Only thing I'd add to that linked explanation is that the issuance of the certificate isn't the end of resources Let's Encrypt has to use: Each certificate has to have Online Certificate Status Protocol information generated and signed every few days until the certificate reaches the expiry date, whether it is revoked or valid. Every certificate issued consumes finite signing resources by the hardware security modules for these OCSP responses across its whole 90-day lifespan.
3 Likes