No catch. The 90 day policy is there for security purposes, to continually force refreshing new certificates. It's also there to force the use of automation; that way there's little continual maintenance required.

Also, they do domain validation only. That's perfectly good for most people. Extended Validation certificates, where the certificate issuer actually verifies your identity (And not just that you control that domain) cost a LOT more money but usually only certain entities need that.

Otherwise these certificates are essentially as good as the ones you'd pay good money for.