Let's Encrypt SSL Certificate Authority

Let's Encrypt is a free, automated, and open Certificate Authority operated by the Internet Security Research Group (ISRG). Launched in 2016, it has issued billions of certificates and is responsible for the majority of HTTPS certificates in use on the web today.

Key Characteristics

• Free: No cost for any number of certificates
• Automated: Uses the ACME protocol (RFC 8555) so certificates can be issued and renewed without human intervention
• 90-day validity: Short-lived intentionally to encourage automation and limit the damage from key compromise
• DV only: Let's Encrypt does not issue OV or EV certificates

How Let's Encrypt Validates Domains

Let's Encrypt uses the ACME protocol. Your ACME client (Certbot, acme.sh, Caddy, Traefik, etc.) automatically proves domain control using HTTP-01, DNS-01, or TLS-ALPN-01 challenges. The CA verifies the challenge and issues the certificate, all without human review.

Identifying a Let's Encrypt Certificate

Paste a Let's Encrypt certificate into the decoder and you'll see the Issuer fields contain CN: R10 or CN: E5 (the current active intermediates) with O: Let's Encrypt. The Authority Info Access extension will point to http://r10.o.lencr.org (OCSP) and the chain will include the ISRG Root X1 or ISRG Root X2 root certificate.

Rate Limits

Let's Encrypt enforces rate limits: 50 certificates per registered domain per week, 5 duplicate certificates per week, and 300 new orders per account per 3 hours. For high-volume use cases, contact Let's Encrypt about rate limit increases.

When Let's Encrypt Is Not Appropriate

Let's Encrypt only issues DV certificates. If you need OV or EV certificates for organizational identity assurance or regulatory compliance, you'll need a commercial CA such as DigiCert, Sectigo, or GlobalSign.