A Big Comparison of free SSL certificates: Let’s Encrypt vs. Basic DV by Symantec

Jun 8, 2016 | Jindřich Zechmeister

This article compares the certificates Let’s Encrypt and Basic DV by Symantec, both of which are offered exclusively to ZONER software customers. Basic DV is initiated by DigiCert, the world’s biggest certification authority. The certificate can be issued by 4 chosen webhosts, one of which is ZONER software.

Each ZONER customer gets an SSL certificate for every domain, and they can have as many as they want (incl. subdomains). If their hosting is with ZONER, they can install the certificate automatically with just one click. The customer can also download the certificate with a private key and start using it on their own server or device. In the same way as the domain, the certificate is valid for a year and renews automatically (on hosting as well).

Advantages of Basic DV:

  • a traditional way of obtaining a certificate, without a software client on the server
  • the customer obtains the certificate the same way as from a paid CA
  • issued by the biggest CA in the world, with a 20-year tradition
  • an active service is not required; installation can be done by the customer, who is authorised to do so
  • customer service gives advice and helps
  • no limits on certificate issuance
  • the CA respects CAA records
  • certificates are published in CT logs
  • verification is done via a signed ZONER DNS zone

Disadvantages of Basic DV:

  • the certificate is only for one DNS name
  • for customers of other webhosts: the fact that it is only provided by ZONER

Let’s Encrypt is a certification authority founded in 2015, which issues certificates for free. Mozilla, an EFF foundation, is involved in the CA and it is sponsored by various IT companies. The CA is non-commercial, so it does not have any reliable income.

Let’s Encrypt is distinguished by its unique approach to certificate issuance. Issuing a certificate requires their software client, which uses its own web server and, after verification, installs the certificate on the server (adjusting its configuration). The aim is that the web administrator does not have to take care of anything (which is not completely compatible with their function). The validity of these certificates is 90 days, which I do not mention as a disadvantage because the client renews them automatically.

Besides the way of getting the certificate, the CA itself may raise a few questions. It is good that it is an independent entity, but it does not have the authority over certificate credibility and, as I have already mentioned, it has no income. Problems with the sustainability of either of these can arise.

Advantages of Let’s Encrypt:

  • fully automated renewal on the customer’s device
  • CA supports CAA
  • it publishes certificates into CT logs
  • relatively good verification before issue (but overly complicated)

Disadvantages of Let’s Encrypt:

  • a community certificate without support, which is a big disadvantage especially during subsequent installation
  • credibility is supplied in the background by a small CA, IdenTrust, which in fact is not a typical CA, but a bank consortium issuing certificates
  • there is a limit to the number of issued certificates
  • a client is necessary; it is not possible to issue a certificate without a running server
  • if there is no support for LE clients, it is not possible to issue a certificate or to use an alternative one
  • the client installs the certificate on the server; it is dangerous to change server configuration automatically

We asked the hosting services product manager directly why ZONER chose DigiCert’s solution over the Let’s Encrypt authority. “We have considered Let’s Encrypt. We want to offer HTTPS security to our customers because we know that their presentations are valuable. However, we have decided to do it properly, so we do not offer the Let’s Encrypt certificates for free, but we offer - for domains registered with us - the option of using an SSL certificate by a time-tested authority, which DigiCert certainly is. This certificate is included in the registration/renewal payment for the domain,” explained Lukáš Ondra from ZONER.

As you can see, the Basic DV certificate has its use even though other free CAs exist. For ZONER, this is a trustworthy solution from the biggest CA in the world.

Ing. Jindřich Zechmeister
TLS certificate specialist
Certificated Sales Expert Plus
e-mail: jindrich.zechmeister(at)zoner.com