Sectigo

What Is Sectigo?

The SSL/TLS certificate market has undergone a fundamental transformation over the past decade. Let's Encrypt, launched in 2016 by the Internet Security Research Group, made basic domain validation certificates free and automated. That single change disrupted a multi-billion-dollar industry overnight and forced every commercial certificate authority to justify their continued existence. Today, Let's Encrypt secures over 300 million websites. The question for any commercial CA is: what value do we provide that free does not?

Sectigo -- formerly Comodo CA, rebranded in 2018 -- is the world's largest commercial certificate authority by volume, and its answer to that question is scope. Yes, Let's Encrypt handles DV certificates elegantly. But the broader certificate landscape includes Organisation Validation (OV) certificates that verify company identity, Extended Validation (EV) certificates that require thorough organisational vetting, code signing certificates, S/MIME email certificates, and the increasingly critical challenge of managing thousands of certificates across a large enterprise.

Founded in 1998 and headquartered in Salford, United Kingdom, Sectigo has evolved from a pure certificate issuer into a certificate lifecycle management platform. Sectigo Certificate Manager (SCM) handles discovery, issuance, renewal, and revocation across entire certificate estates, supporting multiple CAs and automated workflows. For enterprises managing hundreds or thousands of certificates across diverse infrastructure, this management layer is where Sectigo creates value that free CAs cannot match.

Key Features

Full Certificate Product Range

Sectigo offers the broadest range of certificate products of any commercial CA. DV certificates provide basic encryption and can be issued in minutes. OV certificates add verified organisation identity, important for businesses that want customers to verify who operates the website. EV certificates require the most thorough validation -- legal entity verification, physical address confirmation, operational checks -- and provide the highest level of trust assurance.

Beyond web certificates, Sectigo issues code signing certificates (critical for software publishers who need to sign executables), S/MIME certificates (for encrypted and signed email), and document signing certificates. This breadth means organisations can consolidate their entire certificate portfolio with a single provider.

Sectigo Certificate Manager (SCM)

SCM is Sectigo's enterprise crown jewel. Modern organisations can have thousands of certificates across web servers, load balancers, cloud services, internal applications, and IoT devices. Managing these manually -- tracking expiry dates, handling renewals, maintaining compliance -- is operationally unsustainable.

SCM automates the entire lifecycle. It discovers certificates across your infrastructure (including ones you did not know about), tracks their status and expiry, handles automated renewal via ACME or API, and provides centralised dashboards for compliance reporting. Critically, SCM is multi-CA: it can manage certificates from Sectigo, Let's Encrypt, and other issuers in a single platform. This vendor-agnostic approach makes it useful even for organisations that primarily use free certificates but need management oversight.

ACME Protocol Support

Sectigo's ACME support brings Let's Encrypt-style automation to paid certificates. Using standard ACME clients like Certbot, organisations can automate the issuance and renewal of Sectigo DV, OV, and even EV certificates (with pre-completed validation). This eliminates the manual renewal processes that cause the certificate expiry outages that regularly make headlines.

IoT Device Identity

As IoT deployments scale, the challenge of device identity and authentication becomes critical. Sectigo's IoT identity platform provides certificate-based device authentication, enabling organisations to verify and manage the identity of connected devices at scale. This is particularly relevant for industrial IoT, healthcare devices, and automotive applications where device integrity has safety implications.

Post-Quantum Readiness

Quantum computing threatens to break current public-key cryptography. Sectigo has been actively investing in post-quantum cryptography readiness, participating in NIST's post-quantum standardisation process and developing hybrid certificates that combine classical and quantum-resistant algorithms. For organisations planning long-term cryptographic strategy, Sectigo's early investment in PQC is a relevant differentiator.

Pricing

Sectigo's pricing varies significantly by certificate type and purchase channel. Direct pricing for a basic single-domain DV certificate starts at approximately EUR 10/year -- cheap, but not free like Let's Encrypt. OV certificates run around EUR 80/year, and EV certificates approximately EUR 170/year.

The real pricing question is whether those premiums are justified. For DV certificates used on basic websites, Let's Encrypt is genuinely sufficient and the cost argument for Sectigo DV is weak. For OV and EV certificates, Sectigo offers competitive pricing against DigiCert, which typically charges significantly more for equivalent products.

