Their pricing page is being revised. You get free unlimited certs through ACME, including wildcards.

> In an effort to ensure the widest possible SSL certificate coverage around the world, our team has decided to keep all ZeroSSL certificates created using the ACME protocol completely free of charge.

https://zerossl.com/features/acme/



Good to know, and I'm glad there's an alternative to Let's Encrypt, just in case. Is ZeroSSL trusted by old Android devices? If so, that might be a work-around for Let's Encrypt's cross-signing from IdenTrust expiring.


Yes, as far as I know; their Sectigo/Comodo root is older.

But, you can still use Let's Encrypt with old Android devices until the later part of 2021 using the alternate chain: https://letsencrypt.org/2020/11/06/own-two-feet.html (As a point of reference, Caddy supports configuring this alternate chain.)


If zerossl is reselling/a subsidiary of sectigo, that’s enough reason to never use this.

Sectigo is the new name for Comodo. The same bunch of pricks who tried to trademark “Let’s Encrypt”.

Other players in the ACME cert “business” are great. Renaming a slime ball name and carrying on like nothing happened is not ok.


"If you can't beat 'em, join 'em"


> Is ZeroSSL trusted by old Android devices?

Yes. The intermediate certificate has been included since Android 6.0 [1] and the root expires in 2038 [2].

[1] https://android.googlesource.com/platform/system/ca-certific...

[2] https://crt.sh/?id=1199354


Android 6.0+ is not that much better than future Let's Encrypt's Android 7.1+

It seems that there is no real alternative... Let's Encrypt's move is going to obsolete a huge lot of devices :-/


> Android 6.0+ is not that much better

That doesn't matter, the root that signed the intermediate cert was created in 2010 [1] which means it's usable for Android>=2.2.

[1] https://crt.sh/?id=1199354


How on earth are they making money, then?


IMHO there's an opportunity for a lot of disruption in the CA industry. Managing a lot of certificates gets out of control pretty quickly and if they build a system with decent hierarchical authentication you can start to see a situation where large companies might opt to use them for most (or all) certificates. Put another way, imagine being able to log into your dashboard, create a sub-user and assign permissions for that sub-user to issue certificates for subdomain.example.com.

You can limit certificate issuance to a single issuer via CAA in DNS, so you could set your domains to use ZeroSSL exclusively and ZeroSSL could validate ownership of a domain to allow you to create that hierarchy.

I can think of a lot of value added services that can be sold alongside SSL certificates. One example would be CTLog monitoring including for lookalike (FACEB00K) issuances.

The other thing with SSL is that a lot of people equate it with domain security, so I think there's a certain level of domain monitoring that could be sold alongside certificates. Things like domain expiration monitoring, registration of lookalike domains, NS changes, DMARC reporting, etc. all start to feel like a single "domain security" service.
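The CAA restriction mentioned above (one issuer per domain, with separate wildcard policy and fall-back to the parent name) evaluated in code, as an added example that is not part of the thread: the DNS zone is constructed in memory so it runs offline, and the issuer names `zerossl.example` and `otherca.example` are placeholders, not any CA's real CAA identifier.

```python
"""Decide whether a CA may issue for a name under CAA (RFC 8659 semantics).

Added example, not from the thread. DNS is replaced by a constructed
in-memory zone; issuer domains are placeholders, not real CA identifiers.
"""
from typing import Dict, List, Tuple

CaaRecord = Tuple[int, str, str]  # (flags, tag, value)

# Constructed zone: only example.com and dev.example.com carry CAA records.
CONSTRUCTED_ZONE: Dict[str, List[CaaRecord]] = {
    "example.com": [
        (0, "issue", "zerossl.example"),              # one issuer for normal names
        (0, "issuewild", ";"),                        # nobody may issue wildcards
        (0, "iodef", "mailto:security@example.com"),  # reporting address, no effect on issuance
    ],
    "dev.example.com": [
        (0, "issue", "otherca.example; account=123"),  # parameters after ';' are ignored
    ],
}

KNOWN_TAGS = {"issue", "issuewild", "iodef"}


def relevant_rrset(name: str, zone: Dict[str, List[CaaRecord]]) -> List[CaaRecord]:
    """Walk from the name towards the root and return the first CAA RRset found.
    A leading '*.' is dropped first; the wildcard label itself never holds CAA."""
    labels = name.lower().rstrip(".").split(".")
    if labels and labels[0] == "*":
        labels = labels[1:]
    while labels:
        rrset = zone.get(".".join(labels))
        if rrset:
            return rrset
        labels = labels[1:]
    return []


def issuer_domain(value: str) -> str:
    """Issuer-domain part of an issue/issuewild value; ';' alone yields '' (forbid all)."""
    return value.split(";", 1)[0].strip().lower()


def may_issue(name: str, issuer: str, zone: Dict[str, List[CaaRecord]] = CONSTRUCTED_ZONE) -> bool:
    rrset = relevant_rrset(name, zone)
    # A critical (flag bit 128) record with an unknown tag blocks issuance outright.
    if any(flags & 128 and tag not in KNOWN_TAGS for flags, tag, _ in rrset):
        return False
    tag = "issue"
    if name.startswith("*.") and any(t == "issuewild" for _, t, _ in rrset):
        tag = "issuewild"  # issuewild takes precedence for wildcard requests
    allowed = [issuer_domain(v) for _, t, v in rrset if t == tag]
    if not allowed:
        return True        # no applicable property: CAA does not restrict this CA
    return issuer.lower() in allowed
```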



