
Let's Encrypt offers free TLS certificates, including wildcard certificates. Is there ever a reason to pay for a certificate? Is it just "we have to pay for everything so we can sue someone if something breaks" corporate policies?

Someone
  • I think this is more opinion based. In general: not all hosting providers make it possible or easy to use Let's Encrypt. Apart from that, a host might require EV or OV certificates and Let's Encrypt does not offer this. – Steffen Ullrich Jul 30 '22 at 22:09
  • @SteffenUllrich so if my host supports it and DV is enough, there's no reason to use another provider? – Someone Jul 30 '22 at 22:17
  • In addition to what @SteffenUllrich pointed out, certificates from LetsEncrypt typically have very short lifetimes. For example, the LetsEncrypt certificate used to secure security.stackexchange.com at this moment is valid from Jul 20, 2022 to Oct 18, 2022, i.e. only 90 days. If installing the LetsEncrypt ACME client to do automated certificate renewals on your web server is not possible/practical, then it might be more attractive to pay ~$9.00 USD to another CA for a certificate that lasts a year or longer, than to have to manually renew the LetsEncrypt cert every 90 days. – mti2935 Jul 31 '22 at 00:29

2 Answers

The commercial certificate issuers provide technical support. So in case something goes wrong, you have access to a support contact instead of hoping for someone from the community to answer you. Commercial providers issue certificates for longer periods than the 90 days LetsEncrypt certificates.

Together with this there are perks like warranties, proprietary certificate management tools and fancy "this site is secure" .jpgs / site seals.

PasWei
  • As far as I know, there are zero known cases of a warranty ever paying out. But customers certainly may mistakenly consider them a useful selling point. – Matt Nordhoff Jul 31 '22 at 01:04
  • The 90 day validity period definitely matters. Renewing certificates every 90 days means either writing automation software, installing 3rd-party software on your server, or manual IT effort. – Brian Aug 05 '22 at 14:49

I’ll throw in another reason for using other CAs than Let’s Encrypt: diversity. You may not want your entire infrastructure to depend on one single CA. Using certificates from different CAs reduces the impact of CA issues (compromise, OCSP problems, etc). It also allows you to have some ‘backup’ certificates signed by other CAs ready in case of issues with the main certificate or its issuer. I know at least a number of banks that do this.

Teun Vink
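As an added example (not part of the original question or either answer), the following Python script turns the two operational points raised on this page into a check you can run against a certificate inventory: the 90-day renewal window that the comments and the first answer describe, and the single-CA dependence that this answer warns about. The inventory, hostnames, dates and issuer names are constructed sample data in the shape returned by Python's `ssl.SSLSocket.getpeercert()`, so the script runs offline; in practice you would fill it from live handshakes or your certificate management database. The 30-day renewal window is an assumed default (Let's Encrypt suggests renewing its 90-day certificates after 60 days) and the 50% concentration threshold is an arbitrary policy choice.

```python
"""Expiry and CA-diversity report over a certificate inventory (added example).

Certificates are stored in the dict form returned by ssl.SSLSocket.getpeercert():
'notAfter' is an ASN.1 GeneralizedTime string and 'issuer' is a tuple of RDNs.
"""
import ssl
from collections import Counter
from datetime import datetime, timezone

# Constructed sample inventory: hostnames, dates and issuers are made up.
INVENTORY = {
    "www.example.com": {   # 90-day certificate, inside the renewal window
        "notBefore": "Jul 20 00:00:00 2022 GMT",
        "notAfter": "Oct 18 00:00:00 2022 GMT",
        "issuer": ((("countryName", "US"),), (("organizationName", "Let's Encrypt"),), (("commonName", "R3"),)),
    },
    "api.example.com": {   # 90-day certificate, recently renewed
        "notBefore": "Sep 2 00:00:00 2022 GMT",
        "notAfter": "Dec 1 00:00:00 2022 GMT",
        "issuer": ((("countryName", "US"),), (("organizationName", "Let's Encrypt"),), (("commonName", "R3"),)),
    },
    "mail.example.com": {  # renewal automation has evidently stalled
        "notBefore": "Jun 27 00:00:00 2022 GMT",
        "notAfter": "Sep 25 00:00:00 2022 GMT",
        "issuer": ((("countryName", "US"),), (("organizationName", "Let's Encrypt"),), (("commonName", "R3"),)),
    },
    "shop.example.com": {  # one-year certificate from a (fictional) commercial CA
        "notBefore": "Jul 1 00:00:00 2022 GMT",
        "notAfter": "Jul 1 00:00:00 2023 GMT",
        "issuer": ((("countryName", "GB"),), (("organizationName", "Example Commercial CA"),), (("commonName", "Example OV CA 1"),)),
    },
}


def issuer_org(cert):
    """Return the organizationName from a getpeercert()-style issuer tuple."""
    for rdn in cert["issuer"]:
        for key, value in rdn:
            if key == "organizationName":
                return value
    return "unknown"


def days_remaining(cert, now):
    """Whole days between `now` (tz-aware UTC) and the certificate's notAfter."""
    expires = datetime.fromtimestamp(ssl.cert_time_to_seconds(cert["notAfter"]), tz=timezone.utc)
    return (expires - now).days


def needs_renewal(cert, now, window_days=30):
    """True once the certificate is within `window_days` of expiry (or already expired)."""
    return days_remaining(cert, now) <= window_days


def renewal_report(inventory, now, window_days=30):
    """Map each host that needs renewal to its remaining days."""
    return {host: days_remaining(cert, now)
            for host, cert in inventory.items()
            if needs_renewal(cert, now, window_days)}


def issuer_share(inventory):
    """Fraction of the inventory issued by each CA organization."""
    counts = Counter(issuer_org(cert) for cert in inventory.values())
    total = sum(counts.values())
    return {org: n / total for org, n in counts.items()}


def single_ca_dependence(inventory, threshold=0.5):
    """CA organizations whose share of the inventory exceeds `threshold`."""
    return [org for org, share in issuer_share(inventory).items() if share > threshold]


if __name__ == "__main__":
    now = datetime(2022, 9, 18, tzinfo=timezone.utc)  # fixed 'today' for the sample data
    for host, days in sorted(renewal_report(INVENTORY, now).items()):
        print(f"RENEW {host}: {days} days left ({issuer_org(INVENTORY[host])})")
    for org, share in issuer_share(INVENTORY).items():
        print(f"issuer {org!r}: {share:.0%} of inventory")
    for org in single_ca_dependence(INVENTORY):
        print(f"WARNING: more than half of the inventory depends on {org!r}")
```

Running it on the sample data flags two hosts for renewal and warns that three quarters of the inventory chains to the same CA; the same two functions, fed a real inventory, give you the monitoring that makes 90-day certificates manageable and the measurement behind a CA-diversity policy.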