Let's Encrypt

What is Let's Encrypt?

Let's Encrypt is a free, automated, and open certificate authority (CA) that provides SSL/TLS certificates to enable HTTPS on websites. Launched in 2016 by the Internet Security Research Group (ISRG), the project not only revolutionized how we obtain and manage digital certificates but also democratized access to HTTPS, making the web safer for everyone.

Key features:

  • Free: no cost at all for DV (Domain Validated) certificates
  • Automated: Issuance and renewal via ACME protocol
  • Open: Open-source software and transparent processes
  • Secure: Trusted by all major browsers and operating systems
  • Simple: Fast and straightforward validation process

Let's Encrypt only issues certificates with a 90-day validity. The short lifetime limits the window in which a compromised key remains usable and pushes operators toward automated renewal via ACME. There is no paid, premium, or "special" option to extend this period.

If you need longer periods (1 year), you'll need to migrate to a commercial CA (e.g., DigiCert, GlobalSign). However, for 99% of cases, automation completely solves this.

How Does It Work?

Let's Encrypt uses the ACME (Automatic Certificate Management Environment) protocol to automate certificate issuance and renewal. The process involves three main steps:

  1. Domain Control Validation - Prove that you control the domain
  2. Certificate Generation and Signing - Let's Encrypt issues the certificate
  3. Automatic Renewal - Renewal before expiration (90 days)

In step 1, there are 3 different methods to prove domain control (choose one):

Method        How it works               When to use
HTTP-01       Token on port 80           Most common case
DNS-01        TXT record in DNS          Wildcards, internal servers
TLS-ALPN-01   TLS handshake on port 443  Port 80 blocked

Steps 2 and 3 are identical regardless of the chosen method. See details of each method in the articles above.

When to Use?

Ideal Use Cases

Let's Encrypt is highly recommended for:

1. Production Websites and Web Applications

  • Public websites: Blogs, portfolios, landing pages
  • E-commerce: Online stores (with caveats for EV certificates)
  • REST/GraphQL APIs: Secure communication between services
  • SaaS applications: Multi-tenant platforms

2. Development and Staging Environments

  • Staging environments: Valid certificates at no cost
  • Integration testing: Simulate real production environment
  • CI/CD pipelines: Temporary certificates for testing

3. Modern Infrastructure

  • Kubernetes/Docker: Certificates for Ingress controllers
  • Microservices: TLS between services (service mesh)
  • Load balancers: SSL/TLS termination on reverse proxies
  • CDN: Integration with Cloudflare, AWS CloudFront

4. Open Source and Educational Projects

  • Documentation: GitHub Pages, Read the Docs
  • Personal projects: No cost for experimentation
  • Educational environments: Teaching HTTPS and PKI

Production Advantages

Yes, it's definitely worth using in production!

  • Zero cost: Significant savings compared to commercial CAs
  • Complete automation: Reduces human error and operational overhead
  • Equivalent security: Same encryption as paid certificates
  • Universal trust: Trusted by 99%+ of browsers
  • Automatic renewal: Eliminates expiration risks
  • Generous rate limits: 50 certificates/domain/week

Cases Where Let's Encrypt Is Not Used

Some companies need certificates with formal guarantees, contracted support, or corporate validation.

1. EV (Extended Validation) and OV (Organization Validation) Certificates

Let's Encrypt only issues DV (Domain Validation) certificates, which only validate domain control. If you need organization validation, there are two types of commercial certificates:

OV - Organization Validation

A mid-tier certificate (between DV and EV) that validates both the domain and the organization that owns it:

  • What it validates: Domain + company data (registration number, legal name, address)
  • Process: CA manually verifies company documents
  • Issuance time: 1-3 days
  • Cost: $50-200/year
  • Displays in certificate: Company name, location, country
  • Typical use: Corporate websites, intranets, B2B portals

EV - Extended Validation

A premium certificate with rigorous organization audit:

  • What it validates: Everything from OV + complete company audit
  • Process: Extensive verification of physical existence, legal ownership, requester's authority
  • Issuance time: 1-2 weeks
  • Cost: $150-1000/year
  • Displays in browser: Company name prominently (modern browsers removed the green bar)
  • Typical use: Banks, large e-commerce, financial institutions

Visual certificate comparison:

DV (Let's Encrypt):
Common Name: example.com

OV (Commercial CA):
Common Name: example.com
Organization: Example Company LLC
Locality: New York
Country: US

EV (Premium Commercial CA):
Common Name: example.com
Organization: Example Bank Inc.
Business Category: Private Organization
Serial Number: 12-3456789
Locality: New York
Country: US

Important: The encryption is identical in all three types. The difference is only in the level of identity verification of the organization, not in connection security.

