Is Let's Encrypt safe? The "free means less secure" misconception
It's one of the most persistent myths in TLS. It borrows an intuition from physical goods — more expensive is better — that simply doesn't apply to certificates. A browser either trusts a CA's root certificate or it doesn't. There is no middle ground, no "more trustworthy" tier. Let's Encrypt's roots (ISRG Root X1/X2) are in every major root store: Chrome, Firefox, Safari, Edge, iOS, Android, Windows and macOS. A DV certificate from Let's Encrypt delivers exactly the same encryption and the same padlock as a certificate costing hundreds of euros.
If anything, history points the other way. The CAs that have been distrusted by browsers were almost all large, expensive "premium" providers: Symantec (distrusted by Google and Mozilla in 2018 after widespread misissuance) and Entrust (distrusted by Chrome in 2024 after repeated compliance failures). Let's Encrypt, by contrast, has a clean record. Price is not a measure of trust.
The three validation levels
The real difference between certificates isn't "cheap vs. expensive" — it's what the CA verifies before issuing:
| Level | What's verified | Visible to visitors | Wildcard |
|---|---|---|---|
| DV (Domain Validation) | Control of the domain | No (same padlock) | Yes |
| OV (Organization Validation) | Domain + that the organization exists | Only in certificate details | Yes |
| EV (Extended Validation) | Thorough legal vetting of the company | No (green address-bar badge removed in 2019) | Typically no |
Note the most important change: EV no longer shows the company name in the address bar. Every major browser removed the "green company name" around 2019 because studies showed users never noticed it. The trust signal you used to pay for has effectively disappeared.
The major CAs — pros and cons
- Let's Encrypt — free, DV, 90-day lifetime, full ACME automation. Pro: ubiquitous, free, automation-first, clean record. Con: DV only, no support SLA, short lifetime requires ACME automation.
- ZeroSSL — free + paid, DV/OV/EV, ACME support. Pro: ACME and OV/EV options, support tiers. Con: limits on the free tier.
- Google Trust Services — free, DV, ACME (via Google Cloud). Pro: backed by Google, full automation. Con: DV only; most convenient inside the GCP ecosystem and less so elsewhere.
- Buypass (Norway/EU) — free + paid, ACME, EU-based. Pro: European CA, ACME, a good fit where EU sovereignty matters. Con: less widely adopted than the global players.
- DigiCert — premium, OV/EV, warranty, enterprise support. Pro: strong in enterprise procurement, human support, OV/EV. Con: expensive; technically no extra browser trust over DV.
- Sectigo (formerly Comodo) — broad DV/OV/EV range, cheaper than DigiCert. Pro: flexible product range, competitive pricing. Con: mixed brand history from the Comodo era.
- GlobalSign / Entrust — established enterprise CAs with OV/EV plus IoT and document signing. Pro: broad portfolio, EU presence. Con: expensive — and Entrust is a concrete example that "established and expensive" doesn't guarantee trust (distrusted by Chrome in 2024).
When a paid CA actually makes sense
There are genuine reasons — they're just never about "more security":
- Procurement or enterprise requirements that explicitly demand OV (company name in the certificate).
- Compliance in regulated industries (finance, healthcare, certain public-sector environments).
- Warranty and support SLA if you need someone to call when things break.
- eIDAS / QWAC for specific EU regulatory requirements such as PSD2 — a genuine but narrow use case.
Bonus: lock down who can issue for your domains
Whichever CA you choose, you should restrict which CAs are allowed to issue certificates for your domains at all. You do this with a CAA record in your DNS — a simple safeguard against any CA (or an attacker) issuing a certificate in your name.
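To make the CAA semantics concrete, here is an added example (not CertControl's code) that evaluates whether a given CA may issue for a name under a zone's CAA policy as described in RFC 8659. The zone data is constructed inline; a real check reads it from DNS. The lookup simply climbs the name tree from the requested name to the root and uses the first CAA RRset it finds (CNAME/DNAME following is left out), and the `*.` label of a wildcard request is stripped before the lookup. Two points worth seeing in code: a bare `;` value permits no CA at all, and `issuewild` overrides `issue` for wildcard requests only. Keep in mind that CAA is consulted by the CA at issuance time; browsers never check it.

```python
"""Evaluate whether a CA may issue for a name under a zone's CAA policy (RFC 8659).

Added example, not CertControl's code. SAMPLE_ZONE is constructed; real CAA data
comes from DNS. CNAME/DNAME following is omitted: the lookup climbs the name tree
from the requested name to the root and uses the first CAA RRset found.
"""
from dataclasses import dataclass

CRITICAL_FLAG = 128          # "issuer critical" bit in the CAA flags byte
KNOWN_TAGS = {"issue", "issuewild", "iodef"}


@dataclass(frozen=True)
class CAARecord:
    flags: int
    tag: str
    value: str

    def presentation(self, owner: str) -> str:
        """Zone-file line, e.g. 'example.com. IN CAA 0 issue "letsencrypt.org"'."""
        return f'{owner}. IN CAA {self.flags} {self.tag} "{self.value}"'


def relevant_rrset(zone: dict, name: str) -> list:
    """Climb from name towards the root; the first CAA RRset found governs."""
    labels = name.lower().rstrip(".").split(".")
    while labels:
        rrset = zone.get(".".join(labels))
        if rrset:
            return rrset
        labels.pop(0)
    return []


def issuer_domain(value: str) -> str:
    """The issuer-domain-name before any ';' parameters; '' (a bare ';') permits no CA."""
    return value.split(";", 1)[0].strip().lower()


def caa_permits(zone: dict, requested_name: str, ca_domain: str) -> bool:
    """True if the CA identified by ca_domain may issue a certificate for requested_name."""
    wildcard = requested_name.startswith("*.")
    base = requested_name[2:] if wildcard else requested_name
    rrset = relevant_rrset(zone, base)

    # A critical property the CA does not understand forbids issuance.
    if any(r.flags & CRITICAL_FLAG and r.tag.lower() not in KNOWN_TAGS for r in rrset):
        return False

    issue = [r for r in rrset if r.tag.lower() == "issue"]
    issuewild = [r for r in rrset if r.tag.lower() == "issuewild"]
    # Wildcard requests are governed by issuewild when present, otherwise by issue.
    governing = issuewild if (wildcard and issuewild) else issue
    if not governing:
        return True  # no applicable property anywhere up the tree: any CA may issue
    return any(issuer_domain(r.value) == ca_domain.lower() for r in governing)


# Constructed sample zone: Let's Encrypt may issue ordinary certificates for example.com
# and below, nobody may issue wildcards, and nothing may be issued under internal.example.com.
SAMPLE_ZONE = {
    "example.com": [
        CAARecord(0, "issue", "letsencrypt.org"),
        CAARecord(0, "issuewild", ";"),
        CAARecord(0, "iodef", "mailto:security@example.com"),
    ],
    "internal.example.com": [CAARecord(0, "issue", ";")],
}

if __name__ == "__main__":
    for owner, rrset in SAMPLE_ZONE.items():
        for r in rrset:
            print(r.presentation(owner))
    for name, ca in [("www.example.com", "letsencrypt.org"),
                     ("www.example.com", "digicert.com"),
                     ("*.example.com", "letsencrypt.org"),
                     ("db.internal.example.com", "letsencrypt.org")]:
        print(f"{ca:16} -> {name:26} permitted={caa_permits(SAMPLE_ZONE, name, ca)}")
```

Running it prints the three zone-file lines you would actually publish and then the verdict for each request. The `iodef` record is the part most people forget: it tells a compliant CA where to report a request that the policy rejected, which is exactly the "unexpected certificate" signal you want to receive.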
Conclusion
For the vast majority — wildcard certificates included — Let's Encrypt is the right choice: just as secure, just as trusted, free, and built for automation. The only real reason to choose a different CA is a specific requirement from a customer, a tender or a regulation — not a general feeling that something more expensive is more trustworthy. And because the whole industry is moving toward shorter certificate lifetimes, automation matters more than the choice of CA.
And whichever CA you use, what matters is the same: knowing where your certificates are, when they expire, and whether unexpected certificates appear for your domains. That's exactly what CertControl monitors — across every CA you use.
Frequently asked questions
Is Let's Encrypt safe enough for production?
Yes. Let's Encrypt is as secure and as widely trusted as any paid CA — its roots are in every major browser and operating system. The difference between a free and a paid CA is the validation level (DV vs. OV/EV) and support, not encryption or trust.
Is a paid certificate more secure than a free one?
No. The encryption and browser trust are identical. A paid OV/EV certificate adds verification of your organization in the certificate details — not stronger security. EV no longer shows the company name in the browser.
When should we choose a paid CA?
When a specific requirement demands it: a tender or enterprise customer that requires OV, compliance in a regulated industry, a need for warranty or a support SLA, or eIDAS/QWAC. Otherwise Let's Encrypt is the right choice.
Can I get a wildcard certificate from Let's Encrypt?
Yes — for free, via a DNS-01 challenge. Remember that a wildcard groups every subdomain under a single private key, so weigh the blast radius before using it broadly.
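To show why a wildcard requires DNS control rather than a file on a web server, here is an added example (not Let's Encrypt's client code and not CertControl's) that derives the `_acme-challenge` TXT record an ACME client publishes for a DNS-01 challenge, following RFC 8555 and the JWK thumbprint rules of RFC 7638. The account key and token are constructed placeholders, not real values; a real client uses its ACME account key and the token from the CA's challenge object. Note how the `*.` label is dropped from the record name: control of `example.com`'s DNS is what authorizes `*.example.com`.

```python
"""Derive the DNS-01 challenge record an ACME client publishes (RFC 8555, RFC 7638).

Added example, not Let's Encrypt's or CertControl's code. SAMPLE_ACCOUNT_JWK is a
constructed, non-functional key used only to show the computation; SAMPLE_TOKEN is a
placeholder for the token the CA sends in the challenge object.
"""
import base64
import hashlib
import json


def b64url(data: bytes) -> str:
    """Base64url without '=' padding, as ACME requires for every encoded field."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


# RFC 7638: the thumbprint covers only the required public members of each key type.
REQUIRED_MEMBERS = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}


def canonical_jwk_json(jwk: dict) -> str:
    """Required members only, lexicographically ordered, no whitespace."""
    members = REQUIRED_MEMBERS[jwk["kty"]]
    return json.dumps({k: jwk[k] for k in members}, sort_keys=True, separators=(",", ":"))


def jwk_thumbprint(jwk: dict) -> str:
    """base64url(SHA-256(canonical JSON)) identifies the account key."""
    return b64url(hashlib.sha256(canonical_jwk_json(jwk).encode("utf-8")).digest())


def key_authorization(token: str, account_jwk: dict) -> str:
    """token '.' thumbprint: binds the challenge to this ACME account key."""
    return f"{token}.{jwk_thumbprint(account_jwk)}"


def dns01_txt_value(token: str, account_jwk: dict) -> str:
    """The TXT record's value is the base64url SHA-256 of the key authorization."""
    digest = hashlib.sha256(key_authorization(token, account_jwk).encode("utf-8")).digest()
    return b64url(digest)


def dns01_record_name(identifier: str) -> str:
    """Owner name of the TXT record. The '*.' label is dropped, so a wildcard for
    *.example.com is proven at _acme-challenge.example.com."""
    base = identifier[2:] if identifier.startswith("*.") else identifier
    return f"_acme-challenge.{base.rstrip('.')}"


# Constructed placeholder values (not a real key, not a real token). The "use"
# member is present on purpose: it is not part of the thumbprint input.
SAMPLE_ACCOUNT_JWK = {"kty": "EC", "crv": "P-256", "use": "sig",
                      "x": "placeholder-x-coordinate", "y": "placeholder-y-coordinate"}
SAMPLE_TOKEN = "placeholder-token-from-challenge"

if __name__ == "__main__":
    for ident in ("www.example.com", "*.example.com"):
        value = dns01_txt_value(SAMPLE_TOKEN, SAMPLE_ACCOUNT_JWK)
        print(f'{dns01_record_name(ident)}. IN TXT "{value}"')
```

The same derivation applies to every DNS-01 validation, not just wildcards; what differs for a wildcard is only that DNS-01 is the sole challenge type accepted, since neither HTTP-01 nor TLS-ALPN-01 can prove control of every possible subdomain. Whoever can write that TXT record can obtain the wildcard, which is why DNS API credentials used for automation deserve the same care as the private key itself.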