This article discusses the differences between SSL certificates provided by Let's Encrypt and those provided by traditional certificate providers.
The first thing most people notice is that Let's Encrypt certificates are free, this leads most people to the ultimate next question - why should I bother paying for one? (Also remember if you're not on an SNI enabled server you may need to pay for an IP address as well as a certificate).
Let's Encrypt provide basic SSL encryption, but they do provide encryption, so it depends on your reasons for requiring a secure certificate, if it's just to secure a contact form a Let's Encrypt certificate may be all you need, if it's something more involved you may want to consider purchasing a certificate from an established Certificate Authority.
Key differences between the two are:
- Extended validity: Let's Encrypt certificates are only valid for 90 days and must be renewed frequently (our cPanel implementation does this automatically for you). Most traditional SSL certificates are valid for at least one year.
- Warranty: Let's Encrypt certificates do not include a warranty, whereas traditional SSL certificates usually do.
- To view the full Let's Encrypt Subscriber Agreement, please visit https://letsencrypt.org/documents/LE-SA-v1.0.1-July-27-2015.pdf.
- For an example of a warranty from GlobalSign, please visit https://www.globalsign.com/en/repository/globalsign-warranty-policy.pdf.
- Support: Let's Encrypt does not have staff available to assist with creating or installing SSL certificates, where as a certificate authority will do.
- Customer vetting: Let's Encrypt uses basic domain-based vetting (the ACME protocol) to issue SSL certificates. Traditional CA providers use additional procedures (phone, email, domain or more) to help verify that customers actually are who they claim to be.
SSL certificate options: Let's Encrypt only offers domain-validated certificates (DV). If you need the extra security of an extended validation certificate (EV) for your site, you must purchase one from a traditional CA provider. Additionally, Let's Encrypt does not offer wildcard or multi-domain certificates.