What's the difference between Let’s Encrypt and a traditional CA?

Let’s Encrypt is automated (unlike most CAs), so you can get and install the certificate without significant human intervention, probably in under a minute. Let’s Encrypt is also not-for-profit and doesn’t charge fees for issuing a certificate (unlike most CAs), so you can get the certificates without paying for them.

Our certificates will be Domain Validated (DV) certificates, which some other CAs issue. With DV certificates, we don’t validate the legal or offline identity of the certificate applicant.

We aim to have good security practices on par with and in line with industry standards, and we hope over time to have extra security precautions in terms of validation that many other CAs don’t have today. We will use the CAA protocol to allow domains to request that we not issue certs for them. We also plan to be much more transparent than many existing CAs in terms of publicly disclosing what certificates we’ve issued through systems like Certificate Transparency.

We also have a precaution that other DV CAs generally don’t, where we won’t issue a certificate for a domain name that has an existing cert from another CA unless the applicant can prove that they control the key that’s the subject of the existing cert. So for example, if there were an existing domain like example.com that had an existing and valid cert in use from Example CA, we would not be willing to issue a new cert for example.com unless the applicant could prove that they had the key that was the subject of the cert issued by Example CA.

4 Likes