by Simucal 4233 days ago
What kind of impact is Let's Encrypt going to have on the CA industry? I'm not that familiar with the current state of the CA companies, nor do I understand this industry well enough to know if this is going to be a major hit to them or not.

Is there any reason why a company would prefer a CA other than Let's Encrypt?


The impact depends largely on their ability to get their root certificate into all of the browsers. It'll be interesting to see what happens with older versions of browsers as well, since if they start with a brand new root certificate then I'm not sure what happens with the older browsers.

If they can get their certificate into all of the browsers then it's possible they could achieve broad adoption for domain-verified certificates. There will still be a market for other validation types (organization validated and extended validation, for example) though.

> since if they start with a brand new root certificate then I'm not sure what happens with the older browsers.

IdenTrust will cross-sign Let's Encrypt's root cert. I imagine they will keep it cross-signed, for backwards compatibility, once LE has their root cert in all the browsers.

You can't exactly undo cross-signing without creating a new root CA - at some point they'll probably stop sending their root CA with the handshake (which is required when cross-signing).

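
The cross-signing point made in the two comments above, as an added illustration that is not code from the thread: a toy CA hierarchy built with the openssl CLI, where an old trust store only knows OldRoot (the IdenTrust role), a new one knows NewRoot (the LE role), and the leaf only validates for the old store when the cross-signed cert is sent alongside it. All names (OldRoot, NewRoot, example.test) are constructed placeholders; it assumes a standard openssl CLI (1.1.1 or 3.x).

```shell
# Added illustration (not code from the thread): a toy CA hierarchy built with
# the openssl CLI, showing why a cross-signed root has to be sent in the
# handshake for a client whose trust store only holds the old root.
# All names (OldRoot, NewRoot, example.test) are constructed placeholders.
set -e
WORK=$(mktemp -d); cd "$WORK"

# Minimal config so the example does not depend on the system openssl.cnf.
cat > ca.cnf <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
[dn]
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF

# OldRoot: already in every trust store (plays the IdenTrust role).
openssl req -x509 -config ca.cnf -newkey rsa:2048 -nodes -keyout old.key \
  -out old.crt -subj "/CN=OldRoot" -days 3650 2>/dev/null
# NewRoot: self-signed, only in up-to-date trust stores (plays the LE role).
openssl req -x509 -config ca.cnf -newkey rsa:2048 -nodes -keyout new.key \
  -out new.crt -subj "/CN=NewRoot" -days 3650 2>/dev/null
# Cross-sign: OldRoot issues a CA cert for NewRoot's subject and key.
openssl req -new -config ca.cnf -key new.key -subj "/CN=NewRoot" \
  -out cross.csr 2>/dev/null
openssl x509 -req -in cross.csr -CA old.crt -CAkey old.key -CAcreateserial \
  -extfile ca.cnf -extensions v3_ca -out cross.crt -days 3650 2>/dev/null
# Leaf: an ordinary server cert issued under NewRoot's key.
openssl req -new -config ca.cnf -newkey rsa:2048 -nodes -keyout leaf.key \
  -subj "/CN=example.test" -out leaf.csr 2>/dev/null
openssl x509 -req -in leaf.csr -CA new.crt -CAkey new.key -CAcreateserial \
  -out leaf.crt -days 90 2>/dev/null

# verify_chain TRUSTED [SENT]: TRUSTED is the client's root store, SENT the
# extra cert the server includes in its handshake. Exit status 0 = valid.
verify_chain() {
  if [ -n "${2:-}" ]; then
    openssl verify -CAfile "$1" -untrusted "$2" leaf.crt >/dev/null 2>&1
  else
    openssl verify -CAfile "$1" leaf.crt >/dev/null 2>&1
  fi
}

verify_chain new.crt           && echo "new store, leaf alone: valid"
verify_chain old.crt           || echo "old store, leaf alone: invalid (issuer unknown)"
verify_chain old.crt cross.crt && echo "old store + cross-signed cert: valid"
```

The third call is the situation the comments describe: as long as the server keeps sending the cross-signed cert, clients that only trust the old root still build a chain, and dropping it from the handshake is what breaks them.
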
Insurance, guarantees, EV certs, doing business with a big trusted company. All reasons to stay with your regular CA.

(Personally I don't care about any of those reasons - I just want my website to be SSL powered with an official cert and modern cipher configuration.)

It will cost existing CAs a lot of business. We already had free certs from StartSSL, but they were for non-commercial purposes only.

I imagine a lot of shared hosting companies who currently resell SSL certs to their own customers will be switching to this next year.

I will certainly use them, and will only recommend them and nobody else. The only reason I'd ever look at one of the old CAs now, is for EV certs. But 99% of the time, people don't need an EV cert.

It's very, very hard for traditional CAs to compete with free, trusted in all major platforms and with dead-simple setup. Hopefully this sort of scheme, combined with the added trust of Certificate Transparency, can kill off most traditional CAs.

The only reason I would still buy 1 certificate is for wildcard support.

Wait. Where can I get free certs today? Or did you mean once this service goes live?

I've used StartSSL, but somehow messed up the process and can't issue a new cert unless I pay to revoke the current. Even then their free certs expire in a year.

The only other free cert I found was from Comodo, but it expires after 90 days.

So, I wouldn't exactly say the only reason to pay for a cert is for wildcard support.

Yes, I was saying once this service goes live. But currently I've had 0 issues with StartSSL including renewals and getting multiple certs for a single domain. You do not need to revoke to get more certs from it in my experience at least. Paying for certs is just generally pointless right now even.

You can use a different dummy subdomain as the first entry to issue another cert, adding the subdomains you really want as secondaries. See https://kuix.de/blog/index.php?entry=entry140827-231120