Let's Encrypt SSL certificate overview

Let's Encrypt is a new Certificate Authority (CA) that offers FREE SSL certificates that are just as secure as paid certificates. This project was pioneered to make encrypted connections the default standard throughout the Internet.

The 'Let's Encrypt' project is a large step forward for security and privacy on the Internet.

Benefits
Key benefits of using a Let’s Encrypt SSL certificate:

1. 1. It's free – Anyone who owns a domain can obtain a trusted certificate for that domain at zero cost.
   2. It's automatic – The entire enrolment process for certificates occurs painlessly during the server’s native installation or configuration process. The renewal occurs automatically in the background.
   3. It's simple – There's no payment, no validation emails, and certificates renew automatically.
   4. It's secure – Let’s Encrypt serves as a platform for implementing modern security techniques and best practices.

Difference between a free Let's Encrypt certificate and a paid Sectigo certificate

There is no difference in the encryption protection these certificates offer. However, 'Let's Encrypt' certificates only provide domain validation (DV) certificates. 'Let's Encrypt' certificates do not support Organizational Validation (OV) certificates. View the following link for further details: https://letsencrypt.org/docs/faq/

What's the difference?

• • (DV) certificates can only ensure a secure connection to the website. Anyone with admin rights to the website's panel can add a 'Let's Encrypt' certificate. After adding in the panel, the certificate is added automatically.
    
    
    
  • (OV) certificates validate everything a (DV) does, while also validating additional organizational information about who is purchasing the certificate such as their Name, City, State, Country. (OV) certificates may require the user to respond to an email with a verification code which must then be entered into Sectigo's website. However, this depends on how the DCV process verifies the certificate.

If your website is a business that's processing credit cards or transmitting sensitive information (such as an eCommerce site), or has a user login section, you should only use a paid GeoTrust certificate. This helps your users ensure the connection is valid and secure.

Simple websites that need the same level of encryption without the absolute guarantee of ownership can continue to use a 'Let's Encrypt' certificate.

Although DV and OV certificates offer the same level of encryption as OV certs, DV certificates do not display the actual site name within the certificate, meaning visitors are not able to validate the certificate by viewing it. Additionally, these are potentially vulnerable to phishing attacks. For example, a malicious user could create a similar site with a DV certificate to create a forged copy of your online store. For these reasons, DV certificates are not recommended for eCommerce sites that process payment information. 

 
Rate limits

'Let's Encrypt' has set up rate limitations to help protect their servers. Limits are as follows:

1. 1. Names/Certificate – Limit on how many domain names you can include in a single certificate. This is currently limited to 100 names, or websites, per certificate issued. Certificates per domain you could run into through repeated re-issuance. This limit measures certificates issued for a given combination of Public Suffix + Domain (a "registered domain").
   2. Registrations/IP address – Limits the number of registrations you can make in a given time period; currently 10 per IP address every 3 hours. This limit should only affect the largest users of Let's Encrypt.
   3. Pending Authorizations/Account – Limits how many times an ACME client can request a domain name be authorized without actually fulfilling the request itself. This is most commonly encountered when developing ACME clients, and this limit is set to 300.

FAQs 

How long is the certificate valid?
SSL certificates generated by Let's Encrypt automatically renew every 60 days. This is for two reasons as stated on their blog post:

1. 1. They limit damage from key compromise and mis-issuance since stolen keys and mis-issued certificates are valid for a shorter period of time.
   2. They encourage automation, which is absolutely essential for ease of use. This takes the burden off system administrators to manually handle renewals. Once issuance and renewal are automated, shorter lifetimes won’t be any less convenient than longer ones.
2.  
   If your site's Let's Encrypt certificate expires without successfully renewing, please contact support.

 
What level of encryption is available?
RSA-signed using 4096-bit RSA keys.

 
Are wildcard certificates available for use?
No. Although 'Let's Encrypt' offers wildcard certificates, it is currently not possible to use them at DreamHost. If you need SSL certificates on your subdomains, you must enable them individually.

 
What browsers support Let's Encrypt certs?
Certificates are trusted in all major browsers. View the blog post here:

https://letsencrypt.org/2015/10/19/lets-encrypt-is-trusted.html

 
What should I do if my Let's Encrypt order is pending for more than a few hours?
Let's Encrypt orders should complete automatically within 10-30 minutes, although occasionally this can process can sometimes take longer. If your order has been pending for longer than 2-4 hours, you should contact support.