Let's Encrypt does not offer dedicated support, contractual SLA, or financial guarantees.

2. Environments where ACME is not allowed

Some infrastructures don't allow automation or can't prove domain control as required:

  • Offline/air-gapped environments: Let's Encrypt requires public domain validation
  • Embedded equipment or IoT: Devices that cannot renew certificates every 90 days
  • Wildcard certificates with blocked DNS: To obtain wildcard certificates (*.domain.com), you must prove control through the DNS-01 challenge, which may not be possible in environments with restricted DNS or without automation

3. Certificates with specific parameters that Let's Encrypt doesn't offer

Long-term certificates

  • Let's Encrypt: Maximum of 90 days (fixed, no exceptions)
  • Commercial CAs: 1 to 2 years (some special cases up to 3 years)
  • When it matters: Legacy environments without automation or devices that cannot renew automatically

Large number of SANs (Subject Alternative Names)

Subject Alternative Names allow a single certificate to cover multiple domains and subdomains:

Certificate with SANs:
Common Name: example.com
SANs:
- example.com
- www.example.com
- api.example.com
- admin.example.com
- blog.example.com

Let's Encrypt limits:

  • Maximum of 100 SANs per certificate (technical limit)
  • Rate limit of 50 certificates/week per registered domain
  • For companies with hundreds of subdomains, this can be limiting

Example of a problematic scenario:

Company with 500 subdomains:
- client1.saas.com
- client2.saas.com
- client3.saas.com
...
- client500.saas.com

Would need 5 certificates (100 SANs each)
Better solution: wildcard certificate (*.saas.com)

Code Signing

Certificates for digitally signing software, drivers, executables, and scripts, proving code authenticity and integrity.

Typical use:

  • Signing Windows executables (.exe, .msi, .dll)
  • Kernel drivers (mandatory on Windows)
  • macOS and iOS applications
  • PowerShell scripts
  • Browser extensions

Why Let's Encrypt doesn't offer it:

  • Requires rigorous validation of developer/company identity
  • Manual verification process (EV for code signing)
  • Legal liability for signed code

S/MIME (Secure/Multipurpose Internet Mail Extensions)

Certificates for signing and encrypting emails, ensuring sender authenticity and message confidentiality.

How it works:

Email signed with S/MIME:
From: [email protected] (Verified ✓)
Subject: Financial Report

[Sender's digital signature]
[Encrypted content - only recipient can read]

Benefits:

  • Authenticity: Recipient knows the email really came from you
  • Integrity: Detects if the message was altered in transit
  • Confidentiality: Encrypted content (only recipient can read)
  • Non-repudiation: Sender cannot deny having sent it

Typical use:

  • Sensitive corporate communications
  • Contracts and legal documents via email
  • Regulated sectors (healthcare, financial, government)
  • GDPR/CCPA compliance

Why Let's Encrypt doesn't offer it:

  • Requires personal or corporate identity validation
  • Manual process (cannot be fully automated)
  • The private key belongs to an individual user rather than a server, so it must be managed on the user's side

4. Companies requiring formal audit or internal PKI integration

  • Corporate PKI: Organizations that operate their own PKI and need to integrate certificates with HSM, certified timestamps, or specific root chains
  • Government compliance: Governments that require specific standards

You only need a commercial CA when there is:

  • Formal compliance or audit requirement
  • Need for corporate support with warranty
  • Validation beyond DV (like EV or OV)
  • Long-term certificates
  • Special cases (code signing, S/MIME, closed PKI)

If you don't have any of that, Let's Encrypt is sufficient and even more secure due to automatic renewal.

Let's Encrypt does not issue certificates for:

  • IP addresses (public or private, like 192.168.0.10)
  • Internal domains (.local, .internal, .lan)
  • Servers without public DNS