> > And for other services like IMAP, SMTP, LDAP (maybe not LDAP) constant
> changing certs even with a long lived root may get old for your customers.

Why? I have corporate systems on 2 year commercial CA signed certificates and personal servers on 90 day LetsEncrypt ones - my users of IMAP and SMTP have never ever noticed when I changed the certificates on any device. The certificates all have trusted CAs so the clients trust them without any interaction. Even I don't notice when certbot renews my certificates.

> > Unfortunately, there has never been an effective business model for
> small customers.

The problem is one of trust - in the past even significant CAs have had their signing keys leaked, so it's difficult for the root CAs to trust a company who deals with SMEs with cut price signing (the infrastructure has a significant cost, so they must be cutting corners somewhere!). That was until LetsEncrypt came along - it has the backing of some big names and *IS* an effective business model for small and private customers.

P.