SSL Certificate Product Specifications
Table of Contents
- Product Comparison
- Ordering and Validation
- Renewal and Expiration
- Key Algorithms
- Certificate Names and Hostnames
- Have More Questions?
DNSimple offers four SSL certificate products issued by two certificate authorities: Sectigo and Let’s Encrypt. Use the table below to compare features and determine which product fits your needs.
Product Comparison
| Sectigo Single-Name | Sectigo Wildcard | Let’s Encrypt SAN | Let’s Encrypt Wildcard | |
|---|---|---|---|---|
| Certificate authority | Sectigo | Sectigo | Let’s Encrypt | Let’s Encrypt |
| Price | $20/year | $100/year | Free | Free |
| Maximum validity | 200 days (as of March 2026) | 200 days (as of March 2026) | 90 days | 90 days |
| Hostnames covered | 1 hostname + root (for www) |
All single-level subdomains + root | Up to 100 SAN names | All single-level subdomains |
| Covers root domain | Only for www hostname |
Yes | If included in SAN list | No |
| Validation method | DNS (automatic) | DNS (automatic) | ||
| Auto-renewal | No | No | Yes | Yes |
| Custom CSR support | Yes | Yes | No | No |
| Default key algorithm | ECDSA (prime256v1) | ECDSA (prime256v1) | ECDSA | ECDSA |
| RSA key available | Yes | Yes | Yes | Yes |
| DNSimple subscription required | No | No | Yes | Yes |
| Domain must resolve with DNSimple | No | No | Yes | Yes |
| Plan restrictions | None | None | SAN name count varies by plan | Available on certain plans only |
Note
Sectigo certificate validity is changing due to CA/Browser Forum requirements. The maximum drops to 100 days in March 2027 and 47 days in March 2029.
Ordering and Validation
- Sectigo certificates require email-based domain validation. You select a validation email address during the ordering process and receive a confirmation link from the CA.
- Let’s Encrypt certificates are validated automatically using DNS challenges. Your domain must resolve with DNSimple for the validation to succeed.
For step-by-step ordering instructions, see:
Renewal and Expiration
| Behavior | Sectigo | Let’s Encrypt |
|---|---|---|
| Renewal method | Manual - purchase a new certificate before expiration | Automatic - auto-renewal renews before expiration |
| Renewal reminder emails | Yes - sent at 60, 30, 14, 7, and 3 days before expiration | Yes - if auto-renewal is disabled |
| Installation after renewal | Manual - download and install the new certificate on your server | Manual - download and install the renewed certificate on your server |
For details on how renewals work, see How Does an SSL Certificate Renewal Work?.
Key Algorithms
All DNSimple certificates default to ECDSA keys using the prime256v1 curve. ECDSA keys are smaller and faster than RSA keys at equivalent security levels.
If you need an RSA key for compatibility with older systems, you can select RSA as the signature algorithm during ordering. The certificate configuration page includes a radio toggle to choose between ECDSA and RSA for all certificate products.
Sectigo certificates also support custom CSRs if you need to provide your own key pair. Custom CSRs are not supported for Let’s Encrypt certificates.
Learn more: How to Switch From an ECC-Signed Certificate to RSA
Certificate Names and Hostnames
The number and type of hostnames a certificate covers depends on the product:
-
Single-name - Covers exactly one hostname. If the hostname is
www, Sectigo also covers the root domain. -
Wildcard - Covers all single-level subdomains (
*.example.com). Sectigo wildcards include the root domain; Let’s Encrypt wildcards do not. - SAN (Let’s Encrypt) - Covers up to 100 hostnames specified at order time. The number of customizable names depends on your plan.
For guidance on choosing the right hostnames, see Choosing the SSL Certificate Names.
Have More Questions?
If you have any questions about SSL certificate products, contact support, and we’ll be happy to help.