Jul 6, 2020
2020’s Definitive Free SSL Roundup
Introduction:
If you’re in the business of hosting a website, you’ve probably heard of SSL. Secure Sockets Layer (and its successor, TLS, or Transport Layer Security) technology creates a secure environment for web browsers, clients, and servers. It’s the technology that keeps the data between your site and your users safe from interception and manipulation, and in some cases it’s backed by thousands (or even millions) of dollars in insurance guarantees.
Prior to a few years ago, SSL certificates cost good money — sometimes tens of dollars, sometimes thousands of dollars. To some, they weren’t worth the investment. But, when major browsers like Chrome started to warn users of non-HTTPS webpages, SSL became a much bigger deal for small-time website owners.
So just how expensive is SSL protection in 2020? Well, for most websites, it’s actually free, and it has been since 2016. With the introduction of Let’s Encrypt, a free Certificate Authority backed by some of the world’s largest internet companies, website owners have been able to generate to the tune of over 1 billion SSL certificates as of February 27, 2020.
With that in mind, there are other providers for free SSL certificates that are worth exploring. Many other guides to this sort of thing are monetized or incomplete, meaning they don’t tell the whole story. So, I figured I’d round up all the best Certificate Authorities I could find and list them out here. Without any further ado, let’s begin.
The Best Totally Free SSL Providers:
Let’s Encrypt — No guide to free SSL would be complete without the largest player of the game. Using the ACME protocol, which was developed by the Internet Security Research Group (ISRG) specifically for Let’s Encrypt, Let’s Encrypt is able to automate certificate generation on web servers of any kind.
You can use tools like Certbot to generate and install Let’s Encrypt certificates, which last for 90 days and can include up to 100 host names (or wildcard), on common web servers such as Apache, NGINX, and Caddy (which actually has Let’s Encrypt automation built in), or on platforms such as cPanel through their hosting provider plugin.
And, if you can’t access a command line on your server, or your hosting provider hasn’t enabled some form of access to Let’s Encrypt, you can generate your own certificate through sites like UnoSSL.
Cloudflare — The world’s most popular CDN service, hosting more than 12,000,000 sites as of 2017. When you link your site to Cloudflare, you automatically receive a free SSL certificate for your site and any subdomains you add.
You can choose between one of three SSL settings:
- Flexible — This setting secures connections between a client’s browser and Cloudflare, so proxied domains/subdomains will show up as secure (meaning no insecure warning on browsers like Chrome). However, this setting is actually semi-insecure because it doesn’t actually encrypt data between Cloudflare’s servers and the origin server; read this post on the Cloudflare Community forum for more information. Free web hosting users using modified platforms, such as what you might find on 000webhost, will typically need to use this option.
- Full — This setting secures connections between browsers, Cloudflare, and your origin web server, allowing the web server to go without a trusted SSL certificate (meaning self-signed certificates are O.K.). This option is great for users whose website hosting provider uses cPanel, which (by default) installs self-signed certificates on every new site.
- Full (Strict) — This setting also secures connections between browsers, Cloudflare, and your origin web server. However, it requires that the origin server have a trusted certificate (learn more about the difference here). Luckily, if you can’t obtain one easily, Cloudflare provides trusted origin certificates free of charge (they also last up to 15 years)!
Cloudflare is by far the best Certificate Authority that I’ve tested; I wrote the 000webhost Cloudflare tutorial, helping thousands of 000webhost users enable SSL protection on their custom domains free of charge, and I use Cloudflare for all my sites and SSL needs.
cPanel AutoSSL — cPanel is the biggest website management platform on the web, used by thousands of the biggest web hosting companies to give users near infinite control over their websites. Since 2016, cPanel and Comodo have teamed up to provide users with free SSL certificates on their platform using a technology called AutoSSL.
