
Free vs Paid SSL Certificates: What Is the Actual Difference

Hostney Learning Center | hostney.com | March 17, 2026 | 12 min read

Every browser connection to your website over HTTPS requires an SSL certificate. You can get one for free from Let’s Encrypt, or pay anywhere from $10 to several hundred dollars per year for one from a commercial Certificate Authority. The marketing around paid certificates implies significant differences in security, trust, and protection.

Most of those implications are misleading.

This post covers what SSL certificates actually are, what makes them different from each other, when free certificates are genuinely sufficient, and when a paid certificate is worth considering.

What an SSL certificate actually is

An SSL certificate is a digital document that contains two things:

  1. Your public key – the cryptographic key used to establish an encrypted connection
  2. A signature from a Certificate Authority – proof that a trusted third party has verified something about the certificate owner

The certificate itself does not encrypt anything. Encryption happens through TLS, the protocol that uses the certificate. The certificate’s job is identity – it tells your browser “this server is genuinely associated with this domain name, and here is a trusted authority vouching for that.”

When your browser connects to a website over HTTPS, it:

  1. Receives the server’s certificate
  2. Checks the Certificate Authority’s signature against its built-in list of trusted CAs
  3. Verifies the domain name in the certificate matches the address in the browser bar
  4. Verifies the certificate has not expired
  5. Checks the certificate has not been revoked

If all five checks pass, the browser establishes an encrypted connection. If any check fails, the browser shows a warning.

The encryption strength – the algorithm, the key size, the cipher suite – is determined by the TLS configuration on the server, not by the certificate type. A free Let’s Encrypt certificate and a $300/year commercial certificate use identical encryption when the server is configured the same way. The CA signature is different. The encryption is not.

Self-signed certificates: why browsers reject them

Before understanding CA-signed certificates, it helps to understand what happens without one.

You can generate a certificate and sign it yourself using OpenSSL:

openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -days 365 -nodes

This creates a perfectly functional certificate. It contains a public key. It can establish an encrypted connection. The encryption is just as strong as any CA-signed certificate.

But your browser will show a full-page warning:

Your connection is not private
NET::ERR_CERT_AUTHORITY_INVALID

The reason is trust. The browser has no way to verify who signed the certificate. You signed it yourself – anyone can do that. The browser cannot distinguish between a legitimate server operator who self-signed their certificate and an attacker who generated a self-signed certificate to impersonate your domain.

The CA system solves this by creating a chain of trust. Certificate Authorities are organizations that browsers and operating systems have decided to trust. That trust is established over years through audits, compliance requirements, and legal accountability. When a CA signs your certificate, they are vouching for it with their own trusted reputation.

A self-signed certificate provides encryption but no identity verification. For internal tools, development environments, and private networks where you control both the server and the clients, self-signed certificates are perfectly reasonable – you can add the certificate to your trusted store manually. For public websites where you have no control over your visitors’ browsers, self-signed certificates are not usable.

Certificate validation levels: what the CA actually checks

All CA-signed certificates provide encrypted connections. They differ in how much the CA verified about the certificate requester before issuing it.

Domain Validated (DV)

The CA verifies only that you control the domain. They do this through one of three methods:

  • HTTP-01 challenge: Place a specific file at http://yourdomain.com/.well-known/acme-challenge/token. The CA fetches it and confirms you control the web server.
  • DNS-01 challenge: Add a specific TXT record to your domain’s DNS. The CA queries it and confirms you control the DNS.
  • TLS-ALPN-01 challenge: A TLS-based validation for servers that cannot serve HTTP responses on port 80.

The CA does not check who you are, whether you are a legitimate business, or whether the domain is being used for phishing. Domain control is the only verification. Issuance is fully automated and takes seconds to minutes.
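As an added example (not code from the original post), here is what the "specific file" and "specific TXT record" in the HTTP-01 and DNS-01 challenges actually contain, and the comparison the CA performs when it fetches them, following RFC 8555 sections 8.3 and 8.4 and the RFC 7638 thumbprint. The account key is a constructed RSA JWK with a placeholder modulus, and the token is the example token from RFC 8555.

```python
# Added example, not code from the original post: what an ACME client actually
# publishes for the HTTP-01 and DNS-01 challenges above, and the comparison the
# CA makes when it fetches it (RFC 8555 sections 8.3 and 8.4, RFC 7638 thumbprint).
# The account key is a constructed RSA JWK with a placeholder modulus.
import base64
import hashlib
import json

def b64url(data: bytes) -> str:
    """Base64url without padding, the encoding ACME uses everywhere."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638: SHA-256 over the required public members only, serialized with
    sorted keys and no whitespace so every implementation hashes the same bytes."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required}, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())

def key_authorization(token: str, account_jwk: dict) -> str:
    """Body the client serves at /.well-known/acme-challenge/<token>. Binding the
    token to the account key means a stray token cannot be replayed by another account."""
    return f"{token}.{jwk_thumbprint(account_jwk)}"

def dns01_txt_value(token: str, account_jwk: dict) -> str:
    """Value of the _acme-challenge TXT record: the SHA-256 of the key
    authorization, so the account thumbprint itself is not published in DNS."""
    return b64url(hashlib.sha256(key_authorization(token, account_jwk).encode("ascii")).digest())

def ca_accepts_http01(fetched_body: str, token: str, account_jwk: dict) -> bool:
    """CA side: the body fetched over plain HTTP must equal the expected key
    authorization for the account that asked for the certificate."""
    return fetched_body.strip() == key_authorization(token, account_jwk)

def ca_accepts_dns01(txt_record: str, token: str, account_jwk: dict) -> bool:
    """CA side: the TXT record it queries must equal the expected digest."""
    return txt_record == dns01_txt_value(token, account_jwk)

# Constructed account key and the example token from RFC 8555 (not a live challenge).
ACCOUNT_JWK = {"kty": "RSA", "e": "AQAB", "n": "placeholder-modulus-base64url"}
TOKEN = "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA"

if __name__ == "__main__":
    print("HTTP-01 body:", key_authorization(TOKEN, ACCOUNT_JWK))
    print("DNS-01 TXT:  ", dns01_txt_value(TOKEN, ACCOUNT_JWK))
```

Note that the CA fetches the HTTP-01 file over plain HTTP on port 80, which is why a server that cannot answer there needs DNS-01 or TLS-ALPN-01 instead.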

Let’s Encrypt issues DV certificates. So does every commercial CA – DV is the baseline tier, typically the cheapest option in their catalog.

What DV proves: This certificate was issued to whoever controls this domain at this moment.

What DV does not prove: Anything about the organization behind the domain, its legitimacy, or its intentions.

Organization Validated (OV)

The CA verifies both domain control and the legal identity of the organization requesting the certificate. Verification involves checking business registration databases, government records, and sometimes phone calls to verify the organization exists and the requester is authorized to act on its behalf.

OV certificates include the organization’s name and country in the certificate’s Subject field. Historically this information was displayed in browsers. Modern browsers – Chrome, Firefox, Safari – no longer show OV details in the address bar. To see them, you need to click the padlock and inspect the certificate manually.

OV issuance takes one to three business days. Costs typically range from $50-200/year.

What OV proves: This certificate was issued to a verified legal organization that controls this domain.

What OV does not prove: That the organization is trustworthy, reputable, or that the site is safe to use.

Extended Validation (EV)

EV certificates require the most thorough verification. The CA confirms:

  • The organization’s legal existence in its jurisdiction
  • The organization’s physical address
  • The organization’s operational existence (it is actively doing business)
  • The requester’s authorization to apply on behalf of the organization
  • Additional checks defined by the CA/Browser Forum’s EV guidelines

EV issuance can take several days to a week. Costs typically range from $100-300/year.

Until around 2019, major browsers displayed a green address bar with the organization’s name for EV certificates – the “green padlock” that was widely marketed as a trust signal. All major browsers have since removed this visual indicator. Chrome removed it in 2019. Firefox followed. Safari removed it in 2020.

The reasoning: studies showed that most users did not notice or understand the green bar, and EV certificates have been obtained by fraudulent organizations. The green bar was not providing the security signal it was marketed as.

Today, EV certificates look identical to DV and OV certificates in the browser address bar. A padlock is a padlock. You can see the EV details only by inspecting the certificate manually.

What EV proves: This certificate was issued to a thoroughly verified legal organization that controls this domain.

What EV does not prove: That the organization is trustworthy or that the site is safe. Phishing sites have been documented with EV certificates.

Comparing certificates: what you actually see

Here is what you see in a browser for each certificate type, and what you see when you inspect them:

In the browser address bar

All three look identical in every major modern browser. A padlock icon. The domain name. No green bar. No organization name. No visual indication of whether it is DV, OV, or EV.

In the certificate details

Click the padlock > Connection is secure > Certificate is valid (or equivalent in your browser).

DV certificate (Let’s Encrypt example):

Subject: CN = yourdomain.com
Issuer: CN = R11, O = Let's Encrypt, C = US

No organization details in the Subject field.

OV certificate example:

Subject: CN = yourdomain.com
         O = Your Company Ltd
         L = New York
         S = New York
         C = US

Organization details present but not shown in the address bar.

EV certificate example:

Subject: CN = yourdomain.com
         O = Your Company Ltd
         businessCategory = Private Organization
         serialNumber = 1234567
         L = New York
         S = New York
         C = US

More detailed organization information including business registration number and category.
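As an added example (not code from the original post), the following script reads a certificate in the dict shape that Python's standard-library ssl.SSLSocket.getpeercert() returns, labels it DV, OV or EV from the Subject fields compared above, and runs the hostname and expiry checks from the browser checklist earlier in the post. The DV/OV/EV classification rule is an assumption taken from the post's three examples, and the sample certificates are constructed from them; fetch_cert() is the optional live variant for your own domain.

```python
# Added example, not code from the original post: reads a certificate in the dict
# shape Python's ssl.SSLSocket.getpeercert() returns, labels it DV/OV/EV from the
# Subject fields shown above, and runs the browser's hostname and expiry checks.
import socket
import ssl
import time

def subject_fields(cert):
    """Flatten getpeercert()'s nested ((('k', 'v'),), ...) subject into a dict."""
    return {k: v for rdn in cert.get("subject", ()) for k, v in rdn}

def validation_level(cert):
    """Assumption taken from the post's examples: no O means DV, O alone means
    OV, O plus businessCategory and serialNumber means EV."""
    s = subject_fields(cert)
    if "organizationName" not in s:
        return "DV"
    return "EV" if "businessCategory" in s and "serialNumber" in s else "OV"

def hostname_matches(cert, hostname):
    """Check 3: the address-bar name must be in the SAN list; a wildcard covers
    exactly one leftmost label and never a whole public suffix like *.com."""
    host = hostname.lower().split(".")
    for kind, name in cert.get("subjectAltName", ()):
        san = name.lower().split(".")
        if kind != "DNS" or len(san) != len(host):
            continue
        if san == host or (san[0] == "*" and len(host) > 2 and san[1:] == host[1:]):
            return True
    return False

def is_expired(cert, now=None):
    """Check 4: notAfter must still lie in the future (now defaults to the clock)."""
    now = time.time() if now is None else now
    return ssl.cert_time_to_seconds(cert["notAfter"]) < now

def fetch_cert(hostname, port=443):
    """Live variant: the default context already enforces checks 2 and 3 (CA
    signature, chain and hostname) in the handshake and raises on failure."""
    ctx = ssl.create_default_context()
    with socket.create_connection((hostname, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            return tls.getpeercert()

# Constructed samples mirroring the post's DV, OV and EV Subject fields.
DV_CERT = {"subject": ((("commonName", "yourdomain.com"),),),
           "subjectAltName": (("DNS", "yourdomain.com"), ("DNS", "www.yourdomain.com")),
           "notAfter": "Jun 15 12:00:00 2026 GMT"}
OV_CERT = {"subject": ((("countryName", "US"),), (("stateOrProvinceName", "New York"),),
                       (("localityName", "New York"),), (("organizationName", "Your Company Ltd"),),
                       (("commonName", "yourdomain.com"),)),
           "subjectAltName": (("DNS", "*.yourdomain.com"),), "notAfter": "Mar 01 00:00:00 2025 GMT"}
EV_CERT = {"subject": OV_CERT["subject"] + ((("businessCategory", "Private Organization"),),
                                            (("serialNumber", "1234567"),)),
           "subjectAltName": (("DNS", "yourdomain.com"),), "notAfter": DV_CERT["notAfter"]}
```

Running validation_level(fetch_cert("yourdomain.com")) against a live site gives the same answer as clicking the padlock and reading the Subject by hand.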

Using SiteProbe SSL checker

You can inspect any domain’s certificate details using SiteProbe’s SSL checker. It shows the certificate type, issuer, validity dates, chain completeness, and supported TLS versions – everything relevant to evaluating a site’s SSL configuration from the outside.

The encryption is identical

This cannot be overstated. The cryptographic protection provided by a DV, OV, or EV certificate depends entirely on the TLS configuration of the server, not the certificate type.

A server configured to support TLS 1.2 and 1.3 with strong cipher suites encrypts connections the same way whether the certificate cost $0 or $300/year. The certificate contains the public key used in the key exchange. The CA validation level does not affect the key, the cipher, or the encryption strength.

If you see a paid certificate marketed as providing “256-bit encryption” or “2048-bit keys,” understand that free Let’s Encrypt certificates also use 2048-bit or 4096-bit RSA keys or 256-bit ECDSA keys. The key size is a choice you make when generating the certificate, not something determined by how much you paid.

When free (Let's Encrypt) is the right choice

For the vast majority of websites, Let’s Encrypt is the right choice. That includes:

  • Personal websites and blogs
  • Small business websites
  • WooCommerce and e-commerce stores
  • WordPress sites of any size
  • SaaS products and web applications
  • APIs and backend services

The arguments for Let’s Encrypt:

Cost. Free. No annual renewal fee. No payment information to manage.

Automation. Let’s Encrypt certificates are issued and renewed automatically. On a hosting platform that supports ACME automation (which all modern hosting platforms should), you never think about certificates. They just work. On Hostney, certificates are provisioned automatically when you create a site and renew automatically before expiry.

Ubiquitous trust. Let’s Encrypt’s root certificate is trusted by every major browser, operating system, and device. There is no device compatibility problem with Let’s Encrypt certificates.

90-day validity. Short validity periods mean that if a private key is compromised, the certificate expires quickly. It also forces automation – you cannot rely on manual renewal every 90 days. This is a security feature, not a limitation.

Identical encryption. As described above, the encryption strength is the same.

The only meaningful limitation of Let’s Encrypt is that it does not issue OV or EV certificates. If your use case specifically requires organizational identity in the certificate, you need a commercial CA.

When a paid certificate might be worth considering

Compliance requirements

Some industries, contracts, or regulatory frameworks specify certificate requirements. PCI DSS historically had specific guidance on certificate types. Some enterprise procurement processes or partner agreements require OV or EV certificates. Government agencies sometimes mandate specific certificate types.

If your compliance documentation, contract, or regulator specifies a certificate type, follow that specification regardless of the practical security difference.

Organizational identity requirements

Some organizations use OV certificates because they want the organization name visible in certificate inspection tools, even though browsers do not display it. This matters in contexts where technical users or security auditors regularly inspect certificates – financial institutions, healthcare organizations, or enterprise software where certificate inspection is part of security review processes.

Extended Validation for high-value transactions

The EV green bar is gone from browsers. But some organizations maintain EV certificates because their security policies were written when the green bar existed and have not been updated, or because they serve customers who specifically look for EV details when inspecting certificates before high-value transactions.

The practical security benefit is minimal given that browsers no longer surface EV information. But if your customers or compliance requirements reference EV certificates, the cost ($100-300/year) is low enough that it may not be worth the policy argument to change.

Wildcard certificates with DNS validation constraints

Let’s Encrypt does issue wildcard certificates (*.yourdomain.com), but only through DNS-01 validation – you must be able to create TXT records in your domain’s DNS automatically. If your DNS provider does not support automated TXT record creation (which most modern providers do), or if your DNS management is handled by a third party who cannot integrate with ACME clients, a commercial wildcard certificate obtained manually may be easier to manage.

Multi-year certificates

Let’s Encrypt certificates are valid for 90 days and must be renewed frequently. Commercial certificates are available with validity periods up to 13 months (the current maximum allowed by browsers). In environments where certificate automation is difficult or impossible – some legacy systems, isolated networks, or environments with strict change control processes – a longer-lived commercial certificate may be operationally simpler.

Certificate chains and why they matter more than validation level

One practical difference between free and paid certificates is that commercial CAs often have deeper browser integration and wider root distribution. Let’s Encrypt is universally trusted in modern browsers and systems, but older Android versions (pre-7.1.1) had issues with Let’s Encrypt’s root certificate until Let’s Encrypt established a cross-signature with IdenTrust.

That cross-signature expired in September 2021, which caused some devices running Android 7.1.1 and older to show certificate errors for Let’s Encrypt certificates. Let’s Encrypt issued a fix through an alternate chain, but it was a reminder that certificate trust is more complex than it appears.

For most sites today, this is a non-issue. But if your analytics show significant traffic from very old Android devices, it is worth checking whether your certificate chain is compatible.

More important than CA choice is making sure your certificate chain is complete. Every certificate needs its full chain of intermediate certificates to be served alongside it. An incomplete chain causes connection failures on mobile browsers and API clients even when desktop browsers work fine.

Check your chain completeness using SiteProbe’s SSL checker. It shows whether your chain is complete and identifies any missing intermediates.

Price comparison across certificate types

Type                 | Let’s Encrypt          | Commercial DV    | Commercial OV         | Commercial EV
Cost                 | Free                   | $10-50/year      | $50-200/year          | $100-300/year
Validation           | Domain control         | Domain control   | Domain + organization | Domain + thorough org verification
Issuance time        | Seconds                | Minutes to hours | 1-3 days              | 3-7 days
Validity period      | 90 days (auto-renewed) | 1 year           | 1 year                | 1 year
Wildcard support     | Yes (DNS validation)   | Yes              | Yes                   | No
Browser display      | Padlock                | Padlock          | Padlock               | Padlock
Organization in cert | No                     | No               | Yes                   | Yes (detailed)
Encryption strength  | Same                   | Same             | Same                  | Same
Automation support   | Yes (ACME)             | Varies           | No                    | No

The practical decision

For most websites: use Let’s Encrypt. It is free, automatically managed, universally trusted, and provides identical encryption to any paid certificate. There is no security argument for paying for a DV certificate when Let’s Encrypt provides the same thing for free.

If your use case requires organizational identity in the certificate: use OV. It is moderately priced and covers the identity verification requirements of most compliance and enterprise contexts.

If your compliance documents, contracts, or regulator specifically require EV: use EV. The green bar is gone but the certificate type is still available and may be required for specific reasons. Evaluate whether those requirements predate the removal of browser EV indicators – if they do, they may be worth updating.

If you are running a development environment, internal tools, or a private network where you control the client machines: a self-signed certificate or a private CA is appropriate. Add the certificate to your trusted store and you have encryption without the CA infrastructure overhead.

On Hostney, Let’s Encrypt certificates are provisioned and renewed automatically for every site. If you need a custom certificate for organizational or compliance reasons, you can upload it through the control panel’s SSL certificates section – see How to install an SSL certificate for the full process.

Summary

Free Let’s Encrypt certificates and paid commercial certificates provide identical encryption. The difference is what the Certificate Authority verified before issuing the certificate: domain control only (DV), domain plus organizational identity (OV), or domain plus thorough organizational verification (EV). Modern browsers display all three identically – a padlock icon with no visual distinction. The green EV address bar was removed by all major browsers by 2020. Self-signed certificates provide encryption but no identity verification and are rejected by browsers for public websites. For the vast majority of sites, Let’s Encrypt is the correct choice: free, automated, universally trusted, and cryptographically equivalent to any paid alternative.