Remember paying $300 for an SSL certificate?
Of course you do. It was 2015. You had a budget line item called "certificates." Purchasing needed three approvals. The renewal reminder went to Dave, who left six months ago.
Then Let's Encrypt showed up and chose violence.
The Numbers Don't Lie
2016: Let's Encrypt had 0.1% market share.
2024: 59%.
That's not growth. That's annihilation.
They didn't just disrupt the certificate industry. They ate it. While the traditional CAs were figuring out how to charge more for wildcard domains, Let's Encrypt was issuing millions of free certificates. Daily. With 90-day lifetimes that forced everyone to automate whether they liked it or not.
Which, surprise, is exactly what we needed for 47-day certificates.
The Business Model That Shouldn't Have Worked
Here's what Let's Encrypt proposed:
- Free certificates
- No phone support
- No sales team
- 90-day expiration (not the 3-year cash cows)
- API-only provisioning
- Funded by... donations?
The CAs laughed. Actually laughed.
"Nobody will trust free certificates."
"Enterprises need hand-holding."
"90 days is too short."
"Automation is too complex for normal ops teams."
Turns out normal ops teams were already automating everything else. Adding one more API call? Not exactly rocket science.
The Part Nobody Talks About
Let's Encrypt didn't win because they were free.
They won because they removed the friction.
No sales calls. No "contact us for pricing." No validation documents. No account managers. No renewal reminders. No phone trees. No support tickets.
Just: Here's your cert. See you in 90 days.
We'd been so beaten down by the certificate industrial complex that we forgot what simple looked like.
certbot certonly --webroot -w /var/www/html -d example.com
Done. Cert issued. Automatically renewed until the heat death of the universe.
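Automatic renewal only helps while it keeps running, so it is worth pairing with a check that notices when it has quietly stopped. The script below is an added example, not from the original post: it flags a certificate with less than one third of its lifetime left. The function names, the one-third threshold and the throwaway self-signed test certificate are assumptions of this example, and it needs `openssl` and GNU `date`.

```shell
#!/bin/sh
# Added example (not from the original post): flag a certificate whose
# automated renewal has silently stopped. Assumes openssl and GNU date.

# cert_epoch FILE startdate|enddate -> prints that date as epoch seconds
cert_epoch() {
  local raw
  raw=$(openssl x509 -in "$1" -noout "-$2") || return 2
  date -u -d "${raw#*=}" +%s   # drop the "notBefore="/"notAfter=" prefix
}

# renewal_overdue FILE [NOW_EPOCH]
# Returns 0 when less than one third of the lifetime remains (assumed
# threshold: 30 days for a 90-day cert, about 15 for a 47-day one),
# 1 when the cert is still fresh, 2 when it cannot be parsed.
renewal_overdue() {
  local start end now
  start=$(cert_epoch "$1" startdate) || return 2
  end=$(cert_epoch "$1" enddate) || return 2
  now=${2:-$(date -u +%s)}
  [ $(( (end - now) * 3 )) -lt $(( end - start )) ]
}

# Demo on a constructed, throwaway self-signed cert standing in for a
# certbot-issued one; the 90-day lifetime mirrors Let's Encrypt.
demo_dir=$(mktemp -d)
openssl req -x509 -newkey rsa:2048 -nodes -days 90 -subj "/CN=example.com" \
  -keyout "$demo_dir/key.pem" -out "$demo_dir/cert.pem" 2>/dev/null
t0=$(date -u +%s)
for age_days in 0 45 61 100; do
  if renewal_overdue "$demo_dir/cert.pem" $(( t0 + age_days * 86400 )); then
    echo "day $age_days: renewal overdue, alert"
  else
    echo "day $age_days: ok"
  fi
done
```

Run from cron or a monitoring agent against the live certificate file, a zero exit status means the renewal job has missed its window and someone should look before the cert expires.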
The Panic Was Delicious
Watch a $600 million industry realize it's been disrupted by a nonprofit:
- 2016: "It's just for hobbyists."
- 2017: "Enterprises will never adopt it."
- 2018: "Our Extended Validation certificates are superior."
- 2019: "We provide better support."
- 2020: "Our management platform is worth the cost."
- 2021: "Please?"
The best part? They started offering free certificates too. But with "premium features." Like what? Support for the free certificates that don't need support because they're automated?
DigiCert bought Symantec's certificate business for $950 million in 2017.
That same year, Let's Encrypt was running on a $2.5 million budget.
And winning.
They Fixed the Wrong Problem
The CAs spent years optimizing the wrong thing. Making certificate purchasing "easier." Building better dashboards. Adding more validation levels.
Let's Encrypt realized the problem wasn't purchasing.
It was that certificates existed at all.
Make them invisible. Make them automatic. Make them someone else's problem (specifically: nobody's problem).
Eight years later, Let's Encrypt issues certificates for most of the encrypted web. Your bank, your cloud provider, probably this blog.
All running on infrastructure that the "serious" CAs said would never work.
Turns out "never" is about 8 years in certificate time.