Why should I use any other SSL certificates anymore?


#1
  1. Now that I can get free letsencrypt.org certificates, what reason do I have anymore to buy something like PositiveSSL certificates from Namecheap?

  2. Is this thing going to put all the paid certificate providers out of business, or is there more to it than that (just wondering if I’m missing something basic)?


#2

You never had a reason to do that anyway, FWIW. StartSSL and WoSign have been free for quite a while.


#3

Criteria also involve your visitors’ OS/browser profile support for Letsencrypt-issued certificates. LE SSL certs don’t support WinXP < or > SP3, so if you have a sizable portion of WinXP visitors, then LE SSL certs might not be for you.

Then again, other paid SSL certs may not support WinXP < SP3 either, as all SSL certs are sha256-based now.

You can see this thread, Which browsers and operating systems support Let's Encrypt, as well as an example of how I use Google Analytics to break down my OS and browser profiles for visitors to determine if a particular site of mine is suited to particular SSL certificates and/or SSL cipher preferences that include or exclude WinXP: https://community.centminmod.com/posts/21440/.


#4

(about 1.)
Additionally, note that there are different types of certificates. The ones LE issues are domain-validated (DV) certs (as you indicated, some CAs call this “PositiveSSL”). Certs like OV (organisation-validated) or EV (extended validation) are not issued by LE and also will not be issued in the future, because you just cannot automate this. So this is what other CAs can still do.
Note that only EV certs practically make a difference to the user, because they are the only ones that show the big green bar with the company name in the browser window.

There are no more reasons for buying DV certs. Some other (commercial) CAs also seem to have noticed it, because it is said that at least 2 major CAs will also offer free DV certs in the near future.
Basically this means: Encryption for everyone! - And this is what LE aims at.

(about 2.)
As I said, EV certs can still be sold, so this is still possible for commercial CAs. Additionally, as LE does not support wildcard certs, this is also a type of cert which can be sold.
So it is not that all CAs do not have any possibility to get revenue anymore, but they may not be able to do it with simple domain validations (which only take a few seconds and require no human interaction, as you can see at LE) anymore.


#5

One reason not to use Let’s Encrypt certificates is where certificate authentication is used (for example client-side SSL authentication or VPNs). If only users possessing a valid and current certificate are allowed to connect, accepting Let’s Encrypt in this situation would mean letting anyone in.


#6

Client certificates issued for users are usually self-signed certs anyway. Or the server - which issued them - self-signs them. So this has nothing to do with LE.


#7

I have seen (mis)configured VPN installations that accepted certificates from commercial CAs. That was probably not intended. I agree that one probably might not want to use any CA not under one’s control, including Let’s Encrypt.


#8

Accepted commercial certs as client certs for a user? In this case that’s indeed a problem. But it is entirely the problem of the VPN service.
And this does not matter for Let’s Encrypt in any way. This is a vulnerability in the VPN service and you should probably report it to these VPN services, but for LE it does not matter. Unless these VPN providers really want to do this - which would be a bit stupid, as you already said.


#9

I think I understood the original post wrong - I gave the example answer to the question “What would I not use Let’s Encrypt for” (or any other public CA for that matter) instead of “What are the situations when I might use another public CA instead of Let’s Encrypt”. Thanks @rugk!