AutoSSL, powered by cPanel’s Certificate Authority, can be enabled by web hosts and automatically secures any unsecured domains or subdomains on a user’s account. Because it’s powered by Comodo, it’s always trusted in browsers. There are no restrictions on multi-level subdomains or host names per certificate (they’re all generated separately anyway), so cPanel’s AutoSSL is quite possibly the most hassle-free option for cPanel users.
If you’re unable to find this functionality on your cPanel platform, contact your host.
ZeroSSL — Starting out as an issuing service for Let’s Encrypt, ZeroSSL has grown into their own trusted Certificate Authority complete with a RESTful API and the ACME protocol for mass certificate generation and installation.
ZeroSSL is similar to Let’s Encrypt in that free certificates are valid for 90 days, however it has some limits: wildcards cannot be issued for free users, only one domain (2 host names) can be added per certificate, and a maximum of 3 certificates per account are allowed on their Basic (free) plan. You can, of course, upgrade to a Pro (paid) plan to allow for wildcard certificates, longer validity (1 year), and more certificate slots.
You can generate ZeroSSL certificates either through their online dashboard, or through the command line with their custom Certbot wrapper. Generating a ZeroSSL certificate through the command line is similar to Let’s Encrypt, although you need EAB credentials (which must be generated from your account dashboard at ZeroSSL).
I don’t recommend ZeroSSL over Let’s Encrypt unless you’re looking to issue 1-year certificates in bulk using the ACME protocol, in which case you’re looking at a paid plan. Nevertheless, the option exists for free users.
Buypass — Another Let’s Encrypt competitor, Buypass has one key thing going for it: free certificates are valid for 180 days, up from 90. Buypass uses the ACME protocol to generate certificates, similar to Let’s Encrypt and ZeroSSL. And, just like those two, you can generate them easily using Certbot.
A seemingly new face in the SSL game, Buypass’s Go SSL program allows for free certificates valid for 6 months — that’s twice the length of Let’s Encrypt and ZeroSSL. Just like the others, they’re trusted by all major browsers and can be issued via Certbot.
Unfortunately, there are currently no active web clients to generate Buypass Go SSL certificates. To generate a Buypass certificate, use Certbot. The same commands for Certbot with Let’s Encrypt will work, all that needs to be added is the --server 'https://api.buypass.com/acme/directory' flag.
Buypass Go SSL seems to support up to five domains/host names per certificate as per their most recent documentation, but information about this limit is kind of all over the place. Wildcards are not included with Go SSL.
CertCloud — A new competitor, CertCloud’s FreeSSL project is open for business providing 90-day 2-domain certificates (similar to others on this list).
Similarly to Buypass, certificates last for 90 days and can be issued for a root domain and its “www” subdomain. However, there is no ACME protocol available for CertCloud’s FreeSSL (they do have a RESTful API, similar to ZeroSSL, but it’s locked under a premium plan).
CertCloud’s validation system allows for email validation, which is something many free SSL providers don’t offer. Although this option is generally insecure, it’s great for people who, for some reason, don’t have access to hidden portions of their root directory.
TrustAsia Free SSL —TrustAsia’s free SSL certificate generation system (which, just like LE, Buypass, and ZeroSSL, uses ACME) is another viable alternative, primarily targeting Chinese users. The website is Chinese by default, but you can change the language to English.
TrustAsia certificates support only two domains (most users will use WWW and non-WWW for a single domain in this case, no wildcard), but are valid for 1 year! You can sign up to order bulk certificates, and they support DNS and HTTP validation (signing up also changes the language to English for English users, highly recommended).
