Is there a reason to use an SSL certificate other than Let’s Encrypt’s free SSL?

Certificate lifespan

Security

Shorter lifespan is better. Simply because revocation is mostly theoretical, in practice it cannot be relied on (big weakness in the public PKI ecosystem).

Management

Without automation: Longer lifespan is more convenient. LE may not be feasible if you, for whatever reason, cannot automate the certificate management
With automation: Lifespan doesn’t matter.

End-user impression

End-users are unlikely to have any idea one way or another.

Level of verification

Security

Letsencrypt provides DV level of verification only.
Buying a cert you get whatever you pay for (starting at DV, with the same level of assertion as with LE).

DV = only domain name control is verified.
OV = owner entity (organization) information is verified in addition.
EV = more thorough version of OV, which has traditionally been awarded with the “green bar” (but the “green bar” appears to be going away soon).

Management

When using LE, the work you put in is setting up the necessary automation (in this context, to prove domain control). How much work that is will depend on your environment.

When buying a cert the DV/OV/EV level will define how much manual work will be required to get the cert. For DV it typically boils down going through a wizard paying and copy/pasting something or clicking something, for OV and EV you can pretty much count on needing to be contacted separately to do additional steps to confirm your identity.

End-user impression

End-users probably recognize the current EV “green bar” (which is going away), other than that they don’t tend to actually look at the certificate contents.
Theoretically, though, it is clearly more helpful with a certificate that states information about the controlling entity. But browsers (or other client applications) need to start actually showing this in a useful way before that has any effect for the typical user.

Installation

Security

It is possible to do things incorrectly in ways that expose private keys or similar.
With LE, the provided tooling is set up around reasonable practices.
With a person who knows what they are doing, manual steps can obviously also be done securely.

Management

LE is very much intended to have all processes automated, their service is entirely API-based and the short lifespan also reflects how everything is centered around automation.

When buying a cert, even with a CA that provides APIs to regular customers (not really the norm at this point) it will be difficult to properly automate anything other than DV and with DV you are paying for essentially the same thing that LE provides.
If you are going for OV or EV levels, you can probably only partially automate the process.

End-user impression

If the installation is done correctly, the end-user will obviously not know how it was done. The chances of messing things up (eg, forgetting to renew or doing the installation incorrectly when renewing) are less with an automated process.

Overall

Traditional means of buying certs are particularly useful if you desire OV/EV certs, are not automating certificate management or want certs used in some other context than HTTPS.

Related Posts:

