Buypass

What Is Buypass?

Before Let's Encrypt launched in 2015, free SSL certificates simply did not exist at scale. Buypass, founded in Oslo in 2001, built its reputation the old-fashioned way — as a trusted Norwegian CA serving banks, government agencies, and enterprise clients who needed commercial-grade certificates with Nordic regulatory compliance.

When the free SSL era arrived, Buypass adapted rather than retreated. In 2019, it launched Buypass Go SSL: a free Domain Validated certificate service using the ACME protocol, compatible with the same clients (Certbot, acme.sh, Caddy) that drive Let's Encrypt adoption. The key differentiator was certificate lifetime. Buypass Go SSL issues certificates valid for 180 days, compared to Let's Encrypt's 90-day limit. Fewer renewal cycles, same zero cost.

This history shapes what Buypass is today: a dual-track CA that competes directly with Let's Encrypt on free certificates while maintaining a commercial portfolio for organisations that need OV, EV, or identity-backed signing services. The Norwegian heritage adds a third dimension — Buypass operates the infrastructure behind Norwegian BankID, the electronic identity system used by virtually every Norwegian for banking, tax, and government transactions.

That BankID relationship gives Buypass a credibility in regulated sectors that pure-play CAs cannot easily replicate. It also means Buypass has engineering depth in high-assurance identity that extends well beyond issuing SSL certificates.

Norway is an EEA member state, not an EU member. For most practical purposes this distinction is immaterial — Norway applies GDPR via the EEA Agreement, and Buypass data stays within EEA territory. For organisations whose compliance frameworks specifically require EU member state hosting (not merely EEA), this is worth checking against your legal team.

Key Features

Buypass Go SSL — Free Certificates via ACME

The free certificate service is Buypass's most used product by volume. Buypass Go SSL issues DV certificates using ACME v2, compatible with the full ecosystem of ACME clients. Setup with Certbot or acme.sh looks identical to Let's Encrypt configuration — just point the CA URL at Buypass's endpoint.

The 180-day validity is a genuine advantage. Let's Encrypt's 90-day certificates require more frequent renewals, and while automation handles this in most setups, the longer window provides a safety buffer if automation breaks. If your Certbot cron job fails silently, you have three months to notice with Buypass versus six weeks with Let's Encrypt.

The trust chain is entirely separate from Let's Encrypt. This matters for redundancy planning: if Let's Encrypt's OCSP infrastructure experiences issues (as it occasionally does at scale), Buypass certificates are unaffected. Operating both in parallel across different services is a legitimate high-availability strategy.

Commercial OV and EV Certificates

For organisations that need identity verification beyond domain control, Buypass issues OV and EV certificates through its commercial programme. OV certificates verify the legal entity operating the domain; EV certificates apply the most rigorous identity checks and provide the strongest trust indicator in enterprise browser deployments.

Pricing sits above budget providers like Certum but below DigiCert and Sectigo. The trade-off is a CA relationship with a long track record in regulated Nordic sectors and an EEA-compliant trust chain.

Norwegian BankID and eID Services

This is where Buypass's offering diverges most sharply from other CAs. BankID is Norway's national electronic identity system: over 4.5 million Norwegians use it to authenticate with their bank, file taxes, sign contracts, and access government services. Buypass is one of the two companies that operate the BankID infrastructure.

For Norwegian businesses, this means Buypass can provide a unified supplier relationship covering both SSL certificates and the eID infrastructure that underpins online authentication. For international businesses operating in the Norwegian market, Buypass's BankID expertise is effectively irreplaceable.

ACME Ecosystem Compatibility

Buypass Go SSL works with the mature ecosystem of ACME clients that has grown up around Let's Encrypt. Certbot, acme.sh, Caddy's built-in ACME client, Traefik, and Nginx's ACME support all work with Buypass endpoints by changing the CA URL in configuration. There is no proprietary client requirement, no vendor lock-in, and no registration needed for the free tier.

Wildcard and Multi-Domain Certificates

Buypass offers wildcard certificates — covering all subdomains of a domain with a single certificate — through both the free and commercial tiers. Multi-domain (SAN) certificates bundle multiple different domains into one certificate, reducing management overhead for organisations operating many hostnames.

