Let’s Encrypt is a nonprofit Certificate Authority (CA) providing TLS certificates to, at the latest count, more than 260 million websites, this website included. You can read the whole history on the service’s Wikipedia page. The service started with Let’s Encrypt as its CA. Now the number of CAs has risen to 4. In this post, I name all 4 CAs that you can use with Let’s Encrypt SSL certificates.
Keep this in mind: Let’s Encrypt is supported by a nonprofit organization. The other CAs are commercial entities.
1. Let’s Encrypt
With the Let’s Encrypt CA, domain owners can issue SSL certificates for their domain with a lifetime of 90 days, configured to renew automatically, usually a month before expiration. All such certificates are free of charge. It used to be the lone and, thus, the default CA, but that has changed. If your website’s certificate was recently renewed, you probably didn’t notice that the CA was switched to ZeroSSL, a very unpopular choice, as you’ll read further down. To switch back to the Let’s Encrypt CA, use the following command.
acme.sh --set-default-ca --server letsencrypt
2. Buypass
Buypass is a Norwegian company that offers a broad range of consumer and enterprise security and digital identity services. Their TLS/SSL certificates are free for one or more domains, just like Let’s Encrypt’s. Buypass Go SSL is the company’s line of SSL certificates, issued using their Automated Certificate Management Environment (ACME) API, with a lifetime of 180 days. Note: I haven’t used the Buypass CA, so I’m relying on the info on their website. If your experience with their CA differs from what you just read, feel free to post a comment. To set the Buypass CA as the default, use the following command:
acme.sh --set-default-ca --server buypass
3. SSL.com
SSL.com (that’s the name of the company) offers free Let’s Encrypt TLS/SSL certificates with the same lifetime as that of a Let’s Encrypt CA, which is 90 days. The company is based in the US. More info about their TLS/SSL certificates with ACME is available here. Use the following command to set the SSL.com CA as the default:
acme.sh --set-default-ca --server sslcom
4. ZeroSSL
Like the Norway-based Buypass, ZeroSSL is based in Europe (UK and Austria) and offers a limited number of free TLS/SSL certificates with a lifetime of 90 days. If you recently renewed or issued a new Let’s Encrypt SSL certificate, ZeroSSL is now your default CA. The decision to switch the default CA to ZeroSSL is obviously a business one for Let’s Encrypt, but it is bad for end users for this very simple reason: The number of free, 90-day certificates you can issue is capped at 3. A comparison of all the company’s offerings is available here. When I found out about the switch and read up on the company, I immediately switched back to using the Let’s Encrypt CA and deleted all mentions of ZeroSSL from the server. To switch from the ZeroSSL CA, simply execute the command given for one of the other CAs.
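Because a default-CA change is easy to miss at renewal time, it helps to check which CA each certificate is actually tied to. The script below is an added example, not part of the original post or of acme.sh itself. It assumes acme.sh's on-disk layout (DEFAULT_ACME_SERVER in account.conf, Le_API in each per-domain .conf) and the directory URLs shown; the a.example and b.example entries are constructed sample data.

```shell
# Added example: list acme.sh certificates whose CA is not the one you expect.
# Assumed layout: <home>/account.conf holds DEFAULT_ACME_SERVER='<url>' and
# <home>/<domain>[_ecc]/<domain>.conf holds Le_API='<url>'.

# Map an ACME directory URL or acme.sh short name to a CA label.
# zerossl is tested before ssl.com because "zerossl.com" contains "ssl.com".
ca_name() {
    case "$1" in
        "")                echo unset ;;
        *letsencrypt*)     echo letsencrypt ;;
        *zerossl*)         echo zerossl ;;
        *buypass*)         echo buypass ;;
        *ssl.com*|sslcom*) echo sslcom ;;
        *)                 echo other ;;
    esac
}

# conf_value KEY FILE: print the last KEY=value in FILE, quotes stripped.
conf_value() {
    sed -n "s/^$1=['\"]\{0,1\}\([^'\"]*\)['\"]\{0,1\}\$/\1/p" "$2" 2>/dev/null | tail -n 1
}
# default_ca HOME: CA label stored by --set-default-ca.
default_ca() { ca_name "$(conf_value DEFAULT_ACME_SERVER "$1/account.conf")"; }

# audit_cas HOME EXPECTED: print "certdir ca" per mismatch; return 1 if any.
audit_cas() {
    rc=0
    for conf in "$1"/*/*.conf; do
        [ -f "$conf" ] || continue
        dir=$(basename "$(dirname "$conf")")
        # Only <domain>.conf is the certificate config; skip <domain>.csr.conf.
        [ "$(basename "$conf" .conf)" = "${dir%_ecc}" ] || continue
        ca=$(ca_name "$(conf_value Le_API "$conf")")
        [ "$ca" = "$2" ] || { echo "$dir $ca"; rc=1; }
    done
    return $rc
}

# make_sample DIR: constructed sample data (not from a real server).
make_sample() {
    mkdir -p "$1/a.example" "$1/b.example_ecc"
    echo "DEFAULT_ACME_SERVER='https://acme.zerossl.com/v2/DV90'" > "$1/account.conf"
    echo "Le_API='https://acme-v02.api.letsencrypt.org/directory'" > "$1/a.example/a.example.conf"
    echo "Le_API='https://acme.zerossl.com/v2/DV90'" > "$1/b.example_ecc/b.example.conf"
    echo "[req]" > "$1/a.example/a.example.csr.conf"
}
sample=$(mktemp -d) && make_sample "$sample"
echo "default CA: $(default_ca "$sample")"
audit_cas "$sample" letsencrypt || echo "certificates above are not from letsencrypt"
```

Against a real installation, point audit_cas at the acme.sh home directory (by default ~/.acme.sh) and pass the CA you intend to use.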
My recommendation
It’s obvious from the foregoing that I’m not in favor of the switch to the ZeroSSL CA as the default, so which of the other three would I recommend? I still use the Let’s Encrypt CA,
The upside of using ZeroSSL is that for a few you can make unlimited API calls to renew certificates. For companies with a lot of revenue, the safety of not being banned for accidentally making too many API calls is significant.
I’m a big fan of Let’s Encrypt, but it would be nice to have a more complete list of the pros and cons of each.
For proof of concept it probably doesn’t matter, for small and medium uses Let’s Encrypt is probably a good choice, for large or critical uptime uses ZeroSSL with a fallback to Let’s Encrypt seems reasonable, and for really large uses you probably need to evaluate all of the competition to Let’s Encrypt.