Let's Encrypt has been shaking things up in the Certification Authority world. Let's Encrypt certificates are free, automated and easy to install, and they have been gaining market share like crazy. Some CAs have reacted to their loss of market share in interesting ways.
Let's Encrypt are not perfect, but they are good, and they are available now rather than spending another six years in development trying to achieve perfection.
They have some notable (and largely intentional) limitations:
- They don't do Extended Validation certificates.
- They don't do wildcard certificates.
- They don't issue certificates for internal servers that can't be accessed from the internet [1].
- They don't issue client certificates for things like S/MIME.
- Certificates are limited to 90 days' validity.
These limitations mean that Let's Encrypt is only useful about 99% of the time [2].
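The "internal servers" limitation follows directly from how Let's Encrypt validates control of a name: the CA itself has to reach the host over the ACME protocol. The Python below is an added illustration, not code from the original post or from Let's Encrypt's own client, of what that validation requires as specified in the ACME RFC (RFC 8555). For the HTTP-01 challenge the client must serve a key authorization (the challenge token, a dot, and the RFC 7638 thumbprint of the account key) at a well-known URL that the CA fetches from the internet on port 80; for DNS-01 it must publish a TXT record derived from the same value. The domain name, token and listening port are assumed for the example; the account key is the RSA public key from RFC 7638 section 3.1, so the thumbprint can be compared against the value printed in that RFC.

```python
import base64
import hashlib
import json
import re
from http.server import BaseHTTPRequestHandler, HTTPServer

# Sample input: the RSA public key from RFC 7638 section 3.1 used as an ACME account key.
# Only the public members matter for the thumbprint; "alg" and "kid" are left in on
# purpose to show that they are excluded from the hash.
EXAMPLE_JWK = {
    "kty": "RSA",
    "n": "0vx7agoebGcQSuuPiLJXZptN9nndrQmbXEps2aiAFbWhM78LhWx4cbbfAAtVT86zwu1RK7aPFFxuhDR1L6tSoc_BJECPebWKRXjBZCiFV4n3oknjhMstn64tZ_2W-5JsGY4Hc5n9yBXArwl93lqt7_RN5w6Cf0h4QyQ5v-65YGjQR0_FDW2QvzqY368QQMicAtaSqzs8KJZgnYb9c7d0zgdAZHzu6qMQvRL5hajrn1n91CbOpbISD08qNLyrdkt-bFTWhAI4vMQFh6WeZu0fM4lFd2NcRwr3XPksINHaQ-G_xBniIqbw0Ls1jF44-csFCur-kEgU8awapJzKnqDKgw",
    "e": "AQAB",
    "alg": "RS256",
    "kid": "2011-04-29",
}

# ACME tokens are restricted to the base64url alphabet. A client that writes the token
# into a filesystem path or a URL must check this before using it, otherwise a hostile
# or buggy server could hand it "../../etc/passwd" as a token.
TOKEN_RE = re.compile(r"^[A-Za-z0-9_-]+$")


def b64url(data: bytes) -> str:
    """base64url without '=' padding, the encoding JOSE and ACME use throughout."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 over the required public members only, serialised
    as JSON with keys in lexicographic order and no whitespace."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}
    canonical = json.dumps({k: jwk[k] for k in required[jwk["kty"]]},
                           sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def key_authorization(token: str, jwk: dict) -> str:
    """token '.' thumbprint: ties the response to both the name and the account key."""
    if not TOKEN_RE.match(token):
        raise ValueError("token is not base64url; refusing to use it")
    return f"{token}.{jwk_thumbprint(jwk)}"


def challenge_path(token: str) -> str:
    return "/.well-known/acme-challenge/" + token


def http01_challenge(domain: str, token: str, jwk: dict) -> tuple:
    """(URL the CA fetches over plain HTTP from the internet, body it expects back)."""
    return (f"http://{domain}{challenge_path(token)}", key_authorization(token, jwk))


def dns01_record(domain: str, token: str, jwk: dict) -> tuple:
    """(TXT record name, value) for DNS-01: base64url(SHA-256(key authorization))."""
    digest = hashlib.sha256(key_authorization(token, jwk).encode("ascii")).digest()
    return (f"_acme-challenge.{domain}", b64url(digest))


class ChallengeHandler(BaseHTTPRequestHandler):
    """Minimal responder: answers only registered challenge paths, 404 for anything else."""
    challenges = {}  # path -> key authorization

    def do_GET(self):
        body = self.challenges.get(self.path)
        if body is None:
            self.send_error(404)
            return
        data = body.encode("ascii")
        self.send_response(200)
        self.send_header("Content-Type", "application/octet-stream")
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)

    def log_message(self, *args):  # keep the example quiet
        pass


if __name__ == "__main__":
    # Assumed values: the domain and token are made up for the example.
    domain, token = "www.example.com", "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA"
    url, body = http01_challenge(domain, token, EXAMPLE_JWK)
    ChallengeHandler.challenges[challenge_path(token)] = body
    print("CA will fetch", url, "and expects", body)
    print("DNS-01 alternative:", dns01_record(domain, token, EXAMPLE_JWK))
    # Port 80 is assumed; this only works if the CA can reach it from the internet.
    HTTPServer(("0.0.0.0", 80), ChallengeHandler).serve_forever()
```

The last line is the whole point: the responder has to be reachable by the CA's validation servers, so a host on a private network never completes the exchange, which is why the list above says Let's Encrypt won't issue for it. DNS-01 relaxes this to "the CA must be able to read your public DNS", which is the usual way round it for hosts that are not themselves on the internet.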
One thing Let's Encrypt was meant to do was make other Certification Authorities innovate, and StartCom have done that. In my opinion they were already one of the innovators in the field. They were giving away free domain validated SSL certificates, and for Extended Validation you could validate once and then get an unlimited number of EV certificates. In other words, they were only charging you for things that were not automated, which in itself was pretty revolutionary. Their validation process was pretty rigorous, and while parts of their UI felt a little clunky it all worked pretty well.
Now they have released StartEncrypt which is clearly designed to go head to head with Let's Encrypt, from their announcement email:
Compared with Let's Encrypt, StartEncrypt supports Windows and Linux servers for the most popular web server software, and has many incomparable advantages, such as:
(1) Not just getting the SSL certificate automatically, but installing it automatically;
(2) Not just encrypted, but also identity validated, to display the EV green bar and the OV organization name in the certificate;
(3) Not just a 90-day certificate, but up to 39 months, more than 1180 days;
(4) Not just a low-assurance DV SSL certificate, but also a high-assurance OV SSL certificate and a green-bar EV SSL certificate;
(5) Not just for one domain, but up to 120 domains, with wildcard support;
(6) All OV SSL certificates and EV SSL certificates are free; just make sure your StartSSL account is verified as a Class 3 or Class 4 identity.
I don't think their points are worded particularly well. The first point implies that Let's Encrypt can't install certificates, but the Let's Encrypt client can automatically install certificates for Apache. The second and fourth points are basically the same. And the fifth point implies that Let's Encrypt can't handle multiple domain names, but it can put up to 100 domain names on a single certificate, although as said above it won't do wildcards.
Unfortunately the StartEncrypt client appears to be a closed-source binary, which is a serious problem for a lot of people. I'll admit that I've not read more than a few hundred lines of Certbot's source code, but it's a huge comfort to know that I can if I want to. Also the documentation is fairly thin on the ground: if you download the install file there is an Operating Manual in the doc directory, but it's not especially detailed.
If running a closed-source binary is not your thing they also have an API; unfortunately, at the time of writing, you need to be signed in to access the API documentation. From a quick read it looks to be a fairly simple REST API that you could use to write your own client.
Even though I'll probably be sticking with Let's Encrypt for most things, I think it's great to see some competition.
Also I know StartCom have copped some flak in the past because they gave out free certificates but charged $25 to revoke them. But I think their pricing is reasonable: they charge for manual processes, and revocation was a manual process when Heartbleed happened, so they charged for it. Similarly, they offer unlimited free Extended Validation certificates once you have been validated. Validation costs $199 USD. Some people complain that validation isn't free and so EV certificates should not be advertised as free, which is fair, but they are fairly upfront about that. And validation is a real human process: they look at scanned copies of your passport, they call you on the phone, and they require proof that you represent the organisation you say you do. None of that is automated.
Another poignant comic by the folks over at commitStrip
[1] I know there are a number of ways you can get a certificate for an internal server, but the design of Let's Encrypt is clearly aimed at servers it can directly validate with ACME.
[2] I don't have a source for that; in fact I just made it up. It might be a fun project for someone to run through certificate transparency logs like crt.sh and find out what percentage of certificates issued are just standard DV certs. If anyone does that please let me know.
[3] In their announcement email they directly compare StartEncrypt with Let's Encrypt.
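The second footnote proposes counting how many of the certificates in the Certificate Transparency logs are plain DV. The Python below is an added example for that project, not code from the original post and not a crt.sh tool: a certificate declares its validation level through the CA/Browser Forum policy OIDs in its Certificate Policies extension (2.23.140.1.1 for EV, 2.23.140.1.2.1 for DV, 2.23.140.1.2.2 for OV, 2.23.140.1.2.3 for IV), so the classification step is to read those OIDs, ignore the CA-specific CPS OIDs that sit beside them, and tally. The records and issuer names here are constructed sample data, and the non-CA/B OIDs in them are made up; the optional helper that pulls OIDs out of a real PEM certificate uses the `cryptography` package.

```python
from collections import Counter

# CA/Browser Forum reserved policy identifiers. A certificate asserts its validation
# level by including one of these in its Certificate Policies extension; the CA's own
# CPS OID usually appears alongside and says nothing about the level.
CABF_EV = "2.23.140.1.1"
CABF_DV = "2.23.140.1.2.1"
CABF_OV = "2.23.140.1.2.2"
CABF_IV = "2.23.140.1.2.3"

# Constructed sample: what a crt.sh export might look like once the policy OIDs have been
# extracted from each certificate. Issuer names and the 1.3.6.1.4.1.99999.* OIDs are
# invented for this example.
SAMPLE_RECORDS = [
    {"issuer": "Example DV CA", "policies": [CABF_DV, "1.3.6.1.4.1.99999.1.1"]},
    {"issuer": "Example DV CA", "policies": [CABF_DV]},
    {"issuer": "Example OV CA", "policies": ["1.3.6.1.4.1.99999.2.1", CABF_OV]},
    {"issuer": "Example EV CA", "policies": [CABF_EV, CABF_OV]},
    {"issuer": "Example DV CA", "policies": [CABF_DV]},
    {"issuer": "Old Root CA", "policies": []},  # pre-dates the CA/B OIDs: no signal
]


def classify(policy_oids) -> str:
    """Highest validation level asserted by the Certificate Policies extension.
    EV certificates commonly also carry the OV OID, so precedence matters."""
    oids = set(policy_oids)
    for level, oid in (("EV", CABF_EV), ("OV", CABF_OV), ("IV", CABF_IV), ("DV", CABF_DV)):
        if oid in oids:
            return level
    return "unknown"


def tally(records) -> dict:
    """Map level -> (count, percentage of all records), sorted by level name."""
    counts = Counter(classify(r["policies"]) for r in records)
    total = sum(counts.values())
    return {level: (n, round(100.0 * n / total, 1)) for level, n in sorted(counts.items())}


def policies_from_pem(pem: bytes) -> list:
    """Policy OIDs of a real certificate. Needs the `cryptography` package, imported
    inside the function so the rest of the example runs without it."""
    from cryptography import x509
    cert = x509.load_pem_x509_certificate(pem)
    try:
        ext = cert.extensions.get_extension_for_class(x509.CertificatePolicies).value
    except x509.ExtensionNotFound:
        return []
    return [p.policy_identifier.dotted_string for p in ext]


def report(records) -> str:
    return "\n".join(f"{level:8s} {n:6d} {pct:5.1f}%"
                     for level, (n, pct) in tally(records).items())


if __name__ == "__main__":
    print(report(SAMPLE_RECORDS))
```

To run this over real data, download the certificates you want to count, feed each one through policies_from_pem and pass the resulting records to tally. Keep the "unknown" bucket separate rather than folding it into DV: older certificates and private CAs that predate or ignore the CA/B OIDs would otherwise inflate the DV share.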