Hello,
I understand that Let's Encrypt is cost-free, but I'm wondering if it is still free when used for commercial purpose by our company, in combination with our own product to provide paid service to other companies? Are there any disclaimers or agreements to follow? Or limitations for such use?
Sincerely
As far as I know (but I'm not a lawyer nor an LE employee) there are very few limitations, i.e., you are allowed to ask money for a free LE certificate. But please see all the relevant legal documents at Policy and Legal Repository - Let's Encrypt
Thanks for your reply. I have read the legal documents and found no such limits, but I think further confirmation may be needed in case there is any omission or potential legal risk. Actually we need the certificate of Let's Encrypt as a combined service when providing paid service to our clients, so maybe, like you said, there are very few limitations.
From Subscriber Agreement:
3.6 Installation and Use of Your Certificate
[...]
You may reproduce and distribute Your Certificate on a nonexclusive and royalty-free basis.
You are allowed to give out certificates to your customers.
[...] You agree, that You will install Your Certificate only on servers that are accessible
at the subjectAltName(s) listed in Your Certificate.
You are allowed to use certificates on servers that process traffic for domains listed in the certificate.
[...] Your Certificate will remain the property of ISRG.
You are granted usage, but not ownership of the certificate. Therefore, you can't sell it. However, you can distribute it free of charge as part of another product (see above).
You agree that You will not use Your Certificate for:
(a) any purpose requiring fail-safe performance, such as the operation of public utilities or power
facilities, air traffic control or navigation systems, weapons systems, or any other systems, the
failure of which would reasonably be expected to lead to bodily injury, death, or property or
environmental damage; or
You are not allowed to use the certificate with a service that can't tolerate outages in areas of public or human safety.
(b) software or hardware architectures that provide facilities for interference with encrypted
communications, including but not limited to:
(1) active eavesdropping (e.g., monster-in-the-middle attacks); or
(2) traffic management of domain names or internet protocol addresses that You do not own
or control
You are not allowed to use the certificate to spy on encrypted traffic.
All in all, I think you can use Let's Encrypt commercially just fine (many companies do), as long as you don't sell a Let's Encrypt certificate as a product in itself.
A good basic answer is yes, you are allowed and even encouraged to use Let's Encrypt certificates in a commercial service and to make money using them.
If you're a hosting provider, the community will probably get annoyed at you if you charge your customers extra for HTTPS as opposed to HTTP, but that's not forbidden by Let's Encrypt's terms of service.
If Let's Encrypt works well for you, you can choose to donate to or sponsor it to ensure its continued availability and reliability for everyone. This isn't any kind of requirement, and you don't obtain a different tier of service by donating.
Well, according to your description, it will be fine for our company use, thanks very much for your reply.
That's very helpful, thanks a lot. Currently we're still in the planning stage to see if this is feasible, and may consider donating or sponsoring in the future for its continuous service.
Charging extra for a free certificate is indeed frowned upon mostly. The idea of Let's Encrypt of course is to encrypt the entire web, so from a Let's Encrypt point of view, a certificate should not be "opt-in", but come standard with the product. Asking for money separately defeats that purpose IMO.
The extra costs of maintaining the certificate infrastructure should be encompassed into the overall costs of the product.
Actually we do not ask money for the certificate provided by Let's Encrypt, since it is provided for free. Our product includes the service of Let's Encrypt, and we only charge for the other services provided by our company. If necessary, we could add a reminder to our product that the certificate is provided by Let's Encrypt for free. Would that be appropriate?
It doesn't sound necessary.
If you don't have a separate line item in the bill - specifically for an LE cert, you should be fine.
@shanice1 There is a now-historic list of "web hosting who support Let's Encrypt" at
If you look at the historic list, you can see dozens of companies that provide Let's Encrypt certificates as part of their paid hosting plans. This is normal and Let's Encrypt and the community are happy about it.
If what you're doing is in some way similar to what those dozens of companies are doing, Let's Encrypt and the community will probably be happy about it too!
We will not charge our customers for the LE certificate, thanks a lot.
Yeah we use it just like the other companies do, so maybe that is not a big problem, thanks very much for your help.
You agree that You will not use Your Certificate for:
(a) any purpose requiring fail-safe performance, such as the operation of public utilities or power
facilities, air traffic control or navigation systems, weapons systems, or any other systems, the
failure of which would reasonably be expected to lead to bodily injury, death, or property or
environmental damage; or
Surprised it does not include nuclear power stations, or installations dealing with nuclear power. Though public utilities or power facilities is a blanket term.
I remember Java (JDK) used to specifically include
Licensed Software is not designed or intended for use in the design, construction, operation or maintenance of any nuclear facility
It would be difficult to list every possible situation. Medical monitoring systems also come to mind. I think "such as" indicates those are examples not an exhaustive list.
And this is the blanket statement
The JDK included provisions about high-risk environments because their software would perhaps run the control system for said environment. Certificates are not software, however; they're more like a merit badge issued by a respected scout leader. Certificates do not provide encryption; they are used as part of one of the steps in providing trusted encryption.