Why would anyone pay for an SSL cert?


#1

This is kind of feedback but also a question.

Can someone explain to me who is still paying for SSL certificates? How are those businesses still making money?

Is there any benefit to spending $849 on something that is available for free?


#2

There are still a few reasons one might want to pay for an SSL cert:

  • You have legacy system(s) that don’t support auto-renew or have any sort of API to update the cert. (I’m thinking of the web UIs on network hardware, etc.) A two-year cert might be the simplest option for these types of devices, provided you have good documentation for when and how to update them.

  • You want EV for whatever reason - maybe customers or upper management insist on it. I personally don’t think EV is worth anything, but clearly there’s some demand for it.

  • You have to support client devices outside of your control that don’t ship the ISRG or DST roots. The recent thread about Amazon not supporting it for their app store comes to mind. It seems nuts, but if you need to support their store, I guess you’re stuck paying for now.

That said, $849/year for a DV wildcard is insane; even before LE existed we were paying much less than that for our wildcard. If you do need a longer-lived DV wildcard that chains to a “more established” root, you can get a RapidSSL cert for less than 10% of that from a reseller.


#3

Thanks, that's a really good summary.

I just also had in mind that it costs LE about $0.02 per issued certificate ($2.91M expenses for 2017 / 100M issued certs), so the first thing I think about is “where does that money go” when I see a wildcard at RapidSSL also costs about $250.
Of course, EV is something different as there is work involved.


#4

Personally speaking

I would imagine a CA like Comodo / Globalsign would have a much larger staff base than Let’s Encrypt… (also note that Let’s Encrypt’s support is community based… so for other CAs, there are support staff salaries as well)


#5

Hi @jansch

In summer 2016, I bought my last wildcard certificate. Valid 3 years, it’s still active.

Generating the CSR, upload it, get a mail, click the link, get the certificate, install it. Then forget it 2 years, 11 months, then check it again.

Letsencrypt is new; certificates have been available since the end of 2015, which is a short time. Wildcard certificates have been available since 2018-03…

And you must have the tools to manage the automation. But a wildcard certificate needs DNS validation, so your DNS provider must have an API. And the automation must get a username and password.

There are surely a lot of organisations where such things are complicated. Buying a certificate and using it 2 years without any other trouble may be the easier version.


#6

Thanks Jürgen, that actually makes sense to me… Haven’t thought of such cases!


#7

…unless you use acme-dns…