FREE SSL Certificate Wizard.
This tool helps you to obtain SSL certificates for your website. They are issued by Let’s Encrypt Certificate Authority and they are absolutely free. The renewals are also free and unlimited. Issued certificates are supported by all major browsers and operating systems.
The certificates are of Domain Validated (DV) type. That means you will only need to confirm your ownership of the domain name. The confirmation process is very simple and there are two options to choose from: DNS verification and HTTP verification. The former requires creating a specific DNS record of TXT type for the domain. The latter requires creating a plain text file with specific content on your web server. Choose the option you are most comfortable with – normally all registrars provide a way to edit DNS records, but you might like creating a text file better. DNS verification also might take a bit longer depending on how quickly your registrar’s servers publish the changes (usually within 15-20 minutes), while HTTP verification can be instant.
The certificates are initially valid for 90 days and then can be renewed again and again (also at no cost). Please consider entering your email when using our FREE SSL Certificate Wizard for the first time and registering a new key – that will give you a way to restore your key if you lose access and will provide notifications from Let’s Encrypt about certificate expirations. Please note that we do NOT collect or store your email – it is submitted directly by your browser to Let’s Encrypt over an HTTPS-secured link, should you decide to enter it. If you don’t want expiration reminders to be sent, you can leave it blank.
Our service is fully automated. All the keys, regardless of whether entered or generated on site, are only used by your browser to sign appropriate messages while directly communicating with Let’s Encrypt API servers over an encrypted connection. The CSR (Certificate Signing Request) is also sent directly by your browser to Let’s Encrypt Certificate Authority. Finally, the certificate is also downloaded by your browser directly from Let’s Encrypt via an encrypted connection. None of this information is ever seen by our servers.
How to use
The FREE SSL Certificate Wizard makes the whole process of getting an SSL certificate quick, straightforward and easy to understand. It has a minimum of fields to fill in and just 3 steps – “Details”, “Verification” and “Certificate”, which should be easy to go through even if you do not have any technical knowledge about SSL and how keys and CSRs are created.
The “Details” screen
- “Email” – Enter it if you want to receive notifications about domain expirations and also for the purpose of being able to restore access to your account if you ever lose your Let’s Encrypt key. Please note that if you are using an already registered Let’s Encrypt key, then email will be ignored. This field is optional and can be left blank.
- “Let’s Encrypt key” – You can either use an existing key or leave this area blank to generate a new 4096 bits key for you. Please note that regardless of whether the key is created or entered, it never leaves your browser and it is only used by your browser to sign the messages exchanged between itself and Let’s Encrypt API servers over an encrypted connection.
- “Domains” – Enter the domain or the list of domains the certificate should be issued for (separated by either whitespaces or commas). Please note that this field is only needed if you are not using the “CSR” area, in which case the domain names will be read from the CSR. If “Domains” is used, then on clicking “Next” your CSR will be created and put into text area below, while the “Domains” list will be cleared.
- “CSR” – This area is used when you already have the CSR (Certificate Signing Request), in which case the “Domains” field should be left blank. It also gets populated with a generated Certificate Signing Request if you leave it blank.
- “Verification” – you can choose between “HTTP” and “DNS” verification types. Choose “HTTP” if you want to verify your domain ownership by creating a text file on your server. Choose “DNS” if you want to verify your domain ownership by creating a TXT record in your DNS (for example if you cannot create a file on your site or your site does not exist yet, but you can edit the DNS records of your domain).
Please note that if a key or a CSR has been generated, then clicking “Next” will not let you move to the next screen until you either download or copy newly created key/CSR (you can use appropriate buttons in the top right corner of each text area).
Also note that if the CSR is generated for you, it will be based on a new automatically generated 4096-bit key. If you prefer the CSR to be based on your existing key (for example one generated with the openssl command line), then you should use the “CSR Generator” first and then paste the created CSR into the appropriate field of the SSL Certificate Wizard.
Important: If you don’t have a CSR and you need your certificate for some AWS service (such as API Gateway or CloudFront), then use our “CSR Generator” first and choose 2048 bits – after that use created CSR with SSL Certificate Wizard. This is due to the limitations regarding the maximum key size for AWS services.
The “Verification” screen
This screen does not require you to enter anything. It shows what needs to be done to prove your domain ownership. If you are using HTTP verification, then for each domain on your certificate you will be given a name and the content of the file to be created. Each name is also a link, so after you have created a file, you can click that link to make sure that the file is actually accessible and the content of it is what it should be. If you are using DNS verification, then you will be given a name for the DNS TXT record and its value. It will also show you how to check that your DNS changes became “visible”.
After creating a file or making DNS changes (and making sure those are visible) you can click “Next”. If everything is done right, you will be moved to the final screen (“Certificate”). If any error happens, then you will see verification results for those domains which have failed verification. After reading the results, click “Next” for the “Verification” screen to be displayed again with the new values for the domains which have failed. There will be no need to re-do those domains on your list which have succeeded verification.
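How the file content and TXT value on this screen relate to your Let’s Encrypt key, assuming the wizard shows the standard ACME http-01 and dns-01 values defined in RFC 8555. This is an added example, not the wizard’s own code; the JWK and token are constructed samples, and the function names are hypothetical.

```python
import base64
import hashlib
import json


def b64url(data: bytes) -> str:
    """Unpadded base64url, as used throughout ACME and JOSE."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 SHA-256 thumbprint of an RSA public key in JWK form."""
    # Required members only, sorted by name, serialized without whitespace.
    required = {name: jwk[name] for name in ("e", "kty", "n")}
    canonical = json.dumps(required, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def key_authorization(token: str, account_jwk: dict) -> str:
    """RFC 8555 section 8.1: token, a dot, then the account key thumbprint."""
    return token + "." + jwk_thumbprint(account_jwk)


def http01_expected(domain: str, token: str, account_jwk: dict) -> tuple:
    """URL the CA fetches over plain HTTP and the body it must find there."""
    if domain.startswith("*."):
        raise ValueError("wildcard names cannot be validated with http-01")
    url = "http://%s/.well-known/acme-challenge/%s" % (domain, token)
    return url, key_authorization(token, account_jwk)


def dns01_expected(domain: str, token: str, account_jwk: dict) -> tuple:
    """TXT record name and value; a wildcard is validated at its base name."""
    base = domain[2:] if domain.startswith("*.") else domain
    digest = hashlib.sha256(key_authorization(token, account_jwk).encode("ascii")).digest()
    return "_acme-challenge." + base, b64url(digest)


def served_body_matches(body: bytes, token: str, account_jwk: dict) -> bool:
    """Trailing whitespace is tolerated; an HTML wrapper, BOM or truncation is not."""
    return body.rstrip(b" \t\r\n") == key_authorization(token, account_jwk).encode("ascii")


# Constructed sample values: a toy JWK and token, not a real key or challenge.
SAMPLE_JWK = {"kty": "RSA", "e": "AQAB", "n": "q83vASNFZ4k", "alg": "RS256"}
SAMPLE_TOKEN = "constructed-token-0001"
```

Because both values are bound to the account key thumbprint, a file or TXT record created for one Let’s Encrypt key will not validate a request signed with a different one.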
The “Certificate” screen
This is the final screen of the wizard. You will have your certificate on it, which you should either download or copy. The certificate contains both your domain certificate and the issuer’s certificate. If for some reason issuer’s certificate could not be retrieved, you will see a proper warning. If you had your CSR generated, then you will also see your domain key here. It is important to download or copy it too – your certificate will not work without it. If you used an existing CSR on the “Details” screen, then there will be no domain key shown, since you should already have it. Please note that the domain key is not (and should not be) the same as your “Let’s Encrypt key”.
For the renewal just repeat the process but use your previously created Let’s Encrypt key and CSR on the “Details” screen. Please note that you do not need to use your domain key during the renewal. Also note that when you are using previously created (or created elsewhere) CSR, the last step will only have the certificate file shown but not the corresponding domain key – that key will just be the same as when you created your CSR.
Self-Signed Certificate Generator.
This tool allows you to generate a self-signed SSL certificate with 2048 bits key in one click. Those certificates are not trusted by browsers (unless you add them as such), but they are useful for testing and internal use.
How to use
You can enter the domain names, IP addresses (both v4 and v6 can be used), URIs or emails into the appropriate fields. Use whitespaces or commas as separators for multiple entries. Then just click the “Generate” button and your key and certificate will be created for you. The validity of the certificate is set to 1 year.
Please note that those are NOT trusted certificates and they should not be used for public web sites. If you are looking for actual trusted certificates – use our FREE SSL Certificate Wizard instead.
CSR Generator.
This tool allows you to generate Certificate Signing Requests. It can also produce an appropriate RSA Key of 4096 or 2048 bits or you may use your existing key, for example, created with “OpenSSL” command.
How to use
You will need to enter the domain names you want on your Certificate Signing Request. You can separate them with either whitespaces or commas. The CSR Generator respects the order in which the domains are listed, so the first domain will go to the Subject field. If there’s more than one domain name, then they go into the SubjectAltNames field in the listed order. Wildcards are allowed.
You can also choose to edit pre-filled “Organization”, “Organizational Unit”, “City/Locality”, “State/Province” and “Country”. Those fields are ignored by Let’s Encrypt, but you may need them if you are creating your CSR to use it somewhere else.
You can generate your CSR either based on an existing key, in which case you need to paste it into the area on the left, or on a generated key (in which case you should just leave that area blank). If the key is not entered, then a new 4096-bit or 2048-bit key (depending on what you have selected) will be automatically generated with the CSR and you will be able to download or copy them to the clipboard, using the appropriate buttons in the top right corner of each text area. Please note that all necessary calculations are done in your browser, so it might take a while to create a long key – on a 5-year-old PC it could take up to a minute to create a 4096-bit key.
Note: If you are creating a CSR to get certificates for some AWS service (such as API Gateway or CloudFront), then choose 2048 bits instead of the default 4096 bits. This is due to the limitations regarding the maximum key size for AWS services.
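The same domain-ordering rule expressed as an OpenSSL request configuration, for readers who create the CSR locally from an existing key. This is an added example, not the CSR Generator’s code; the function names are hypothetical, and dropping repeated names and listing every name (including the first) in subjectAltName are assumptions of this sketch.

```python
import re

ALLOWED_BITS = (2048, 4096)  # the two key sizes the CSR Generator offers
LABEL = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")


def parse_domains(text: str) -> list:
    """Split on whitespace or commas, keep the listed order, drop repeats."""
    names = []
    for raw in re.split(r"[\s,]+", text.strip()):
        name = raw.lower().rstrip(".")
        if not name:
            continue
        labels = name.split(".")
        # A wildcard is only accepted as the whole leftmost label.
        rest = labels[1:] if labels[0] == "*" else labels
        if len(rest) < 2 or not all(LABEL.match(part) for part in rest):
            raise ValueError("not a usable domain name: %r" % raw)
        if name not in names:
            names.append(name)
    if not names:
        raise ValueError("no domain names given")
    return names


def openssl_req_config(domains_text: str, bits: int = 4096) -> str:
    """Config for `openssl req -new`: first name as CN, all names as SANs."""
    if bits not in ALLOWED_BITS:
        raise ValueError("key size must be one of %r" % (ALLOWED_BITS,))
    names = parse_domains(domains_text)
    san = ",".join("DNS:" + name for name in names)
    return "\n".join([
        "[req]",
        "default_bits = %d" % bits,  # used only when openssl creates the key
        "default_md = sha256",
        "prompt = no",
        "distinguished_name = dn",
        "req_extensions = ext",
        "[dn]",
        "CN = " + names[0],
        "[ext]",
        "subjectAltName = " + san,
        "",
    ])
```

Save the output as `csr.cnf` and run `openssl req -new -key domain.key -config csr.cnf -out domain.csr` to base the CSR on an existing key; inspect the result with `openssl req -in domain.csr -noout -text` before pasting it into the wizard.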
Browser compatibility notes
We did our best to make the site and the service compatible with all the most popular modern browsers. However, there are some interface features that might not be available in certain browsers. In particular:
- The “Download” button will not work or be available for users of MSIE v11 and earlier versions and users of Safari.
- Users of MSIE might see a popup regarding the clipboard while using the “Copy to clipboard” button. They can either allow clipboard access so that the button works and copies the data into the clipboard, or they can manually copy the textarea content using the Ctrl-C keyboard combination or the mouse.
If you are using a “Copy to clipboard” function, always make sure that you have copied the data by pasting it somewhere safe before leaving the page!
If you are annoyed by the MSIE clipboard prompt, you can always turn it off by disabling it in Internet Options > Security > Internet zone > Custom Level > Allow programmatic clipboard access.
Offline Client and Library.
We also have an offline ZeroSSL client (le.pl), which can be installed on your own server or another computer where a Perl interpreter is available. Perl is usually installed on most Linux systems and the package works well on many OS and Perl versions. Linux, FreeBSD, NetBSD, Mac OS X, and Windows are supported. The ZeroSSL client will allow you to get SSL certificates on your own server with a single command. The functionality of the client can be easily extended with external Perl modules. The package also includes a development library, which you can use to automate the process in any way you like or even create your own client application.