Let's Encrypt Made TLS Free. The Certificate Model Is Still the Same.

by Nick Clark | Published March 28, 2026

Let's Encrypt transformed web security by providing free, automated TLS certificates through the ACME protocol, removing cost and complexity as barriers to HTTPS adoption. The impact is enormous: hundreds of millions of certificates issued, HTTPS adoption rising from minority to majority. But Let's Encrypt issues the same structural artifact as any other CA: a certificate binding a domain name to a public key, signed by a chain of trust, with a fixed lifetime. Making certificates free did not change what certificates are. The structural gap is between ubiquitous certificate issuance and an identity model that does not require certificates.


Let's Encrypt's contribution to web security through free, automated certificate issuance is one of the most impactful infrastructure projects in recent history. The gap described here is about the certificate model, not about Let's Encrypt's mission.

Automation solved issuance, not the model

ACME automated the certificate lifecycle: domain validation, certificate issuance, installation, and renewal all happen without manual intervention. This eliminated the operational burden that kept many sites on HTTP. But automation made the certificate model easier to use. It did not change the model.

Automated certificates still depend on stored private keys on the server. They still have fixed lifetimes requiring renewal. They still depend on the CA's signing key and the browser's trust store. The operations are automated. The structural dependencies are identical.
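The three dependencies named above can each be checked on a server with the openssl CLI. This is an added example, not from the original article; the "Demo Root CA", example.test, and all file names are constructed, and the throwaway leaf stands in for an ACME-issued certificate.

```shell
#!/bin/sh
# Added example. "Demo Root CA", example.test and all file names are constructed.

# make_demo_pki DIR: throwaway root CA plus a 90-day leaf certificate it signs.
make_demo_pki() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 3650 -subj "/CN=Demo Root CA" \
        -keyout "$1/ca.key" -out "$1/ca.pem" 2>/dev/null &&
    openssl req -newkey rsa:2048 -nodes -subj "/CN=example.test" \
        -keyout "$1/leaf.key" -out "$1/leaf.csr" 2>/dev/null &&
    openssl x509 -req -in "$1/leaf.csr" -CA "$1/ca.pem" -CAkey "$1/ca.key" \
        -CAcreateserial -days 90 -out "$1/leaf.pem" 2>/dev/null
}

# Dependency 1: a private key stored on the server that matches the certificate.
key_matches_cert() {   # CERT KEY
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null)
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null)
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Dependency 2: a fixed lifetime. True when CERT expires within SECONDS
# (an unreadable CERT also counts as expiring, so the check fails closed).
expires_within() {     # CERT SECONDS
    ! openssl x509 -in "$1" -noout -checkend "$2" >/dev/null 2>&1
}

# Dependency 3: the CA's signature. True when CERT verifies against ANCHOR.
chains_to() {          # CERT ANCHOR
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# audit DIR RENEW_SECONDS: report all three for DIR/leaf.pem; non-zero if any fails.
audit() {
    rc=0
    key_matches_cert "$1/leaf.pem" "$1/leaf.key" && echo "key:   stored key matches certificate" \
        || { echo "key:   MISMATCH or missing"; rc=1; }
    expires_within "$1/leaf.pem" "$2" && { echo "life:  renewal due"; rc=1; } \
        || echo "life:  $(openssl x509 -in "$1/leaf.pem" -noout -enddate)"
    chains_to "$1/leaf.pem" "$1/ca.pem" && echo "chain: verifies against trust anchor" \
        || { echo "chain: does NOT verify"; rc=1; }
    return $rc
}

demo=$(mktemp -d) && make_demo_pki "$demo" && audit "$demo" 2592000   # 30-day renewal window
rm -rf "$demo"
```

Automating renewal changes who runs these checks, not whether they have to pass: remove the key file, let the lifetime lapse, or swap the trust anchor, and the corresponding check fails.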

Free certificates normalize the credential model

By making certificates free and automated, Let's Encrypt removed the economic incentive to question the certificate model. When certificates were expensive and manual, there was motivation to explore alternatives. With free automation, the certificate model became the assumed infrastructure. The structural properties of certificates (stored keys, hierarchical trust, fixed lifetimes) became invisible because the operational friction disappeared.

What keyless identity addresses

Keyless identity would provide web server identity without certificates, CAs, or stored key material. A server would prove its identity through accumulated behavioral continuity. Browsers would validate identity through trust slope verification rather than certificate chain validation. No CA infrastructure, no certificate lifecycle, no stored private keys.

Let's Encrypt demonstrated that the web benefits from ubiquitous identity verification. Keyless identity would extend that principle by making identity intrinsic to the server rather than dependent on certificates issued by an external authority.
