
Navigating SSL Options: OV/EV vs. Let’s Encrypt DV – A Clear Guide

When to Choose a Free SSL/TLS Certificate (Like Let’s Encrypt) vs. a Paid Certificate Authority: What You Need to Know

[Image: Padlock and Chain. Photo by FYLD on Unsplash]

In today’s digital world, securing websites with SSL/TLS certificates is essential. Browsers and search engines penalise unsecured sites, and users rightly feel more comfortable when they see the padlock symbol in the address bar. However, not all SSL/TLS certificates are created equal. There are both free and paid options available, each serving different purposes and fitting distinct needs. As a paid certificate authority (CA), we offer a variety of premium SSL/TLS certificates, but we also recognise the valuable role that free certificates from providers like Let’s Encrypt can play. Here, we’ll explore when and why you might choose a free SSL certificate over a paid one and the key factors to consider when implementing free options like Let’s Encrypt.

Why Use SSL/TLS at All?

SSL/TLS certificates encrypt the data transmitted between a website (or other protected service) and its users, protecting sensitive information like passwords, personal details, and payment information. Beyond security, SSL/TLS helps with:

  • Establishing Trust: It signals to users that their connection to the website is secure.
  • Search Engine Optimisation (SEO): Google and other search engines are known to prioritise secure sites in their rankings.
  • Compliance: Many regulations, such as GDPR, recommend or require the use of encryption for handling personal data.

With these benefits in mind, let’s dive into the considerations for choosing between free and paid-for SSL/TLS certificates.

When a free certificate like Let’s Encrypt is a good fit

Let’s Encrypt is an excellent choice in certain cases, particularly for smaller websites with basic security needs. Here are some situations where a free certificate could be ideal:

  1. Personal Projects or Non-Commercial Sites: If you’re running a personal blog, portfolio, or non-profit site with no e-commerce or sensitive data, a free certificate from Let’s Encrypt can be a great, cost-effective solution.
  2. Small Businesses with Basic Websites: For local businesses with straightforward websites and limited budgets, Let’s Encrypt provides essential SSL/TLS coverage at no cost.
  3. Short-Term Projects: If you’re launching a website for a limited-time event or project, a free certificate can be convenient and practical.
  4. Development or ancillary systems: Let’s Encrypt certificates may be appropriate where a website or service is not intended for public use and does not carry a high level of risk.
  5. Outsourced providers: Let’s Encrypt and tools such as Certbot are widely available, which has allowed some outsourced website providers to use Let’s Encrypt seamlessly in preference to certificates from paid providers.

When a paid SSL/TLS Certificate is the better option

Paid SSL/TLS certificates come with added benefits, validation levels, and support that go beyond what a free option like Let’s Encrypt can provide. Here’s when you should consider investing in a paid certificate:

  1. Extended Validation (EV) Requirements: Organisations that want the highest level of trust and validation may need an EV SSL certificate, which is available only through paid certificate authorities. In some browsers, EV certificates display the organisation’s name in the address bar, adding an extra layer of trust for customers, especially for e-commerce and banking websites.
  2. Wildcard and Multi-Domain Coverage: Paid CAs offer more flexibility with wildcard and multi-domain certificates that Let’s Encrypt does not fully support. If you need to secure multiple subdomains or several domains under a single certificate, paid options make this easier to manage.
  3. Longer Renewal Periods: While Let’s Encrypt certificates must be renewed every 90 days, paid certificates can last up to a year, reducing maintenance efforts.
  4. Warranty and Support: Paid SSL/TLS certificates often come with a warranty, which protects your organisation in the unlikely event of a breach caused by a flaw in the certificate or the certificate being wrongly issued. Additionally, paid providers usually offer technical support, which can be invaluable when dealing with installation issues or troubleshooting.
  5. Regulatory and Compliance Standards: Some use cases have stringent data-handling and compliance requirements that recommend or require OV (Organisation Validation) or EV certificates, which add a layer of organisational vetting.

Key Considerations for Using Let’s Encrypt

If Let’s Encrypt seems like a suitable fit, there are a few prerequisites and best practices to keep in mind:

  1. Rate limits: To protect the free service, Let’s Encrypt imposes strict rate limits on metrics such as account registrations and certificate issuance. Some of these limits apply to a domain as a whole rather than to an individual name within it (e.g. a request for test.example.ac.uk counts towards the limit for example.ac.uk). Full details are available at https://letsencrypt.org/docs/rate-limits/.
  2. Backup and Monitoring: Because Let’s Encrypt certificates renew frequently, monitoring is needed to confirm that each certificate remains valid and has actually been renewed automatically. Downtime due to an expired certificate can impact both user trust and SEO rankings.
  3. Automatic Renewal Setup: Let’s Encrypt certificates expire every 90 days, so setting up automatic renewal is essential to avoid lapses in coverage. Tools like Certbot simplify this process by automating both the installation and renewal of certificates.
  4. Basic Security Knowledge: Let’s Encrypt offers Domain Validation (DV) certificates, which only confirm control over the domain. This validation level is sufficient for encryption but doesn’t verify the organisation’s identity, as OV and EV certificates do. This is important for website owners to understand when considering the level of assurance they want to provide their users.
  5. Server Configuration Compatibility: Ensure your server environment is compatible with Let’s Encrypt and its ACME protocol, which enables automated certificate issuance and renewal. Common servers like Apache and Nginx are well-supported, but some specialised setups might require additional work.
  6. Understanding Limitations: While Let’s Encrypt is a convenient, cost-effective solution, it has limitations in terms of validation, coverage, and support. For instance, if you need a wildcard certificate or multi-domain support, you’ll need to review Let’s Encrypt’s specific offerings or consider a paid certificate.
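As an added example of the monitoring point above (this is not code from the original post or from Jisc), the check below classifies a certificate's remaining lifetime for a monitoring system. The 30-day and 7-day thresholds and the placeholder host are assumptions: Certbot attempts renewal once a certificate is within 30 days of expiry, so a 90-day Let’s Encrypt certificate with fewer than 30 days left means automatic renewal has not happened.

```python
import socket
import ssl
import time

# Added example (not from the original post). Thresholds are assumptions: Certbot
# attempts renewal once a certificate is within 30 days of expiry, so a 90-day
# Let's Encrypt certificate with fewer than 30 days left means automatic renewal
# has not happened; fewer than 7 days left needs immediate attention.
WARN_DAYS = 30
CRITICAL_DAYS = 7

def days_remaining(not_after: str, now_ts: float = None) -> float:
    """not_after is in the format getpeercert() returns, e.g. 'Jan 20 00:00:00 2025 GMT'."""
    if now_ts is None:
        now_ts = time.time()
    return (ssl.cert_time_to_seconds(not_after) - now_ts) / 86400

def assess(not_after: str, now_ts: float = None) -> str:
    """Map the remaining lifetime to a monitoring state: 'ok', 'warning' or 'critical'."""
    days = days_remaining(not_after, now_ts)
    if days < CRITICAL_DAYS:
        return "critical"
    if days < WARN_DAYS:
        return "warning"
    return "ok"

def fetch_not_after(host: str, port: int = 443, timeout: float = 5.0) -> str:
    """Live check: a full TLS handshake with chain and hostname verification, so an
    expired or mismatched certificate raises here instead of being reported as 'ok'."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()["notAfter"]

if __name__ == "__main__":
    import sys
    host = sys.argv[1] if len(sys.argv) > 1 else "www.example.ac.uk"  # placeholder host
    not_after = fetch_not_after(host)
    print(f"{host}: expires {not_after}, state={assess(not_after)}")
```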

Summary: Free vs. Paid-for SSL/TLS Certificates

While Let’s Encrypt and other free certificate providers have made basic SSL/TLS accessible, there are clear advantages to paid-for certificates that are crucial for business-critical, high-trust, or multi-domain websites. Here’s a quick recap:

Feature                                | Let’s Encrypt (Free)                    | Paid Certificate Authorities
Validation Level                       | Domain Validation (DV) only             | DV, OV, EV (including company info)
Renewal Period                         | 90 days (automatic renewal recommended) | Up to 1 year
Support for Wildcard and Multi-Domain  | Limited                                 | Broad, flexible options
Warranty and Technical Support         | No                                      | Yes, often includes warranty
Browser Trust Indicator                | Padlock only                            | Padlock + EV name for EV certificates

In summary, Let’s Encrypt provides valuable, basic SSL/TLS coverage that serves many websites well, especially those with standard security needs. But for businesses and organisations handling sensitive data, prioritising customer trust, or managing large, multi-domain environments, a paid-for certificate can provide the added benefits and flexibility that a free option cannot match.

Whether you’re considering Let’s Encrypt or a premium SSL/TLS certificate, the choice should be based on your website’s needs, the security level you want to offer your users, and the resources you can dedicate to SSL/TLS management.

Caveats when using Let’s Encrypt for certain deployment scenarios

The ACME (Automated Certificate Management Environment) protocol, used to automate SSL/TLS certificate issuance, runs into difficulties in some edge cases with both the HTTP-01 and DNS-01 challenge types.

The automated challenge proves to the Certificate Authority (CA) that the requestor controls the relevant domain name(s). When a signing request is received, the CA challenges the requestor to publish a random value that the CA can then securely verify. More details about challenge types are available at https://letsencrypt.org/docs/challenge-types

ACME HTTP-01 Challenge

This is the default challenge for most situations. It requires the requestor to publish a random value supplied by the CA at a “well-known” location (http://www.example.ac.uk/.well-known/acme-challenge/<TOKEN>). While this is a simple and accessible option for many deployment scenarios, it has some drawbacks:

  • Network Accessibility: The server needs to be publicly accessible, which can be problematic with strict firewall rules or NAT configurations
  • Dynamic IPs: Frequent changes in IP addresses can disrupt the validation process
  • Complex Infrastructures: Clusters, load balancers and reverse proxies can complicate serving the challenge file correctly

ACME DNS-01 Challenge

Similar to the HTTP challenge, this is solved by the requestor publishing the random value within their Domain Name System (DNS) zone (e.g. at _acme-challenge.www.example.ac.uk). This can mitigate some of the issues with the HTTP challenge but brings its own hurdles.

  • DNS Propagation: Delays in DNS record updates can hinder timely validation
  • Dynamic DNS (DDNS, RFC2136 or others): Frequent Dynamic DNS updates can cause inconsistencies, leading to validation failures
  • Provider Limitations: Some DNS servers/providers may have API rate limits or lack support for automated updates, complicating the process

In summary, while ACME challenges are designed to streamline certificate management, edge cases such as development or internal systems and unusual DNS configurations can introduce significant difficulties. Stable and reliable network and DNS configurations are essential for successful validation.
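As an added example of the two challenge types described above (not code from the original post or from Let’s Encrypt), the functions below compute what the requestor must publish for HTTP-01 and DNS-01 and what the CA then checks, following RFC 8555 (ACME) and RFC 7638 (JWK thumbprints). The account key and token are constructed placeholder values, not real credentials.

```python
import base64
import hashlib
import json

def b64url(data: bytes) -> str:
    """Base64url without padding, as ACME requires everywhere."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 over the required members only, sorted, with no
    whitespace. Extra members such as 'alg' or 'kid' do not change the result."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required},
                           sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())

def key_authorization(token: str, account_jwk: dict) -> str:
    """'<token>.<thumbprint>' ties the CA's token to the requestor's account key, so
    a value copied from someone else's challenge is useless to a third party."""
    return f"{token}.{jwk_thumbprint(account_jwk)}"

def http01_challenge(domain: str, token: str, account_jwk: dict) -> tuple[str, str]:
    """HTTP-01: the URL the CA will fetch and the exact body it expects there."""
    return (f"http://{domain}/.well-known/acme-challenge/{token}",
            key_authorization(token, account_jwk))

def dns01_challenge(domain: str, token: str, account_jwk: dict) -> tuple[str, str]:
    """DNS-01: the TXT record name and value. A wildcard name (*.example.ac.uk) is
    validated at the base name, which is why wildcard issuance uses DNS-01."""
    digest = hashlib.sha256(key_authorization(token, account_jwk).encode()).digest()
    return f"_acme-challenge.{domain.removeprefix('*.')}", b64url(digest)

def ca_verify_http01(body: str, token: str, account_jwk: dict) -> bool:
    """CA side: the fetched body must equal the key authorization (trailing newline tolerated)."""
    return body.rstrip("\r\n") == key_authorization(token, account_jwk)

def ca_verify_dns01(txt_records: list, domain: str, token: str, account_jwk: dict) -> bool:
    """CA side: at least one TXT record at _acme-challenge.<domain> must match."""
    return dns01_challenge(domain, token, account_jwk)[1] in txt_records

# Constructed placeholder account key (EC P-256 public key as a JWK) and token;
# neither is a real credential, they only need to be well-formed strings here.
ACCOUNT_JWK = {"kty": "EC", "crv": "P-256", "alg": "ES256", "kid": "acct-1",
               "x": "f83OJ3D2xF1Bg8vub9tLe1gHMzV76e8Tus9uPHvRVEU",
               "y": "x_FEzRu9m36HLN_tue659LNpXW6pCyStikYjKIWI5a0"}
TOKEN = "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA"
```

The value published for DNS-01 does not depend on the domain name, which is why the same account can satisfy challenges for several names in one order without re-deriving anything.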

Other certificate use cases

Most certificates are used to authenticate a server to a browser or other client. Two other use cases are also worth noting.

S/MIME (Secure email)

S/MIME certificates are used for email encryption and digital signatures. Here are some options for obtaining them for free:

  1. Actalis: Actalis offers free S/MIME certificates for personal use, valid for one year.
  2. Self-Signed Certificates: You can create your own S/MIME certificates for personal or internal-enterprise use. While these won’t be trusted by default in all email clients, they can be useful for internal or personal communications.

Code Signing certificates

Code Signing certificates may be required by a small number of people in some situations, but obtaining them can be challenging due to compliance and security constraints. Here are some options and considerations:

  1. Open Source Projects: Some organisations, like sigstore (https://docs.sigstore.dev/certificate_authority/overview/), provide free code signing services specifically for open-source projects. Sigstore aims to improve supply chain security by offering easy code signing and verification.
  2. Microsoft Store: For individual developers, publishing apps through the Microsoft Store can be a cost-effective way to get code signing. While not entirely free, it is significantly cheaper than traditional code signing certificates.
  3. Self-Signing: For internal use or testing, you can create self-signed certificates. However, these are not trusted by external users and are not suitable for public distribution.

And that’s a wrap! If this has been a helpful read, make sure to keep an eye out for further updates.

If you have any feedback or questions in the meantime, please contact the service desk via certificates@jisc.ac.uk