Pricing

Buypass Go SSL is free. Zero. No account required for automated ACME issuance. Certificates renew automatically via any standard ACME client.

Commercial certificates start around EUR 15/month for OV and EUR 30/month for EV, billed annually. These prices are mid-market for European CAs — higher than Certum's highly competitive Polish pricing, lower than DigiCert's premium positioning.

The absence of a single-year short-term option at low price points makes Buypass slightly less convenient for one-off projects than some alternatives. Multi-year commitments get better rates. Enterprise and volume pricing for the commercial tier requires direct contact with Buypass's sales team.

For the free tier, the cost is genuinely zero — but the support model is community-based. There is no Buypass support ticket for Buypass Go SSL issues; you rely on the ACME client community documentation.

EU Compliance & Privacy

Norway's EEA membership means GDPR applies in full to Buypass. The company processes all data within Norway and does not transfer certificate data outside the EEA. For the vast majority of GDPR compliance scenarios, EEA jurisdiction is functionally equivalent to EU member state jurisdiction.

Buypass holds WebTrust for CAs certification and complies with ETSI EN 319 411, the European standard for certificate authorities. These audits are conducted annually. Root certificates are trusted in all major browsers, operating systems, and mobile platforms.

The BankID operation adds a layer of regulatory scrutiny beyond what most CAs face — Norwegian financial regulators oversee BankID infrastructure, meaning Buypass operates under both CA/Browser Forum requirements and Norwegian financial sector oversight.

One nuance to verify: certain EU procurement frameworks explicitly list EU member states only, not EEA members. Norway's non-EU status can occasionally create supplier eligibility questions in public sector procurement contexts. In commercial settings, this is generally irrelevant.

Who It's Best For

Developers and sysadmins wanting a free European alternative to Let's Encrypt with longer certificate validity. Buypass Go SSL fits directly into existing ACME workflows with no configuration complexity.

High-availability infrastructure teams who want free certificate redundancy across two separate CAs. Running Let's Encrypt on some services and Buypass on others provides resilience against CA-specific outages or rate limit issues.

Norwegian businesses that need both SSL certificates and BankID integration from a single trusted supplier with deep local regulatory expertise.

EEA-focused organisations needing commercial OV or EV certificates from a well-established Nordic CA with EEA compliance as a structural property.

The Verdict

Buypass's dual-track model works. The free ACME tier is a legitimate European alternative to Let's Encrypt, with the practical advantage of 180-day certificate validity. The commercial tier lacks the pricing aggression of Certum and the tooling depth of DigiCert, but provides a solid OV and EV option for organisations that value the Norwegian regulatory track record and EEA-compliant trust chain. The BankID heritage gives Buypass an identity services capability that no comparable CA can match in the Nordic market.

Frequently Asked Questions

Is Buypass Go SSL a genuine free alternative to Let's Encrypt?

Yes. Buypass Go SSL issues free Domain Validated certificates via ACME v2, compatible with Certbot, acme.sh, and other standard ACME clients. Certificates are valid for 180 days — twice Let's Encrypt's 90-day limit. The trust chain is separate, making Buypass useful as a redundant CA alongside Let's Encrypt.

Is Buypass GDPR compliant?

Yes. Norway is an EEA member and applies GDPR through the EEA Agreement. All Buypass data and certificate operations are processed in Norway. For most compliance scenarios, EEA jurisdiction is functionally equivalent to EU member state jurisdiction.

How does Buypass compare to Let's Encrypt?

Both offer free DV certificates via ACME. Buypass certificates have 180-day validity versus Let's Encrypt's 90 days. Let's Encrypt has a much larger community, broader integrations, and more documentation. Buypass is valuable as a backup CA and also offers OV and EV certificates that Let's Encrypt does not provide.

Does Buypass support eID authentication?

Yes. Buypass operates Norwegian BankID infrastructure, providing high-assurance digital identity for banking, government, and regulated sectors. These services extend beyond SSL certificates into full digital identity infrastructure for the Norwegian market.

Where is Buypass data processed?

All Buypass data and certificate operations are processed in Norway, an EEA member state. No data leaves the European Economic Area.