Let’s Encrypt is a free, automated, nonprofit Certificate Authority (CA) that issues publicly trusted TLS certificates (what most people still call SSL certificates). It is the largest CA in the world, with 63.9% market share, and has issued over 1 billion certificates since its public beta in December 2015 (general availability followed in April 2016).
Let’s Encrypt is run by the Internet Security Research Group (ISRG), supported by Mozilla, Google, EFF, Facebook, and others.
How Let’s Encrypt works
Let’s Encrypt uses the ACME protocol (Automated Certificate Management Environment, RFC 8555) to automate certificate issuance:
- Register an account — your ACME client generates an account key pair and registers its public key; every later request is signed with that key, and the challenges below are bound to it
- Prove domain control — for each name in the order, complete a challenge (HTTP-01, DNS-01, or TLS-ALPN-01) to show you control it: HTTP-01 means serving a file over port 80, DNS-01 means publishing a TXT record
- Submit a CSR — your ACME client sends a Certificate Signing Request carrying the public key the certificate should bind to those names (a separate key from the account key)
- Receive the certificate — Let’s Encrypt signs it and returns the certificate chain
- Install and renew — deploy the certificate; it is valid for 90 days, so renew before then (clients typically renew at about day 60)
The entire process is automated — no emails, no paperwork, no payment. ACME clients like GetHTTPS, Certbot, and acme.sh handle the protocol for you.
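To make the “prove domain control” step concrete, here is an added example (not code from Let’s Encrypt, Certbot or this page) of the computation every ACME client performs for HTTP-01 and DNS-01: the RFC 7638 thumbprint of the account key, the key authorization built from the CA’s challenge token, and the exact file path or TXT record that results. The account key, the token and the helper names are constructed for the example; a real client also signs the surrounding ACME requests with the account’s private key, which this snippet does not cover.

```python
import base64
import hashlib
import json

# Constructed sample account key (public half only). The modulus is a made-up
# string, not a real key: the thumbprint hashes the JSON text and never
# decodes "n", so a placeholder is enough to show the computation.
SAMPLE_JWK = {
    "kty": "RSA",
    "n": "uNotARealModulus_ConstructedForTheExample-0123456789",
    "e": "AQAB",
    "alg": "RS256",   # optional members such as alg and kid are NOT part of the thumbprint
    "kid": "acct-1",
}


def b64url(data: bytes) -> str:
    """Base64url with the '=' padding stripped, as JWS and ACME require (RFC 7515 App. C)."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def canonical_jwk(jwk: dict) -> str:
    """RFC 7638 §3: only the required members, lexicographic key order, no whitespace."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    return json.dumps({k: jwk[k] for k in required}, sort_keys=True, separators=(",", ":"))


def jwk_thumbprint(jwk: dict) -> str:
    """SHA-256 of the canonical JWK, base64url encoded (RFC 7638)."""
    return b64url(hashlib.sha256(canonical_jwk(jwk).encode("utf-8")).digest())


def key_authorization(token: str, jwk: dict) -> str:
    """RFC 8555 §8.1: the CA's random token joined to the account key thumbprint."""
    return f"{token}.{jwk_thumbprint(jwk)}"


def http01_response(token: str, jwk: dict) -> tuple[str, str]:
    """Path and body to serve over port 80 for HTTP-01 (§8.3): plain text, no trailing newline."""
    return f"/.well-known/acme-challenge/{token}", key_authorization(token, jwk)


def dns01_record(identifier: str, token: str, jwk: dict) -> tuple[str, str]:
    """TXT record name and value for DNS-01 (§8.4): base64url(SHA-256(keyAuthorization)).

    For a wildcard the leading "*." is dropped: *.example.com is validated at
    _acme-challenge.example.com, the same record a plain example.com order uses."""
    base = identifier[2:] if identifier.startswith("*.") else identifier
    digest = hashlib.sha256(key_authorization(token, jwk).encode("ascii")).digest()
    return f"_acme-challenge.{base}", b64url(digest)


if __name__ == "__main__":
    token = "constructed-token-the-CA-would-generate-this"   # constructed; the CA issues the real one
    print(http01_response(token, SAMPLE_JWK))
    print(dns01_record("*.example.com", token, SAMPLE_JWK))
```

The two details that most often break validation are visible here: the thumbprint hashes only the required JWK members in sorted order (adding `kid` or `alg` must not change it), and every base64url value is emitted without `=` padding. RFC 7638 §3.1 publishes a known-answer thumbprint you can run through `jwk_thumbprint` to confirm an implementation against a real key.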
Why it’s free
Let’s Encrypt’s mission is to make HTTPS universal. It is a nonprofit, so there is no revenue model to speak of; here is how it is funded and why it costs so little to run:
- Sponsored by major tech companies (Google, Mozilla, Meta, Cisco, EFF, etc.)
- Operating costs are modest — nearly everything is automated
- No support staff for individual users — community forum only
- Only issues DV certificates — no complex identity verification to perform
This isn’t “free as in freemium.” There are no paid tiers, no upsells, no limits designed to push you to a paid plan. It’s free because encryption should be a baseline, not a luxury.
Rate limits
Let’s Encrypt has rate limits to prevent abuse. They are generous for a typical site, but large fleets, or a renewal script stuck in a failing loop, can hit them, so know what they are:
| Limit | Value | Notes |
|---|---|---|
| Certificates per registered domain | 50 per week | Covers example.com and all of its subdomains; renewals (the exact same name set as an earlier certificate) are exempt from this limit |
| Duplicate certificates | 5 per week | Same exact set of domain names; this is the limit renewals count toward |
| Failed validations | 5 per hour | Per account, per hostname; a broken challenge setup hits this one first |
| New account registrations | 10 per IP per 3 hours | ACME account creation |
| Pending authorizations | 300 per account | Concurrent incomplete challenges |
For testing, use Let’s Encrypt’s staging environment (directory URL https://acme-staging-v02.api.letsencrypt.org/directory). It has much higher limits and issues certificates from a test root that browsers do not trust, so hitting a limit while debugging a client costs you nothing in production.
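As an added illustration (not code from Let’s Encrypt or from this page), here is a pre-flight check that models the two limits a fleet is most likely to hit, the per-registered-domain and duplicate limits, against a constructed issuance history. Assumptions: the registered domain is approximated as the last two labels (a real client must use the Public Suffix List, which is how Let’s Encrypt actually counts), the renewal exemption is modeled as described in the table, and the function names and sample histories are invented for the example.

```python
from datetime import datetime, timedelta, timezone

WINDOW = timedelta(days=7)
CERTS_PER_REGISTERED_DOMAIN = 50
DUPLICATE_CERTS = 5


def registered_domain(name: str) -> str:
    """Registered domain of a hostname.

    Assumption for this example: the last two labels. A real client must use
    the Public Suffix List (a.foo.co.uk -> foo.co.uk), which is how the limit
    is really counted."""
    base = name[2:] if name.startswith("*.") else name
    return ".".join(base.lower().rstrip(".").split(".")[-2:])


def check_order(names, history, now):
    """Return the limits a new order for `names` would exceed (empty list = OK).

    history: iterable of (issued_at, frozenset_of_names) for certificates this
    account already obtained."""
    wanted = frozenset(n.lower() for n in names)
    history = list(history)
    recent = [(t, s) for t, s in history if timedelta(0) <= now - t < WINDOW]
    hits = []

    def is_renewal(issued_at, sans):
        # A renewal re-issues a name set that was already issued earlier.
        return any(t < issued_at and s == sans for t, s in history)

    # Duplicate limit: same exact name set, 5 per rolling 7 days.
    duplicates = sum(1 for _, s in recent if s == wanted)
    if duplicates >= DUPLICATE_CERTS:
        hits.append(f"duplicate certificates ({duplicates}/{DUPLICATE_CERTS} this week)")

    # Per-registered-domain limit: renewals are exempt, both the order being
    # checked and the renewals already present in the history.
    if not is_renewal(now, wanted):
        for rd in sorted({registered_domain(n) for n in wanted}):
            count = sum(
                1 for t, s in recent
                if not is_renewal(t, s) and any(registered_domain(n) == rd for n in s)
            )
            if count >= CERTS_PER_REGISTERED_DOMAIN:
                hits.append(f"certificates per registered domain for {rd} "
                            f"({count}/{CERTS_PER_REGISTERED_DOMAIN} this week)")
    return hits


def sample_history():
    """Constructed history: 50 distinct single-host certs under example.com in
    the past week, plus www.example.com issued 80 days ago and due for renewal."""
    now = datetime(2025, 1, 15, 12, tzinfo=timezone.utc)
    hist = [(now - timedelta(days=80), frozenset({"www.example.com"}))]
    for i in range(CERTS_PER_REGISTERED_DOMAIN):
        hist.append((now - timedelta(hours=i + 1), frozenset({f"host{i}.example.com"})))
    return now, hist


def sample_duplicate_history():
    """Constructed history: the same api.example.com cert issued 5 times this
    week, e.g. a renewal job that loops after losing its certificate files."""
    now = datetime(2025, 1, 15, 12, tzinfo=timezone.utc)
    sans = frozenset({"api.example.com"})
    return now, [(now - timedelta(hours=6 * i + 1), sans) for i in range(DUPLICATE_CERTS)]


if __name__ == "__main__":
    now, hist = sample_history()
    print(check_order({"new.example.com"}, hist, now))   # per-registered-domain limit hit
    print(check_order({"www.example.com"}, hist, now))   # renewal: allowed
    now, hist = sample_duplicate_history()
    print(check_order({"api.example.com"}, hist, now))   # duplicate limit hit
```

The history you feed this can come from your own client’s storage or from Certificate Transparency (which also reveals certificates issued by other accounts for the same registered domain, since the per-domain limit is shared across accounts). Run the same check against staging first; its limits are far higher, but the logic is identical.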
What Let’s Encrypt doesn’t offer
- OV/EV certificates — only Domain Validation (DV)
- Dedicated support — community forum only
- Warranty — no financial guarantee against mis-issuance
- Certificate management dashboard — that’s what ACME clients are for
- Certificates longer than 90 days — by design (short validity limits exposure if a key is compromised)
For most websites, none of these are needed. DV certificates provide the same encryption as OV/EV. See our Let’s Encrypt vs Paid SSL comparison.
How to use Let’s Encrypt
You don’t interact with Let’s Encrypt directly — you use an ACME client:
| Client | How it works | Best for |
|---|---|---|
| GetHTTPS | Browser-based, no install, key stays local | Quick certs without server access |
| Certbot | CLI tool, auto-renewal, server integration | Production servers with root access |
| acme.sh | Shell script, no root needed | Lightweight CLI alternative |
| Caddy | Built-in ACME, automatic HTTPS | Caddy web server users |
Full comparison of free SSL tools →
Frequently asked questions
Is Let’s Encrypt safe?
Yes. Let’s Encrypt certificates use the same cryptographic standards as paid certificates and are trusted by all major browsers and operating systems. Like every publicly trusted CA it is audited against the CA/Browser Forum Baseline Requirements, and every certificate it issues is published to Certificate Transparency logs, so you can monitor for certificates issued for your names that you did not request. Over 300 million active certificates protect a significant portion of the web.
Why 90-day certificates?
Short validity limits the damage if a private key is compromised: an attacker can use a stolen key only until the certificate expires, and because browsers check revocation unreliably, expiry is the more dependable backstop. It also forces automation, which is more reliable than manual renewal. Note: the CA/Browser Forum has voted to cut the maximum validity for all CAs in stages, to 200 days in March 2026, 100 days in March 2027, and 47 days in March 2029.
Can I use Let’s Encrypt for commercial websites?
Yes. There’s no restriction on commercial use. Let’s Encrypt certificates are used by major companies, SaaS products, and e-commerce sites. The license places no limitations on usage.
What happens if Let’s Encrypt goes down?
Existing certificates keep working until they expire; they don’t phone home. You just can’t issue or renew during an outage. Let’s Encrypt has a strong uptime track record and is backed by well-funded sponsors. The practical mitigation is to renew early: Certbot’s default of renewing 30 days before expiry (about day 60 of 90) leaves a month of slack, and monitoring certificate expiry independently of the renewal job catches a silently failing renewal before it becomes an outage.
Does Let’s Encrypt support wildcard certificates?
Yes. Wildcard certificates (*.example.com) are issued only via the DNS-01 challenge: you publish a TXT record at _acme-challenge.example.com to prove control of the zone, which in practice means your client needs API access to your DNS provider for renewals to stay automated. Two caveats: a wildcard covers exactly one label, so *.example.com matches www.example.com but not example.com or a.b.example.com (order the apex name alongside the wildcard), and because the wildcard is validated against the base domain, anyone who can write that one TXT record can obtain certificates for every subdomain.
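Because the “one label only” rule surprises people, here is an added example (not code from Let’s Encrypt or this page) that applies the wildcard matching rule browsers use, RFC 6125 §6.4.3 with the wildcard as the whole left-most label, to a constructed list of hostnames, so you can see which names a wildcard-only order would leave unserved before you place it. The function names and the sample host lists are invented for the example.

```python
def name_matches(cert_name: str, hostname: str) -> bool:
    """True if a certificate subject name covers a hostname.

    A wildcard matches exactly one label and only as the left-most label
    (RFC 6125 §6.4.3), which is the only wildcard form Let's Encrypt issues."""
    cert_name = cert_name.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not cert_name.startswith("*."):
        return cert_name == hostname
    labels = hostname.split(".")
    # "*.example.com": one label, then exactly "example.com".
    return len(labels) >= 2 and ".".join(labels[1:]) == cert_name[2:]


def uncovered(cert_names, hostnames):
    """Hostnames that a certificate with these subject names would NOT serve."""
    return [h for h in hostnames if not any(name_matches(c, h) for c in cert_names)]


# Constructed example: a bare wildcard order versus the names a site usually needs.
WILDCARD_ONLY = ["*.example.com"]
APEX_AND_WILDCARD = ["example.com", "*.example.com"]
SITE_HOSTS = ["example.com", "www.example.com", "api.example.com", "a.b.example.com"]

if __name__ == "__main__":
    print(uncovered(WILDCARD_ONLY, SITE_HOSTS))       # ['example.com', 'a.b.example.com']
    print(uncovered(APEX_AND_WILDCARD, SITE_HOSTS))   # ['a.b.example.com']
```

The deeper name a.b.example.com is still uncovered with the apex added; it needs its own entry or a second wildcard (*.b.example.com) in the order.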
Let’s Encrypt by the numbers
| Metric | Value |
|---|---|
| Active certificates | 300+ million |
| Global CA market share | 63.9% |
| Total certificates issued | 1+ billion |
| Certificate type | DV only |
| Validity | 90 days |
| Cost | Free |
| Sponsors | Google, Mozilla, Meta, Cisco, EFF, Akamai, and others |
| Founded | 2013 (ISRG); public beta December 2015, general availability April 2016 |
| Protocol | ACME (RFC 8555) |
| Root CA | ISRG Root X1 (RSA); ISRG Root X2 (ECDSA) |
Why some people distrust Let’s Encrypt (and why they’re wrong)
“Free = less secure” — The CA only signs your public key. The cipher suite, key exchange and session encryption are negotiated by TLS between the browser and your server, and they are identical whoever signed the certificate. Free vs paid comparison →
“No warranty = risky” — CA warranties cover CA mis-issuance errors, not your site getting hacked. No significant warranty payout has ever been publicly documented.
“90-day certs = unreliable” — Short validity is a security feature, not a limitation. Automated renewal (Certbot) makes this invisible.
“Phishing sites use Let’s Encrypt” — True, but phishing sites also use paid certificates. DV certificates verify domain control, not site legitimacy. This is by design — encryption protects data in transit regardless of the site’s intent.