You’ve no doubt heard about HTTPS. Or someone has told you that you should get an SSL certificate for your website. It’s difficult to avoid the subject these days.
If you’ve been putting it off—and let’s face it, many of us have—it’s time to take a serious look at getting an SSL certificate for your website. But to give you some incentive, I’ll show you how to get a free SSL certificate.
Soon it won’t be possible to avoid using HTTPS. Google and other web browsers are essentially forcing the change by labeling sites not using SSL as insecure. Many will display other warnings related to HTTPS encryption.
In the past SSL certificates have been a considerable an added expense. But today, there are free options to protect your website the same way a paid certificate does.
I imagine that some of the more technically-minded among you are talking to your screens right about now. You might be saying modern web servers no lonbger use the SSL (Secure Socket Layer) protocol.
You are correct. The TLS (Transport Layer Security) protocol has replaced SSL for most uses. But the hosting industry, and the web in general, still refer to the certificates as “SSL certificates.”
So that’s how I’m going to refer to them here.
SSL certificates are necessary if you do any financial transactions on your website. It also helps if you want to encrypt traffic for any reason and make your site available via HTTPS, such as https://example.com.
If you go back to that URL without the HTTPS prefix (http://example.com), you’ll see that there’s no security “lock” displayed in your browser. Google Chrome goes so far as to label the URL “Not secure” in the address bar.
What Is an SSL Certificate, Anyway?
The SSL certificate itself is simply a text file installed on a web server. The information in the certificate lets the browser know that the domain name listed in the certificate matches the domain name of the site. When the match has confirmation, the visitor’s browser can make a secure connection.
The secure connection allows traffic between the website and the visitor to be encrypted. This is so no third-party can eavesdrop on the connection.
So it’s probably obvious why you would want that kind of security for financial transactions made on the web. But why encrypt “regular” traffic?
A great deal of private data is passed between websites and visitor’s browsers any time a form is filled out or a user logs in. Those usernames, passwords and other personal data are exactly what the bad guys are looking for.
Encrypting the connection protects the data. It makes it impossible for anyone but the visitor and the website to see any of the data exchanged during the visit.
The only way that encryption can happen is with an SSL certificate and an HTTPS connection.
An SSL certificate also helps protect your site against third parties collecting or aggregating your visitor’s behavior. They can do this by using cookies or other tracking devices. However, SSL/HTTPS alone cannot completely prevent third-party tracking.
But perhaps the most compelling reason to use an SSL certificate on your website is the fact that without it your site will be labeled “Not secure,” by the most widely used web browsers. And that’s not a message any of us want to send to our visitors.
How to Get a Free SSL Certificate
Many companies will provide free certificates to specific groups or individuals, such as open source software projects or Microsoft MVPs. But in this article, I will focus on free SSL certificates that anyone can get.
Before we get into where to get a free certificate, let’s take a moment to look at the different kinds of SSL certificates that are available. There are primarily three categories that certificates fall: Domain Validated, Organization Validated, and Extended Validation.
Each type of certificate provides encryption, HTTPS and the browser padlock icon, regardless of their cost. The differences are in the way the certificate owner is validated or verified.
- Domain Validated certificates are issued when you can prove that you own the domain. The verification process is usually completed by email and only takes a few minutes.
- Organization Validated certificates validate that a domain belongs to a registered business. This is a manual process that can take several days to complete. An Organization Validated certificate is required to get a security seal. When a visitor clicks a security seal, valid company information is available.
- Extended Validation certificates validate that a domain belongs to a registered business as well as providing a more extensive manual validation of financial and business information. Extended Validation certificates used to have the benefit of changing the visual appearance of the browser address bar. So the certificate would turn it green or display the company in green. But many web browsers no longer give Extended Validation certificates the green treatment. So their significantly higher cost and increased verification scrutiny are becoming less justifiable.
Should You Look for a Warranty?
Many paid certificates also include a warranty. Though, certificate authorities are vague about what sort of incidents those warranties potentially cover.
I couldn’t find a single example or mention of anyone collecting any settlement from an SSL certificate warranty. With that in mind, the fact that none of the free SSL certificates we’re going to talk about offer warranties shouldn’t be an issue.
Finally, obtaining a certificate and installing it are two different things, but they are usually related. Check with your web host before venturing out to get a certificate. They may be able to assist.
You will often need a Certificate Signing Request (CSR) to get a certificate from any of the providers listed below. The CSR is generated on the web server where the certificate is placed.
6 Free SSL Certificate Providers
Let’s Encrypt
40% of the SSL certificates in use today are the result of using Let’s Encrypt. Let’s Encrypt is the first project of the non-profit Internet Security Research Group. ISRG is funded by Google Chrome, Mozilla, the Electronic Frontier Foundation, Cisco and several web hosting companies. Before going through the tall weeds installation, check with your web host about Let’s Encrypt. Many of them will do the installation and renewal for you. Let’s Encrypt certificates are valid for 90 days.
SSL For Free
SSL For Free is more or less a “wrapper” around the Let’s Encrypt service, but it makes the process of getting an SSL certificate relatively easy. And, it does not use email verification. They verify via a file uploaded to your site, or the addition of a DNS text record. All-in-all, this may be the easiest path to a free SSL certificate.
CAcert
CAcert Free Certificate Authority is a non-profit organization that has been issuing certificates since 2003. Obtaining a certificate from CAcert is free, but not easy. If you want a CAcert, you have to meet with a CAcert volunteer in the actual physical world to verify or review your identity documents. Certificates expire every 6, 12 or 24 months.
To renew a certificate, you get to meet with a CAcert volunteer again. If it sounds somewhat inconvenient and intrusive, it is. But they’re in the list because they are one of the only genuinely free SSL certificate issuers.
Sectigo (formerly known as Comodo)
Sectigo has been issuing certificates for a long time under their former name, Comodo. The company’s “free” certificates are valid for 90 days. After 90 days, you have to start the process again or pay Sectigo for a certificate.
SSL.com
Not technically a free but more of a free trial, SSL.com offers a 90-day certificate. Like Sectigo, after 90 days you have to start the process again or pay SSL.com for a certificate.
Cloudflare
Cloudflare is a security company and a CDN, not an SSL certificate issuer. But they’re on the list because if you use the Cloudflare service, you can set up SSL for free. It’s a nice feature, but only if you’re a Cloudflare customer.
Many other certificate companies will issue you a free certificate for a limited period. But most of them are valid for less than 90 days. Since they are very short term trials for paid products, I did not include them in the list.
A Free SSL Certificate Is Not the Answer for Every Website
This article is all about how to get a free SSL certificate. However, there are situations where a free certificate may not be the right fit.
For example, if you want to display a security seal on your e-commerce site, a free certificate won’t do the trick. Most free SSL certificates are “Domain Validated,” so they cannot offer a security seal.
Another potential problem area for free certificates is the length of time that the certificate is valid. Paid certificates are valid for at least one year. Many free certificates, including the most popular, Let’s Encrypt, are only valid for 90 days.
Some website hosting companies offer free cert renewal automation, so the limited validity window is not an issue. But if you manage your own server or VPS and have to renew your SSL certificates every 90 days manually, the time saved by using a paid certificate may more than offset its cost.
And as you can see by our list, there are very few companies that will issue a truly free SSL certificate. But the process is more manageable, and millions of new certificates issued every day.
I hope this article has answered your questions about free SSL certificates. Let me know in the comments, and thanks for reading.