Let's Encrypt

Security Glossary - SSL/TLS

Definition: Let's Encrypt is a free, automated, and open Certificate Authority run by the Internet Security Research Group (ISRG). It issues Domain Validation (DV) certificates using the ACME protocol, which allows automated certificate issuance and renewal without manual intervention.

Why Let's Encrypt Matters

Let's Encrypt removed the cost barrier to HTTPS adoption. Before its launch in 2015, SSL certificates typically cost between $10 and several hundred dollars per year. Now any website owner can obtain a trusted certificate for free, which has been a major driver of HTTPS adoption across the web.

The key advantage of Let's Encrypt beyond cost is automation. Certificates are issued for 90-day periods and can be renewed automatically using ACME clients like Certbot. This short validity period is actually a security benefit - if a private key is compromised, the exposure window is limited. Manual certificate management is one of the most common sources of outages, so automation reduces operational risk.

The main limitation of Let's Encrypt is that it only offers Domain Validation certificates. If your organization needs Extended Validation (showing the company name in browser UI) or Organization Validation, you will need a paid CA. However, for the vast majority of websites, DV certificates provide the same encryption strength and are sufficient.

Checking Your Setup

Run an SSL checker to see if your certificate was issued by Let's Encrypt (the issuer will show "Let's Encrypt" or "R3" / "R10" / "R11" as the intermediate). Check the expiration date - if it is more than 90 days out, the certificate is not from Let's Encrypt. Verify that automatic renewal is configured by checking your ACME client's cron job or systemd timer.
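The three checks above, as an added example that is not part of the original page: a small Python script that pulls a site's leaf certificate with the standard library, reads the issuer, measures the validity period against the 90-day bound, and reports how many days remain. Assumptions: the 30-day renewal threshold mirrors Certbot's default, the function and variable names are this example's own, and the sample certificate dicts are constructed rather than real certificates.

```python
import socket
import ssl
import time

LETS_ENCRYPT_MAX_DAYS = 90                          # maximum validity the page states
LETS_ENCRYPT_INTERMEDIATES = {"R3", "R10", "R11"}   # intermediate CNs the page names
RENEW_BEFORE_DAYS = 30  # assumption: Certbot's default renewal threshold

def fetch_peer_cert(hostname, port=443, timeout=5.0):
    """Fetch the leaf certificate for hostname as the dict ssl's getpeercert() returns."""
    ctx = ssl.create_default_context()
    with socket.create_connection((hostname, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            return tls.getpeercert()

def inspect_cert(cert, now=None):
    """Run the page's checks on a getpeercert() dict. `now` is an optional time string
    in the certificate's own 'Mon DD HH:MM:SS YYYY GMT' format, for reproducible runs."""
    # getpeercert() encodes the issuer as a tuple of RDNs, each a tuple of (name, value) pairs
    issuer = {name: value for rdn in cert["issuer"] for name, value in rdn}
    org, cn = issuer.get("organizationName", ""), issuer.get("commonName", "")
    not_before = ssl.cert_time_to_seconds(cert["notBefore"])
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    now_s = ssl.cert_time_to_seconds(now) if now else time.time()
    validity_days = (not_after - not_before) // 86400
    days_remaining = int((not_after - now_s) // 86400)
    looks_le = org == "Let's Encrypt" or cn in LETS_ENCRYPT_INTERMEDIATES
    return {
        "issuer": f"{org} / {cn}",
        "validity_days": validity_days,
        "days_remaining": days_remaining,
        # issued by Let's Encrypt and within the 90-day bound the page describes
        "is_lets_encrypt": looks_le and validity_days <= LETS_ENCRYPT_MAX_DAYS,
        # a Let's Encrypt cert this close to expiry means the ACME client has not renewed it
        "renewal_overdue": looks_le and days_remaining < RENEW_BEFORE_DAYS,
    }

# Constructed sample dicts (not real certificates), shaped like getpeercert() output.
SAMPLE_LE_CERT = {
    "issuer": ((("organizationName", "Let's Encrypt"),), (("commonName", "R11"),)),
    "notBefore": "Mar 10 00:00:00 2025 GMT", "notAfter": "Jun 08 00:00:00 2025 GMT",
}
SAMPLE_PAID_CERT = {
    "issuer": ((("organizationName", "Example Commercial CA"),), (("commonName", "Example CA 1"),)),
    "notBefore": "Jan 01 00:00:00 2025 GMT", "notAfter": "Jan 01 00:00:00 2026 GMT",
}

if __name__ == "__main__":  # live check against a host you operate; the hostname is a placeholder
    print(inspect_cert(fetch_peer_cert("example.com")))
```

Run against the constructed samples, the Let's Encrypt cert reports 90 days of validity and, 19 days before expiry, an overdue renewal; the 365-day commercial cert is correctly classed as not from Let's Encrypt.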

Common Misconceptions

Myth: Let's Encrypt certificates are less secure than paid ones
Reality: Encryption strength is identical. Let's Encrypt uses the same RSA/ECDSA algorithms and key sizes as any paid CA. The only difference is validation level: Let's Encrypt does Domain Validation only.

Myth: 90-day certificate validity is a disadvantage
Reality: Short validity encourages automation, which is more reliable than manual renewal. Automated renewal via an ACME client such as Certbot eliminates the human error that causes most certificate-related outages.

Frequently Asked Questions

Are Let's Encrypt certificates as secure as paid ones?
Yes. Let's Encrypt certificates use the same encryption strength as paid certificates. The difference is in identity validation - Let's Encrypt only does domain validation, while paid CAs offer organization and extended validation that verifies the legal entity behind the domain.

Why do Let's Encrypt certificates expire after 90 days?
The short validity period encourages automation and limits the damage window if a key is compromised. With proper ACME client setup (like Certbot), renewal happens automatically, so the short period does not create operational burden.

Disclaimer: DomainOptic provides automated informational scans only. Results do not constitute professional security advice, compliance certification, or a guarantee of security. Always verify findings independently.