Sectigo Certificate Manager pricing is enterprise and quote-based, scaling with the number of managed certificates. For organisations managing large certificate estates, SCM can reduce operational costs by eliminating manual renewal processes and preventing costly certificate expiry outages. The ROI calculation depends heavily on the size of your certificate estate and the operational cost of your current management approach.

Volume discounts, reseller pricing, and multi-year contracts add complexity. Sectigo's pricing page can be confusing, with many overlapping certificate types and optional add-ons. Budget-conscious buyers should compare total cost carefully, including any management platform fees.

EU Compliance & Data Privacy

Sectigo's compliance position requires nuance. The company is UK-based, which post-Brexit means it operates under UK GDPR rather than EU GDPR. As of 2026, the EU maintains an adequacy decision for the UK, meaning UK data protection is considered equivalent to EU standards. However, this adequacy decision is subject to periodic review and could theoretically be withdrawn.

On the positive side, Sectigo maintains eIDAS qualified trust service status, which is the EU's framework for electronic identification and trust services. This means Sectigo certificates are recognised under EU law for electronic signatures and trust services. The company also holds SOC 2 Type II certification and undergoes regular WebTrust audits, which are the industry standard for certificate authority operations.

For organisations that strictly require EU-jurisdictional services, the UK location is a consideration but not a disqualification. The eIDAS status and WebTrust audits provide the compliance framework that matters most for certificate services specifically.

Who It's Best For

Enterprise IT teams managing large certificate estates where automated lifecycle management is a genuine operational need. Sectigo Certificate Manager addresses this at scale, and the multi-CA support means it adds value even alongside Let's Encrypt.

Organisations needing OV or EV certificates for customer-facing websites, financial services portals, or applications where organisational identity verification matters. Let's Encrypt does not offer these validation levels.

Software publishers requiring code signing certificates to sign executables and establish publisher identity. This is a specialised need that free CAs do not serve.

IoT deployments requiring scalable device identity and certificate-based authentication. Sectigo's IoT identity platform addresses a growing market need.

The Verdict

Sectigo occupies a challenging market position: the world's largest commercial CA in an era where the most common certificate type is available for free. The company has responded intelligently by pivoting toward lifecycle management, enterprise PKI, and specialised certificate types that free alternatives do not cover. Sectigo Certificate Manager is a genuinely useful platform for organisations with complex certificate estates. The pricing is competitive against DigiCert for OV and EV, and the ACME support brings modern automation to paid certificates. The UK jurisdiction is a minor complication for EU-only procurement policies, but the eIDAS qualification and adequacy decision mitigate this. For basic DV needs, Let's Encrypt wins on cost. For everything else, Sectigo makes a credible case.

Frequently Asked Questions

Is Sectigo a trusted certificate authority?

Yes. Sectigo is the world's largest commercial certificate authority, trusted by all major browsers and operating systems. The company undergoes regular WebTrust audits and complies with CA/Browser Forum requirements. Sectigo root certificates are embedded in virtually every browser and device.

How does Sectigo compare to Let's Encrypt?

Let's Encrypt provides free DV certificates with 90-day validity. Sectigo offers DV, OV, and EV certificates with up to 1-year validity, plus organisational vetting, warranty coverage, and enterprise certificate management. For basic DV needs, Let's Encrypt is sufficient. For OV/EV or enterprise management, Sectigo adds value.

What is Sectigo Certificate Manager?

Sectigo Certificate Manager (SCM) is an enterprise platform for automated certificate lifecycle management. It handles discovery, issuance, renewal, and revocation across your entire certificate estate. It supports multiple CAs, integrates with ACME, and provides centralised visibility over all certificates.

Does Sectigo support ACME protocol?

Yes. Sectigo supports the ACME protocol for automated certificate issuance and renewal. This allows integration with tools like Certbot and enables automated workflows similar to Let's Encrypt but with the option of OV and EV certificates.

Is Sectigo GDPR compliant?

Sectigo is UK-based (post-Brexit), so it operates under UK GDPR rather than EU GDPR. However, the company maintains eIDAS qualified trust service status, undergoes SOC 2 Type II audits, and the UK's data protection framework is currently recognised as adequate by the EU.