The SSL certificate market is a textbook example of legacy pricing surviving long past the point where it made sense. Certificate authorities were charging $200 to $500 per year for domain-validated certificates well into the 2010s, and some still do. Then Let's Encrypt launched, made DV certificates free and automated, and the only honest answer became: unless you have a specific compliance or validation requirement, stop paying for certificates.
That said, the certificate market is not entirely a commodity. There are three distinct certificate types, they provide genuinely different things, and two of them cannot come from Let's Encrypt. Understanding the difference takes about five minutes and will save you from either overpaying or making a compliance mistake.
Use the SSL Certificate Checker to inspect what your current certificate actually says, including its type, issuer, and expiry date, before making any decisions.
The Three Certificate Types: What Each Actually Provides
Certificate type is the single most important factor in the paid vs. free decision, and most articles bury it or explain it poorly.
DV: Domain Validation
A DV certificate proves exactly one thing: you controlled the domain at the time of issuance. The CA verifies this either by checking a DNS record you added (DNS-01 challenge) or by confirming you can serve a specific file at a known URL (HTTP-01 challenge). No business identity is verified. No documents are checked. Issuance takes minutes or seconds.
Every Let's Encrypt certificate is DV. Every free certificate from ZeroSSL is DV. The $5.99/year Namecheap PositiveSSL cert is DV. They all show the same padlock in the browser. They all encrypt traffic identically. There is no practical security difference between a free DV cert and a paid DV cert for the user on the other end.
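To make the two DV challenges concrete, here is an added example (not code from the original article or from any ACME client) that computes exactly what a client publishes for HTTP-01 and DNS-01. The formulas come from RFC 8555 section 8 (key authorization = token.thumbprint, DNS-01 = base64url(SHA-256(key authorization))) and RFC 7638 (JWK thumbprint). The token and JWK below are constructed placeholders, not real key material.

```python
"""What an ACME client serves (HTTP-01) or publishes in DNS (DNS-01) for a
domain-validation challenge. Follows RFC 8555 s8.1/s8.3/s8.4 and RFC 7638.
SAMPLE_TOKEN and SAMPLE_JWK are constructed for illustration only."""
import base64
import hashlib
import json

# Constructed sample inputs: an ACME-style token and a fake RSA public JWK.
SAMPLE_TOKEN = "constructed-token-0123456789abcdef"
SAMPLE_JWK = {
    "kty": "RSA",
    "e": "AQAB",
    "n": "constructed-modulus-not-a-real-key",
    "kid": "ignored-by-thumbprint",  # optional member, must not affect the thumbprint
}


def b64url(data: bytes) -> str:
    """Base64url without padding, as ACME and JWK thumbprints require."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638: SHA-256 over only the required public members, serialised with
    keys in lexicographic order and no whitespace."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}
    members = {k: jwk[k] for k in required[jwk["kty"]]}
    canonical = json.dumps(members, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def key_authorization(token: str, jwk: dict) -> str:
    """token '.' thumbprint: binds the CA's token to the account key, so a
    third party who sees the token cannot answer the challenge."""
    return f"{token}.{jwk_thumbprint(jwk)}"


def http01_response(token: str, jwk: dict) -> tuple:
    """(URL path the CA fetches over plain HTTP, exact body to serve there)."""
    return f"/.well-known/acme-challenge/{token}", key_authorization(token, jwk)


def dns01_record(domain: str, token: str, jwk: dict) -> tuple:
    """(TXT record name, TXT value). DNS carries a hash of the key
    authorization, never the key authorization itself. For a wildcard the
    '*.' label is dropped: the record lives at _acme-challenge.<base>."""
    base = domain[2:] if domain.startswith("*.") else domain
    digest = hashlib.sha256(key_authorization(token, jwk).encode("ascii")).digest()
    return f"_acme-challenge.{base}", b64url(digest)


if __name__ == "__main__":
    print("HTTP-01:", http01_response(SAMPLE_TOKEN, SAMPLE_JWK))
    print("DNS-01: ", dns01_record("*.example.com", SAMPLE_TOKEN, SAMPLE_JWK))
```

The thumbprint is what ties both challenges to your ACME account key; this is why a CA can publish the token in the challenge object without letting anyone else satisfy it. It also shows why DNS-01 is the only option for wildcards: the CA cannot fetch an HTTP path for every possible subdomain, but it can check one TXT record at the base name.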
OV: Organization Validation
An OV certificate goes one step further: the CA verifies that the organization listed in the certificate is a real, legally registered business. You submit company documents, the CA cross-checks them against business registries, and the process typically takes one to three days. The result is a cert that includes your organization name in its details, not just the domain.
Let's Encrypt does not issue OV certificates. If you need OV, you are paying. Namecheap OV certificates start around $79.99/year. ZeroSSL's Business plan at $149/year includes OV. DigiCert charges around $348/year for OV, which is an enterprise price for enterprise procurement workflows.
EV: Extended Validation
EV certificates involve the most rigorous validation: legal existence, physical address, phone verification, the works. They were designed to trigger a visible green address bar with your company name in browsers. That green bar was removed from Chrome in 2019 and from Firefox and Safari around the same time. In 2026, EV certificates show your organization name only in the certificate details panel, not in the browser's address bar.
Let's Encrypt does not issue EV certificates. Namecheap EV starts around $89.99/year. DigiCert EV runs approximately $544/year. Some PCI-DSS compliance frameworks still specifically require EV, which is the main reason to buy one today. The UX argument for EV is largely gone.
If a vendor or consultant tells you EV certificates improve user trust because customers see your company name in the address bar, that was true before 2019. Chrome, Firefox, and Safari all removed that UI years ago. EV now shows org name only in the certificate details, which most users never open.
Buy EV only if a compliance framework explicitly requires it, not for perceived UX benefit.
Let's Encrypt: The Details That Actually Matter
Let's Encrypt issues free DV certificates with a 90-day validity period. The 90-day limit is intentional: it forces automation and reduces the window of exposure if a private key is compromised. With certbot or any ACME client running as a cron job or systemd timer, renewal is fully hands-off.
Wildcard certificates (*.example.com) are supported via the DNS-01 challenge, where you prove domain control by adding a TXT record rather than serving a file over HTTP. This is more complex to automate since it requires your DNS provider to have an API, but most major providers (Cloudflare, Route 53, Namecheap) support it. Check DNS propagation after adding the challenge record before triggering issuance. If you run into DNS propagation delays during the ACME challenge, this DNS propagation explainer covers why they happen and how long to expect.
Rate limits worth knowing: 50 certificates per registered domain per week, 5 duplicate certificates per week, and 5 failed validation attempts per account per hostname per hour. For most use cases these are irrelevant. For large-scale automated issuance across many subdomains, they require planning.
The 90-day renewal cycle requires automation. If you are running an environment where you cannot install certbot or run an ACME client (legacy appliances, some shared hosting, air-gapped systems), Let's Encrypt becomes operationally painful. A one-year paid certificate is easier to manage manually in those cases.
Let's Encrypt also provides no customer support and no warranty. For most developers this is irrelevant. For organizations with vendor SLA requirements, it may matter.
AWS ACM: Free for AWS Workloads, Expensive for Everything Else
AWS Certificate Manager public certificates are free when used with AWS services: CloudFront distributions, Application Load Balancers, API Gateway, and Elastic Beanstalk. ACM handles renewal automatically. This is the right answer for any AWS-hosted workload that does not need OV or EV.
The catch: ACM public certificates cannot be exported. They are bound to AWS services and cannot be installed on an EC2 instance running nginx or Apache, or anywhere outside AWS. If you need a certificate you can download and deploy anywhere, ACM public certs are not the answer.
AWS Private CA is a completely different product aimed at internal PKI infrastructure. It costs $400/month for the CA itself plus $0.75 per certificate issued. This is not relevant to public website TLS and is priced for enterprise internal certificate management at scale.
Paid Certificate Pricing in 2026
Here is what the market actually looks like across providers. These are May 2026 prices; verify before purchasing, as CA pricing shifts frequently.
| Provider / Product | Type | Price | Validity |
|---|---|---|---|
| Let's Encrypt | DV | Free | 90 days (auto-renews) |
| AWS ACM (public) | DV | Free (AWS only) | 13 months (auto-renews) |
| ZeroSSL Free | DV | Free (3 certs) | 90 days |
| ZeroSSL Basic | DV (unlimited) | ~$10/yr | 1 year |
| Namecheap PositiveSSL | DV (single) | ~$5.99–$9.99/yr | 1 year |
| Namecheap PositiveSSL Wildcard | DV (wildcard) | ~$49.99/yr | 1 year |
| ZeroSSL Business | OV | $149/yr | 1 year |
| Namecheap OV | OV | ~$79.99/yr | 1 year |
| Namecheap EV | EV | ~$89.99/yr | 1 year |
| DigiCert DV | DV | ~$218/yr | 1 year |
| DigiCert OV | OV | ~$348/yr | 1 year |
| DigiCert EV | EV | ~$544/yr | 1 year |
| AWS Private CA | Internal PKI | $400/mo + $0.75/cert | Configurable |
DigiCert DV at $218/year is effectively the same product as a Let's Encrypt certificate. The DigiCert price exists because enterprise procurement teams sometimes require a named vendor with a support contract. If that is not your situation, there is no reason to be at that price point for DV.
When to Pay: A Short Honest List
There are four legitimate reasons to buy a certificate in 2026:
1. OV or EV is required by a compliance framework. PCI-DSS, certain banking and insurance regulations, and some government procurement standards still specify OV or EV. If your compliance documentation calls for it, you need it. Check what is actually required before assuming EV is needed.
2. Your organization's name in cert details is a client requirement. Some enterprise clients or procurement policies specifically ask for OV so they can see a verified organization name when inspecting the certificate. This is a business requirement, not a security one, but it is real.
3. You need a wildcard and DNS automation is not possible. Let's Encrypt wildcard certs require DNS-01, which requires DNS API access. If your DNS is managed by a provider with no API, or you are working in an environment where DNS is off-limits, a purchased wildcard certificate avoids the complexity. Namecheap wildcard DV at $49.99/year is reasonable for this case.
4. You need a one-year cert for a legacy environment that cannot automate renewal. Appliances, embedded systems, some shared hosting platforms, air-gapped networks. A paid one-year cert is operationally simpler than trying to force a 90-day automated renewal into a system that was not designed for it.
If none of those four conditions apply, use Let's Encrypt. It is trusted by every major browser. It has been running at scale since 2016 with high reliability. The 90-day renewal cycle is an operational non-issue if you set up certbot correctly. And it costs nothing.
Run the SSL Checker on your current domain to see exactly what certificate you have, who issued it, when it expires, and what type it is. If you are paying for a DV cert from a commercial CA, you are spending money for no benefit.
Verify Your Current Certificate
Before switching anything, check what you are actually running. The issuer, certificate type, expiry date, and whether auto-renewal is configured are all visible in the certificate details. Most people do not know offhand whether their certificate came from Let's Encrypt, ACM, or a CA they set up three years ago and forgot about.
The InfraTally SSL Checker pulls the live certificate from your domain and shows the full chain, issuer, validity period, and SANs (Subject Alternative Names, which determine which subdomains the cert covers). If you are auditing an existing setup or migrating from a paid cert to Let's Encrypt, start there.
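If you would rather do the same check from a terminal, here is an added example (not the InfraTally checker's code) using only the Python standard library. It fetches the leaf certificate with a validated TLS handshake, then reports issuer, SANs, wildcard coverage, days to expiry, and the DV-versus-OV/EV distinction the article draws: a DV certificate carries no organizationName in its subject, while OV and EV do. Separating OV from EV needs the certificatePolicies OIDs, which `ssl.getpeercert()` does not expose, so that is flagged as a limitation rather than guessed. The two sample certificate dictionaries are constructed, in the shape `getpeercert()` returns, so the classification can be exercised offline; the 30-day renewal window is certbot's default.

```python
"""Inspect a live TLS certificate and classify it (DV vs OV/EV), stdlib only.
The SAMPLE_* dictionaries are constructed examples in ssl.getpeercert() shape."""
import socket
import ssl
import sys
import time

RENEWAL_WINDOW_DAYS = 30  # certbot renews once fewer than 30 days remain

# Constructed: what a Let's Encrypt-style DV wildcard cert looks like.
SAMPLE_DV_CERT = {
    "subject": ((("commonName", "example.com"),),),
    "issuer": ((("countryName", "US"),), (("organizationName", "Let's Encrypt"),)),
    "notAfter": "Jul 15 12:00:00 2026 GMT",
    "subjectAltName": (("DNS", "example.com"), ("DNS", "*.example.com")),
}
# Constructed: an OV-style cert with a verified organization in the subject.
SAMPLE_OV_CERT = {
    "subject": ((("countryName", "US"),), (("organizationName", "Example Corp"),),
                (("commonName", "www.example.com"),)),
    "issuer": ((("organizationName", "Example CA Ltd"),),),
    "notAfter": "May 11 12:00:00 2027 GMT",
    "subjectAltName": (("DNS", "www.example.com"),),
}


def fetch_cert(host: str, port: int = 443, timeout: float = 5.0) -> dict:
    """Full handshake with chain validation against the system trust store;
    returns the leaf certificate as the dict ssl.getpeercert() produces."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


def _rdn_value(name, key):
    """First value of attribute `key` in a subject/issuer tuple-of-tuples."""
    for rdn in name:
        for attr, value in rdn:
            if attr == key:
                return value
    return None


def summarize(cert: dict, now: float = None) -> dict:
    """Reduce a getpeercert() dict to the fields that drive the paid/free decision."""
    now = time.time() if now is None else now
    days_left = int((ssl.cert_time_to_seconds(cert["notAfter"]) - now) // 86400)
    subject_org = _rdn_value(cert.get("subject", ()), "organizationName")
    sans = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    return {
        "issuer": _rdn_value(cert.get("issuer", ()), "organizationName"),
        "subject_org": subject_org,
        # No organization in the subject => DV. An organization => OV or EV;
        # telling those apart needs certificatePolicies, not available here.
        "type": "OV/EV (policy OIDs needed to tell apart)" if subject_org else "DV",
        "sans": sans,
        "wildcard": any(s.startswith("*.") for s in sans),
        "days_left": days_left,
        "renew_now": days_left <= RENEWAL_WINDOW_DAYS,
    }


if __name__ == "__main__":
    host = sys.argv[1] if len(sys.argv) > 1 else "example.com"
    for k, v in summarize(fetch_cert(host)).items():
        print(f"{k:12} {v}")
```

Run it as `python3 certinfo.py yourdomain.example` (the filename is yours to choose). If `type` comes back `DV` and `issuer` is a commercial CA, you are in the situation the article describes: paying for something Let's Encrypt provides for free.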
For DNS-related issues during ACME challenge verification, the DNS Checker lets you query your TXT records across multiple resolvers simultaneously, which is useful when debugging DNS-01 challenge failures.
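The propagation check described here, and in the wildcard/DNS-01 discussion earlier, can be reproduced with an added example (not the InfraTally DNS Checker's code) that sends a raw DNS TXT query over UDP to several public resolvers and reports which of them already return the expected `_acme-challenge` value. It uses only the standard library, so it includes a minimal DNS message builder and parser rather than dnspython. The resolver addresses are the well-known public ones; the domain and challenge value in the usage line are constructed.

```python
"""Check whether a DNS-01 TXT value has propagated, by querying several
resolvers directly with a minimal stdlib DNS/UDP client."""
import os
import socket
import struct

RESOLVERS = {"Cloudflare": "1.1.1.1", "Google": "8.8.8.8", "Quad9": "9.9.9.9"}
TYPE_TXT = 16
CLASS_IN = 1


def encode_name(name: str) -> bytes:
    """Wire-format name: length-prefixed labels terminated by a zero byte."""
    out = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.rstrip(".").split("."))
    return out + b"\x00"


def build_query(name: str, qid: int) -> bytes:
    """Standard query, recursion desired, one TXT/IN question."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", TYPE_TXT, CLASS_IN)


def skip_name(data: bytes, offset: int) -> int:
    """Advance past a name that may end in a compression pointer (RFC 1035 4.1.4)."""
    while True:
        length = data[offset]
        if length & 0xC0 == 0xC0:   # 2-byte pointer terminates the name
            return offset + 2
        offset += 1
        if length == 0:
            return offset
        offset += length


def parse_txt_response(data: bytes, qid: int) -> list:
    """Return the TXT strings in the answer section; raise on id mismatch or error rcode."""
    rid, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", data[:12])
    if rid != qid:
        raise ValueError("transaction id mismatch (possible spoofed/stale reply)")
    if flags & 0x000F:
        raise ValueError(f"DNS error rcode={flags & 0x000F}")
    offset = 12
    for _ in range(qdcount):
        offset = skip_name(data, offset) + 4          # qtype + qclass
    values = []
    for _ in range(ancount):
        offset = skip_name(data, offset)
        rtype, _, _, rdlength = struct.unpack("!HHIH", data[offset:offset + 10])
        offset += 10
        rdata, offset = data[offset:offset + rdlength], offset + rdlength
        if rtype == TYPE_TXT:
            # TXT rdata is a sequence of <len><chars> strings; join the pieces.
            pos, chunks = 0, []
            while pos < len(rdata):
                n = rdata[pos]
                chunks.append(rdata[pos + 1:pos + 1 + n].decode("ascii", "replace"))
                pos += 1 + n
            values.append("".join(chunks))
    return values


def query_txt(name: str, resolver_ip: str, timeout: float = 3.0) -> list:
    qid = int.from_bytes(os.urandom(2), "big")   # random id, checked on reply
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name, qid), (resolver_ip, 53))
        data, _ = s.recvfrom(4096)
    return parse_txt_response(data, qid)


def check_propagation(domain: str, expected_value: str, resolvers=RESOLVERS) -> dict:
    """{resolver: True (value seen) / False (not yet) / None (timeout or error)}.
    A wildcard drops its '*.' label: the record sits at _acme-challenge.<base>."""
    base = domain[2:] if domain.startswith("*.") else domain
    name = f"_acme-challenge.{base}"
    results = {}
    for label, ip in resolvers.items():
        try:
            results[label] = expected_value in query_txt(name, ip)
        except (OSError, ValueError):
            results[label] = None
    return results


if __name__ == "__main__":
    # Constructed usage: replace with your domain and the value certbot printed.
    print(check_propagation("*.example.com", "constructed-dns01-value"))
```

Trigger issuance only once every resolver you care about returns True; a mix of True and False is the propagation delay the article describes, and `None` from one resolver usually means UDP/53 is blocked on your side rather than a DNS problem.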