The number of certificates issued/inserted on 25th December, which is almost the same as any other day in December, while being a bank holiday in most Western countries, makes me happy: the industry successfully made certificate renewal fully automatic.
For LetsEncrypt, all renewal requests are done with ACME clients, so this is not a surprise.
I'm curious to know which part of DigiCert and Certigo certificates are actually renewed with an ACME request (both support it).
Certigo is ZeroSSL for all intensive purposes (as far as I am concerned) so probably close to all of them were acme clients.
Digicert has been pushing acme for a while now, but it's a bit annoying as you (my company) needed to prepay/have a line of credit for it, or some annoyance that didn't make it as seemless as LE/ZeroSSL.
I think for digicert any of the certs with 89/90 day expiry would be acme renewals with a near 100% certainty.
I don't have a definite reason you (or anybody in particular) should choose Digicert but I can give you a couple of ideas of where technically they might be a good choice and ISRG (Let's Encrypt) are not.
Firstly there may be policy issues and you can pay Digicert to care whereas you can't pay Let's Encrypt to care about your problems. Meta for example pays (paid?) their issuer to obey their private extra requirements on top of the rules for the Web PKI when it comes to names in the famous facebook.com 2LD.
Secondly trust issues. Obviously for a mainstream browser or similar, ISRG are trusted, but maybe you've got a fleet of Multi-function Printers from 2015 across 54 offices and alas none of them trust Let's Encrypt for the TLS servers. Yes, this was a dumb purchase but you don't have a time machine and the people who maintain this fleet keeps telling you the next version will definitely fix it, so meanwhile you're buying Digicert certificates.
This is admittedly a rare use case, but is needed e.g. for setting up a DNS-over-HTTPS server.
ZeroSSL seems to support IPv4 SANs, but fails to validate IPv6 addresses; I tried emailing their support several times about this but they never replied. I finally got a working certificate via GeoCerts (https://www.geocerts.com/), a DigiCert reseller, but doing so required manual validation. For the record, GeoCerts support was fantastic.
It is kind of a bummer that I can't have a website flying under the radar (given a requirement to have a cert signed by a well-known CA).
There is a subset of personal websites that I have rather not have poked and prodded by everyone, yet still be able to casually access them from random places.
Other than wildcard certs mentioned by sibling comments, note that this is security by obscurity in pure form. This is insecure!
You cannot have a website on the public internet and hope to hide it only by virtue of having no well-known CA cert. Your deployment, should it be truly public, has to be secure even in the face of its location (FQDN) being known. Else, it’d just be a matter of time until breaching happens.
You might be interested in the ACME DNS challenge as well.
Note that Bulk DNS Records are a very affordable service. I don't know if Shodan throws those in, it may not, but if your attacker isn't a bored teenager who took a momentary interest they absolutely do have those records. If you can afford Netflix you can afford to subscribe to that data from a reputable supplier.
The way they're obtained is, if you operate a huge public DNS service, you collect the set of answers you saw, with timestamps but no PII, and you just sell that. If you take this data from a handful of the biggest DNS services you've got maybe 95% coverage of everything out there.
Sure 99% of users of hr.big-bank.example will be Big Bank employeees at work with local DNS, but 1% is people who are at home, or off-site or whatever and maybe it doesn't even work without VPN, but someone will click it by accident and so it gets collected.
You could still used a self-signed certificate, you would just need to view the certificate anytime you’re on someone else’s machine to check its validity. And you can always use wildcard certificates to keep hostnames secret.
Just use a secret path, subdomain will always leak via DNS. You can also disable access logs on anything else than the secret path and cut the noise drastically.
Really surprised to see that according to this data, Sectigo issues more than twice as many certificates as DigiCert.
I have the habit of checking the CA for every website I visit, and my impression from that personal survey is that DigiCert is vastly more common than any other CA, except of course Let's Encrypt.
Educause also has a partnership with InCommon that uses Sectigo to issue certs. I work at a relatively small school and we have thousands of certs issued by effectively Sectigo. I'd imagine there's lots and lots of Educause members that are taking advantage of this.
They make the key exchanges much larger for the same level of security, but the implementations are generally much harder to ensure are secure and safe as RSA is fairly susceptible to side channel attacks. The old argument that ECC is slower than RSA also starts to falter as the RSA keys get necessarily larger.
For LetsEncrypt, all renewal requests are done with ACME clients, so this is not a surprise.
I'm curious to know which part of DigiCert and Certigo certificates are actually renewed with an ACME request (both support it).