See if you can follow the logic, as reported by Lupa.cz.
The reasons for preferring the paid option over the free certificate are essentially two. Let’s Encrypt issues DV certificates with validity limited to only three months. Before the original expires, it’s necessary to deploy a new certificate, which means having a functional ACME client with automation elements set up so that, if possible, the system takes care of this obligation in time by itself. In contrast, commercial certificates are usually issued for at least one year. The IT department thus only needs to remember that once a year, the certificate needs to be replaced.
“In some environments, the implementation of automation through available ACME clients for Let’s Encrypt may not yet be fine-tuned for sufficient reliability, or may not be available at all,” adds the head of the Czech certification authority Alpiro, Antonín Kozan. And he adds a second reason why domain verification is often insufficient for clients.
“Many of our customers realize that in connection with SSL certificates, not only the encryption of communication itself is important, but also the added value in the form of higher credibility with an SSL certificate issued against rigorous verification of the organization. This is crucial for a wide range of organizations from financial or state institutions, established companies, online stores, and other entities that place high emphasis on the higher credibility of SSL certificates with OV or EV,” he concludes.
Sorry, that doesn’t check out for me. Haha, get it? Czech out? It’s the little bits of humor in these troubled times… anyway, ahem, seriously this doesn’t check out. If there’s one place in the world I expect people to use simple, reliable systems for tracking things, it’s Prague. Let me explain why.
First, for the 90-day rotation question, the easy technology answer is a proxy or reverse proxy with automated renewal handling. Think of it like a piece of paper you put on your table that keeps track of things so you don’t have to. There are many tools that do this, so I’m hopefully not surprising anyone:
- Traefik
- Caddy
- Nginx Proxy Manager
- Certbot with cron jobs

All of these deal with Let’s Encrypt renewals even in legacy systems that can’t handle ACME. The proxy safely terminates traffic and safely front-ends systems that remain unaware of certificate management.
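For anyone worried that automated renewal might fail quietly, a small monitor closes the gap. This is an added example, not code from the original post or from any of the tools listed; the 30-day renewal window and 7-day grace period are assumptions to adjust to your ACME client.

```python
import socket
import ssl
from datetime import datetime, timezone

RENEW_WINDOW_DAYS = 30  # assumption: ACME client renews with about 30 days left
GRACE_DAYS = 7          # assumption: tolerated delay before alerting


def parse_cert_time(value):
    """Convert an OpenSSL-style time ('Jun  1 12:00:00 2025 GMT') to aware UTC."""
    return datetime.fromtimestamp(ssl.cert_time_to_seconds(value), tz=timezone.utc)


def renewal_status(not_after, now):
    """Classify a certificate by remaining validity.

    A healthy automated setup never drops far below the renewal window,
    so a low remaining lifetime means the renewal job is failing.
    """
    days_left = (parse_cert_time(not_after) - now).days
    if days_left < 0:
        return "EXPIRED", days_left
    if days_left < RENEW_WINDOW_DAYS - GRACE_DAYS:
        return "RENEWAL_OVERDUE", days_left
    return "OK", days_left


def fetch_not_after(host, port=443, timeout=5.0):
    """Read notAfter from the certificate the proxy actually serves.

    Uses full verification, so an already expired or mismatched
    certificate raises ssl.SSLError; treat that as an alert too.
    """
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()["notAfter"]


if __name__ == "__main__":
    # Constructed sample values so the check runs offline.
    now = datetime(2025, 6, 1, tzinfo=timezone.utc)
    samples = {
        "fresh": "Aug 15 00:00:00 2025 GMT",
        "stuck renewal": "Jun 11 00:00:00 2025 GMT",
        "expired": "May 30 00:00:00 2025 GMT",
    }
    for label, not_after in samples.items():
        print(label, renewal_status(not_after, now))
```

Run it from cron against each public hostname with `renewal_status(fetch_not_after(host), datetime.now(timezone.utc))` and page someone on anything other than `OK`.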
Second, with regard to a “need for higher trust” in OV/EV certificates, I’m not sure where they’re getting that from:
- Nobody notices or understands any difference in DV, OV, and EV certificates anymore. Is this like a local fan group or special circumstance? Like we only drink beer made from our local creek kind of thing?
- Modern browsers removed visual indicators for EV certificates so it’s not like anyone is expected to understand the difference anymore.
- The “big” traffic encryption sites like Google and Amazon run DV certificates, and as horrible as they are ethically, they do care about the actual strength of security.

This might all just be a case of doing things the “local” way. Like when I sit in a Prague cellar drinking twelve beers and … remember when I mentioned a piece of paper? The Czechs are known for their “čárky” marks, where the easy thing is the right thing to do apparently.

| Measure | Čárky | Let’s Encrypt |
|---|---|---|
| Purpose | Track beer consumption | Deliver website certificates |
| Philosophy | Simple, transparent, accessible | Simple, transparent, accessible |
| Status | Traditional | Standard |
| Alternative | Paid vendor (disruptive) | Paid vendor (unusual) |
| Cost | None | None |
| Complexity | Minimal (pencil, paper) | Minimal (automated scripts) |
| Renewal | Every beer (server) | Every 90 days (automated) |
| Resistance From | POS vendors | Certificate vendors |
| Effectiveness | High value low cost | High value low cost |

So maybe there’s some kind of financial angle to certification authorities pushing paid products into lined pockets, rather than technical or security concerns? Who really loses what? Who stands opposed to using the standard high value low cost solution?
Properly automated DV certificates from Let’s Encrypt provide the same level of encryption security without the manual renewal overhead and cost. There’s more to this story, that’s all I’m saying. Czech it out.