Wakefly BlogLet's Encrypt: Should You Stop Paying for SSL Certificates?

Anyone involved in websites or web marketing is likely aware by now that SSL is no longer an option. Long ago, “https://” was seen only on finance and e-commerce sites. In recent years, Google has led the charge to put increasing pressure on webmasters to use SSL, first by penalizing non-SSL sites in their search rankings and more recently by updating their nearly ubiquitous Chrome browser to display a scary “Not Secure” warning on non-SSL sites. Talk about a conversion killer. So, unless you’ve had your head under a rock, your site is using SSL and redirects all http:// traffic to https://.

If you’re most companies, you paid hundreds of dollars and went through a convoluted series of checks to prove that you really own your website. Generating the SSL certificate itself only takes a second or two (being generous) of computing time, so the product itself certainly does not justify the cost. Instead, you’re paying for the marketing done by the certificate authority to establish trust and the operational support involved in confirming customers actually own the domains they’re purchasing certificates for. And when you finally get through this process, you’ll find that certificate you purchased expires in a year or two. You’ll need to repeat the whole process not too far down the road, and that time span is just enough time for IT staff to change positions and billing information to expire, making this process newly painful each time.

Thankfully, there is a better way, and it’s called Let’s Encrypt.

In their own words, “Let’s Encrypt is a free, automated, and open Certificate Authority.” Let’s break that down.

Let’s Encrypt is free. This means you can get your SSL certificates without paying a dime. That’s pretty awesome, right? The organization behind Let’s Encrypt is a non-profit funded by a diverse set of contributing companies and smaller donations from those who benefit from its service. The organization behind Let’s Encrypt is the Internet Security Research Group (ISRG), whose mission is to “reduce financial, technological, and educational barriers to secure communication over the Internet.” So, while Let’s Encrypt will gladly accept your donations, there is no fee to use their service.

Let’s Encrypt is automated, and this is by far the best part. Rather than having to manually renew your SSL certificate every 1-3 years, Let’s Encrypt is built for automated renewal. Rather than lasting 1-3 years, Let’s Encrypt certificates only last 90 days. A small script installed on your web server automatically communicates with the Let’s Encrypt service every 60 days or so to renew your certificate. As long as this automated renewal happens successfully within 90 days, there is no manual intervention at all. Getting this script setup initially takes a bit of IT wrangling, but it’s not hard at all and is well worth the small investment of time and effort.

Finally, Let’s Encrypt is an open Certificate Authority. A certificate authority is an organization trusted to confirm that its certificates are issued to entities who own the property being secured. Let’s Encrypt does this using an automated process of placing a file generated by Let’s Encrypt on your website. If you can drop a file at a specific location on a website within a brief period of time, chances are you control that website, for better or worse. As for being “open”, Let’s Encrypt freely publishes all of the technical details of their service, and makes the public keys for all certificates generated available to anyone who wants to inspect them.

If you’ve been wondering whether Let’s Encrypt is too good to be true, unsuitable for business use, or only accessible to hardcore Linux sysadmins, think again. Hopefully, this article has convinced you to stop paying for your SSL certificates.