Free SSL/TLS Certificates

So far, I see 3 ways to get free SSL certificates.

CAcert.org

As of March 2nd, 2016, https://www.cacert.org/ produces the error “This certificate was signed by an untrusted issuer”. Chrome’s Security Overview states “There are issues with the site’s certificate chain (net::ERR_CERT_AUTHORITY_INVALID).”.

Conclusion: ccert.org is not a good option.

StartSSL™ Certificates & Public Key Infrastructure

I haven’t looked very closely, as I’m more interested in LetsEncrypt right now.

Well, I used this experimentally to create a cert that I didn’t really need. But I installed the cert anyway (in place of a wildcard cert), and it works perfectly. It’s an internal app, and not high traffic. Haven’t seen any problems with the cert over the last couple days.

Let’s Encrypt - Free SSL/TLS Certificates

LetsEncrypt has significant public backing right now, and I think that goes a long way to ensuring its near-future reliability.

LetsEncrypt apparently allows up to 100 domain names on each certificate. This makes it especially attractive for our internal app and all the alternate and subdomains that 3rd parties use to communicate with the app.

Let’s Encrypt does have rate limits, but they appear to address certificate create rather than limits on client traffic for certificate validation. See Rate Limits for Let’s Encrypt.

A guide, some client scripts (because the official client may not be ideal), and a more comprehensive list of available clients:

• Getting Started - Let’s Encrypt - Free SSL/TLS Certificates
• Let’s Encrypt Clients – Simon Josefsson’s blog
• diafygi/letsencrypt-nosudo: Free HTTPS certificates without having to trust the letsencrypt cli with sudo/root
• diafygi/acme-tiny: A tiny script to issue and renew TLS certs from Let’s Encrypt
• List of Client Implementations - Documentation - Let’s Encrypt Community Support

And one more source for free ssl/tls certs I’ve come across from a Chinese company.

WoSign Free SSL Certificates