̶F̶o̶r̶ ̶¥̶1̶ ̶(̶1̶C̶Y̶N̶)̶,̶ ̶y̶o̶u̶ ̶c̶a̶n̶ ̶u̶n̶l̶o̶c̶k̶ ̶a̶c̶c̶e̶s̶s̶ ̶t̶o̶ ̶t̶h̶e̶i̶r̶ ̶A̶C̶M̶E̶ ̶s̶e̶r̶v̶e̶r̶ ̶a̶n̶d̶ ̶u̶s̶e̶ ̶c̶l̶i̶e̶n̶t̶s̶ ̶s̶u̶c̶h̶ ̶a̶s̶ ̶C̶e̶r̶t̶b̶o̶t̶ ̶a̶n̶d̶ ̶a̶c̶m̶e̶.̶s̶h̶.̶ ̶F̶o̶r̶ ̶m̶o̶s̶t̶ ̶p̶e̶o̶p̶l̶e̶,̶ ̶t̶h̶i̶s̶ ̶c̶h̶a̶r̶g̶e̶ ̶i̶s̶ ̶u̶n̶n̶e̶c̶e̶s̶s̶a̶r̶y̶ ̶a̶n̶d̶ ̶y̶o̶u̶ ̶c̶a̶n̶ ̶c̶o̶n̶t̶i̶n̶u̶e̶ ̶u̶s̶i̶n̶g̶ ̶t̶h̶e̶ ̶f̶r̶e̶e̶ ̶g̶e̶n̶e̶r̶a̶t̶o̶r̶ ̶o̶n̶ ̶t̶h̶e̶i̶r̶ ̶h̶o̶m̶e̶p̶a̶g̶e̶.̶
Edit 03/16/21: It appears https://freessl.cn is no longer accepting new signups and is denying logins, which suggests the project may be shutting down or is in the process of being updated. For now, users are still able to generate certificates without logging in.
TRUSTOCEAN Encryption365 Free SSL — TRUSTOCEAN, which appears to be backed by Sectigo, provides free 30-day SSL certificates. They do need to be renewed every 30 days, but it appears they can be renewed infinitely.
TRUSTOCEAN certificates can include up to 100 common names (no wildcard), which makes them a viable alternative to some of the free providers listed above. The caveat is that their site is only available in Chinese, which may prove unideal for many users. Nevertheless, if you can navigate through an unfamiliar language long enough to generate and download a certificate, TRUSTOCEAN is worth checking out.
GoGetSSL Unlimited Trial — Trial SSL certificates typically aren’t your best bet, as they generally can only be generated one time for a given domain. However, GoGetSSL has something going for them; their “trial” can be renewed forever.
Just like Let’s Encrypt and ZeroSSL, these certificates last for 90 days. Unlike LE and ZeroSSL, they can only be issued for one domain at a time. But there seems to be no limit to how many can be issued per account (there is very little technical documentation about the Unlimited Trial), which makes it a viable candidate for website owners.
Similarly to CertCloud’s FreeSSL, GoGetSSL’s PKI validation system also allows for email validation.
Honorable Mentions:
While the providers listed above are, without a doubt, the best options for the general population of small website owners, there are a few remaining options.
CAcert — CAcert was once one of the original free Certificate Authorities, securing thousands of sites before their root certificate was distrusted by major browsers and flavors of Linux. They do still issue certificates for members, and you can still sign up. However, any sites with CAcert certificates installed will show an “untrusted” warning in browsers without the new root certificate installed.
Comodo Free SSL — Comodo is one of the most trusted paid Certificate Authorities on the web, providing all types of certificates for some of the world’s most trusted brands. They offer a 90 day free SSL trial certificate that can be installed on most web servers, the main target being cPanel users. Only one certificate can be generated per domain.
Most other “free trial certificates” are backed by Sectigo (Comodo) or DigiCert, and follow the same feature set as Comodo’s. Generally speaking, if you can obtain one of them, you should look towards the truly free Certificate Authorities instead.
Conclusion:
And that’s it! If you still aren’t convinced that SSL protection is right for you (at the low, low cost of FREE), I’ve got news for you: it’s the global standard for website encryption. Using any of the options outlined above, you can get ahead of the curve and keep your site available to users using modern browsers.
For more information about how to generate Let’s Encrypt, Buypass, and ZeroSSL certificates via ACME through a terminal, checkout this write-up that I helped gather information for.
