Where to get free SSL certificates?
Best way to get SSL certificate for local services for free?
Am I able to get an SSL Certificate for my site without paying extreme prices?
SSL Certificate - Paid v Free?
Do I Need an SSL Certificate?
What exactly is an SSL certificate?
How does an SSL certificate work?
Videos
Factsheet
Mozilla Foundation
University of Michigan
Akamai Technologies
Cisco Systems
Mozilla Foundation
University of Michigan
Akamai Technologies
Cisco Systems
So today I figured out how to install acme.sh to my hosted server space for my websites, and used acme to issue an SSL certificate and install it for a domain. It uses LetsEncrypt, and ZeroSSL for the default Certificate Authority (CA). Then I notice that ZeroSSL only allows a free 90 day certificate, and only 3 of those before you have to pay. Is there any way to generate actual free SSL certificates that do not expire for a year or more and that can be renewed free? I have heard that most hosting plans now provide free SSL certs, so is my hosting company just providing cheap hosting but making money on the backend by charging for SSL certs?
Certificate lifespan
Security
Shorter lifespan is better. Simply because revocation is mostly theoretical, in practice it cannot be relied on (big weakness in the public PKI ecosystem).
Management
Without automation: Longer lifespan is more convenient. LE may not be feasible if you, for whatever reason, cannot automate the certificate management
With automation: Lifespan doesn't matter.
End-user impression
End-users are unlikely to have any idea one way or another.
Level of verification
Security
Letsencrypt provides DV level of verification only.
Buying a cert you get whatever you pay for (starting at DV, with the same level of assertion as with LE).
DV = only domain name control is verified.
OV = owner entity (organization) information is verified in addition.
EV = more thorough version of OV, which has traditionally been awarded with the "green bar" (but the "green bar" appears to be going away soon).
Management
When using LE, the work you put in is setting up the necessary automation (in this context, to prove domain control). How much work that is will depend on your environment.
When buying a cert the DV/OV/EV level will define how much manual work will be required to get the cert. For DV it typically boils down going through a wizard paying and copy/pasting something or clicking something, for OV and EV you can pretty much count on needing to be contacted separately to do additional steps to confirm your identity.
End-user impression
End-users probably recognize the current EV "green bar" (which is going away), other than that they don't tend to actually look at the certificate contents.
Theoretically, though, it is clearly more helpful with a certificate that states information about the controlling entity. But browsers (or other client applications) need to start actually showing this in a useful way before that has any effect for the typical user.
Installation
Security
It is possible to do things incorrectly in ways that expose private keys or similar.
With LE, the provided tooling is set up around reasonable practices.
With a person who knows what they are doing, manual steps can obviously also be done securely.
Management
LE is very much intended to have all processes automated, their service is entirely API-based and the short lifespan also reflects how everything is centered around automation.
When buying a cert, even with a CA that provides APIs to regular customers (not really the norm at this point) it will be difficult to properly automate anything other than DV and with DV you are paying for essentially the same thing that LE provides.
If you are going for OV or EV levels, you can probably only partially automate the process.
End-user impression
If the installation is done correctly, the end-user will obviously not know how it was done. The chances of messing things up (eg, forgetting to renew or doing the installation incorrectly when renewing) are less with an automated process.
Overall
Traditional means of buying certs are particularly useful if you desire OV/EV certs, are not automating certificate management or want certs used in some other context than HTTPS.
From a purely technical perspective:
- The fact that the certificates are only valid for 3 months. Can be a nuisance to maintain depending on your change management procedures and infrastructure.
- The purpose of Let's Encrypt certificates is limited. You can't use them for your email, code signing or timestamping.
Check with:openssl x509 -in cert.pem -noout -textX509v3 Extended Key Usage:
TLS Web Server Authentication, TLS Web Client Authentication
From an end-user perspective:
- The lack of Extended Validation means "no green bar" in certain webbrowsers.
- However, Chrome will be phasing out the green bar in September 2018 in favor of a small lock icon and eventually no special indicator and will instead only show warnings for insecure pages.