirements — regulated industries, government contracts, or enterprise sales processes may require OV or EV certificates to satisfy compliance requirements or procurement criteria. LE does not issue OV or EV.
- Support SLA requirements — if your certificate issuance process needs a contractual SLA with a named support contact, commercial CAs provide this. LE does not offer support contracts.
- Code signing certificates — Let's Encrypt does not issue code signing certificates. These require a commercial CA, typically Sectigo or DigiCert, with OV or EV vetting.
- S/MIME email certificates — LE does not issue S/MIME certificates for email signing and encryption. These require a separate CA.
- Multi-year budget commitments — some organizations prepay multi-year certificates for budget predictability. This is an organizational constraint, not a technical one.
The certificate lifetime trend
The industry is converging on shorter certificate lifetimes. The CAB Forum's "Shifting Gears" proposal targets a maximum of 47 days for TLS certificates within the next few years. The security rationale is sound: shorter lifetimes limit the window during which a compromised private key or a mis-issued certificate can be exploited before automatic replacement occurs. Revocation has historically been unreliable (OCSP soft-fail, CRL caching), and short-lived certs are a more robust substitute for revocation checks.
For organizations still on manually managed multi-year certificates, the direction of travel is clear: automation is not optional in the medium term. Investing in ACME automation now — whether with LE or a commercial CA — is the technically sound choice regardless of the CA selected.