Please enter CoinGecko Free Api Key to get this plugin works.

Partner links

4 Certificate Authorities to use with Let’s Encrypt SSL certificates

Let's Encrypt

Let’s Encrypt is a nonprofit Certificate Authority (CA) providing TLS certificates to, at the latest count, more than 260 million websites, this website included. You can read the whole history on the service’s Wikipedia page. The service started with Let’s Encrypt as it’s CA. Now the number of CAs has risen to 4. Here in this post, I name all 4 CAs that you can use with Let’s Encrypt SSL certificates.

Keep this in mind: Let’s Encrypt is supported by a nonprofit organization. The other CAs are commercial entities.


1. Let’s Encrypt

With the Let’s Encrypt CA, domain owners can issue SSL certificates for their domain with a lifetime of 90 days. configured to renew automatically, usually a month before expiration. All such certificates are free of of charge. It used to be the lone and, thus, the default CA, but that has changed. If your website’s certificate was recently renewed, you probably didn’t notice that the CA was switched to ZeroSSL, a very unpopular choice, as you’ll read further down. To switch back to Let’s Encrypt CA, use the command given in the following command. --set-default-ca  --server  letsencrypt


2. Buypass

Buypass is a Norwegian company that offers a broad range of consumer and enterprise security and digital identity services. Their TLS/SSL certificates are free for one or more domains, just like Let’s Encrypt’s. Buypass Go SSL, is the company’s SSL certificates issued using their Automated Certificate Management Environment (ACME) API, with a lifetime of 180 days. Note: I haven’t used the Buypass CA, so I’m relying on the info on their website. If your experience with their CA differs from what you just read, feel free to post a comment. To set the Buypass CA as the default, use the following command: --set-default-ca  --server buypass


3. (that’s the name of the company) offers free Let’s Encrypt TSL/SSL certificates with the same lifetime as that of a Let’s Encrypt CA, which is 90 days. The company is based in the US. More info about their TLS/SSL certificates with ACME is available here. Use the following command to set the CA as the default: --set-default-ca  --server sslcom


4. ZeroSSL

Like the Norway-based Buypass, ZeroSSL is based in Europe (UK and Austria) and offers a limited number of free TLS/SSL certificates with a lifetime of 90 days. If you recently renewed or issued a new Let’s Encrypt SSL certificate, ZeroSSL is now your default CA. The decision to switch default CA to ZeroSSL is obviously a business one for Let’s Encrypt, but it is bad for end users for this very simple reason: The number of free, 90-day certificates you can issue is capped at 3. A comparison of all the company’s offerings are available here. When I found out about the switch and read up on the company, I immediately switched back to using the Let’s Encrypt CA and deleted all mentions of ZeroSSL from the server. To switch from the ZeroSSL CA, simply execute the command given for one of the other CAs.


My recommendation

It’s obvious from the foregoing that I’m not in favor of the switch to the ZeroSSL CA as the default, so which of the other three would I recommend? I still use the Let’s Encrypt CA,

but Buypass’s certificates have a longer lifetime – 180 days, compared to 90 days for the other CAs
Given that these certs are auto-updated, is a longer lifetime really VIP to you? x
. When next I have to issue a new certificate or renew an existing one, I wouldn’t mind specifying Buypass as the CA.



Partner links

Newsletter: Subscribe for updates

Notify of
1 Comment
Inline Feedbacks
View all comments
2 years ago

The upside of using zerossl is that for a few you can make unlimited API calls to renew certificates. For companies with a lot of revenue, the safety of not being banned for accidentally making too many API calls is significant.
I’m a big fan of let’s encrypt, but it would be nice to have a more complete list of the pros and cons of each.
For proof of concept it probably doesn’t matter, for small and medium uses let’s encrypt is probably a good choice, for large or critical uptime uses zerossl with a fallback to let’s encrypt seems reasonable, and for really large uses you probably need to evaluate all of the competition to let’s encrypt.

Get the latest

On social media

Security distros

Linux distros for hacking and pentesting

Crypto mining OS

Distros for mining bitcoin and other cryptocurrencies

Crypto hardware

MSI GeForce GTX 1070
Installing Nvidia GTX 1070 GPU drivers on Ubuntu

Disk guide

Beginner's guide to disks & disk partitions in Linux

Bash guide

Bash shell terminal
How to set the PATH variable in Bash
Hya, what do you think? Please comment.x