  1. What is .crt and .key files and how to generate them?
  2. NET::ERR_CERT_REVOKED in Chrome, when the certificate is not actually revoked
  3. How to generate a self-signed SSL certificate using OpenSSL?
  4. Java: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
  5. What exactly is cacert.pem for?
  6. How to disable cURL SSL certificate verification
  7. Java Keytool error after importing certificate , “keytool error: java.io.FileNotFoundException & Access Denied”
  8. Displaying a remote SSL certificate details using CLI tools
  9. how to download the ssl certificate from a website?
  10. Does each subdomain need it’s own SSL certificate?
  11. Generating a self-signed cert with openssl that works in Chrome 58
  12. How to install OpenSSL in windows 10?
  13. curl: (60) SSL certificate problem: unable to get local issuer certificate
  14. Received fatal alert: handshake_failure through SSLHandshakeException
  15. Convert .pem to .crt and .key
  16. Received fatal alert: handshake_failure through SSLHandshakeException
  17. HTTPS connection Python
  18. SSL_ERROR_BAD_CERT_DOMAIN
  19. CFNetwork SSLHandshake failed iOS 9
  20. OpenSSL: unable to verify the first certificate for Experian URL
  21. Caused by: java.security.UnrecoverableKeyException: Cannot recover key
  22. “The underlying connection was closed: An unexpected error occurred on a send.” With SSL Certificate
  23. ERR_SSL_CLIENT_AUTH_SIGNATURE_FAILED in Google Chrome
  24. urllib and “SSL: CERTIFICATE_VERIFY_FAILED” Error
  25. Python requests SSL error – certificate verify failed
  26. Getting error in Curl – Peer certificate cannot be authenticated with known CA certificates
  27. How do you sign a Certificate Signing Request with your Certification Authority?
  28. WordPress wp-admin https redirect loop
  29. Howto force SSL for all requests?
  30. Local version of a WordPress site – SSL/HTTPS enforced?
  31. Images causing Mixed Content with SSL
  32. bloginfo() and get_template_directory_uri() with SSL?
  33. Favicon causes mixed content warning over SSL
  34. Adding https to wordpress website
  35. Enabling SSL on wordpress results in 404
  36. SSL setup: wp-login css doesn’t load over httpS
  37. Separating HTTP and HTTPS content with WordPress, Varnish, and an SSL terminator?
  38. Divert http to https with WordPress on IIS
  39. WordPress : To load all asset files coming from HTTP to HTTPS?
  40. XML asset fails to load using https
  41. Search and replace http:// links to https:// to get the green padlock
  42. I changed my site from HTTPS back to HTTP and now it is broken- Cannot access Admin panel on HTTP URL
  43. un-loading https
  44. How to set up HTTPS WordPress from Install Step?
  45. wp_remote_get – curl error 28 connection timed out – using SANS in URL
  46. SSL certificate error on Google Chrome , IE [closed]
  47. How do I set up a local version of my https wordpress site for testing and development using MAMP
  48. Address a single page to SSL https secure protocol?
  49. WordPress + SSL + Varnish + Pound
  50. Jetpack “Connect to WordPress” serving insecure content under HTTPS
  51. Website access with http and https
  52. Redirect the whole blog to SSL but not the RSS feed (under Nginx)
  53. How to control SSL in WordPress for automatically changing http to https?
  54. Site not reachable due to change from HTTP to HTTPS [closed]
  55. All content is HTTPS, but browsers warn of HTTP mixed content [closed]
  56. How do I handle SSL properly when WP is behind a reverse proxy?
  57. Hi do I change Media files that still show as http after installing ssl
  58. Errors on a single host using wp_remote_get() unless sslverify is set to false
  59. How to keep WP from using https to get to wordpress.org?
  60. SSL doesn’t work on certain pages – what is wrong?
  61. WordPress site shown as Not Secure on Chrome when SSL certificate is valid
  62. Self signed certificate issue with WooCommerce rest api connection
  63. ERR_TOO_MANY_REDIRECTS on wordpress page [closed]
  64. Disable WordPress accessing WordPress.org to check for updates
  65. How to protect login via SSL but not the rest of the dashboard
  66. ERR_CONNECTION_REFUSED
  67. The REST API request failed due to an error. cURL error 60: SSL certificate problem: certificate has expired
  68. Do I install WordPress from my Cpanel on https or http, if my website has valid certificate?
  69. SSL not working fine, Home url not matching with site url wordpress errors
  70. Website Migration (with https) to a new domain(http)
  71. How to move my local wordpress to https?
  72. Why does WordPress uses HTTPS for JS, CSS on EC2
  73. ERR_SSL_PROTOCOL_ERROR
  74. WordPress – SSL not working – browser console error “Mixed Content” and “Failed to load resource”
  75. Implications of not completing all tasks when switching to HTTPS
  76. Update not working after installing up SSL
  77. SSL Certificate
  78. Front-end pages messed up due to HTTPS
  79. How to send user data from one website to another
  80. How come all my http URLs are turned to https?
  81. site on subdomain is redirecting to main site after installing wildcard ssl cert on both
  82. Forcing SSL (Bad Theme coding)
  83. WordPress Insecure Content
  84. SSL certificate breaks CSS (in combination with W3TC)
  85. I would like to add ssl certificate to my already existing wordpress site
  86. My WordPress site SSL is in red crossed color and can’t load at first time?
  87. SSL/HTTPS Redirect Loop
  88. Adding SSL certificate to the front end of my site
  89. iHow to redirect all http traffic to https now that a SSL certificate is added?
  90. Moving WordPress from http to https over existing site
  91. Issue when site move from ssl domain to new domain without ssl
  92. How to view all ssl certificates in a bundle?
  93. SSL Certificate Location on UNIX/Linux
  94. Wildcard SSL certificate for second-level subdomain
  95. How do I clear Chrome’s SSL cache?
  96. Properly setting up a “default” nginx server for https
  97. Does each server behind a load balancer need their own SSL certificate?
  98. Best location to keep SSL certificates and private keys on Ubuntu servers?
  99. Changing my URL in General Settings cause the site to crash
  100. wordpress is auto using http: not https: as it needs to because the server is http behind a reverse proxy https, how do I stop it?

Leave a Comment