How to Get an SSL Certificate (Free and Paid Options)

How to get an SSL certificate for your website: free options like Let's Encrypt and Cloudflare, paid DV/OV/EV certificates, the CSR and validation process, and choosing the right option.

Every website needs an SSL certificate. Without one, browsers show "Not Secure" warnings, search engines penalize your rankings, and any data your visitors submit travels across the internet unencrypted. The good news is that getting a certificate is straightforward, and for most websites, it is free.

This guide covers every common way to get an SSL certificate, from fully automated free options to paid certificates with organization validation. For a deeper understanding of how SSL/TLS works under the hood, see our SSL/TLS guide.

Free SSL Certificates

For the vast majority of websites, a free certificate provides the exact same encryption as a $200/year paid certificate. The padlock in the browser looks identical. The encryption strength is identical. The difference is in what the certificate says about your organization, not in how it protects data in transit.

Let's Encrypt

Let's Encrypt is the largest free certificate authority in the world, issuing certificates for over 300 million websites. It is run by the Internet Security Research Group (ISRG), a nonprofit backed by major tech companies.

How to get a certificate with Let's Encrypt:

  1. Install an ACME client on your server. Certbot is the most popular choice.
  2. Run the client and tell it which domain(s) you need a certificate for.
  3. The client automatically proves you control the domain (via an HTTP challenge or DNS challenge).
  4. Let's Encrypt issues the certificate and the client installs it.

On an Ubuntu server with Nginx, the whole process looks like this:

# Install Certbot
sudo apt install certbot python3-certbot-nginx

# Get and install the certificate
sudo certbot --nginx -d example.com -d www.example.com

# Certbot configures Nginx automatically and sets up renewal

Certbot also sets up automatic renewal via a cron job or systemd timer. Let's Encrypt certificates are valid for 90 days, so automation is not optional -- it is required.

What you get:

  • DV (Domain Validation) certificate
  • 90-day validity, auto-renewed
  • Single domain, multi-domain (SAN), or wildcard certificates
  • RSA and ECDSA key support

Limitations:

  • No OV or EV certificates
  • 90-day validity means you must automate renewal
  • Rate limits: 50 certificates per registered domain per week
  • No warranty, no customer support (community forums only)

For a complete look at free certificate options, see Free SSL Certificates Guide.

Cloudflare Universal SSL

If you use Cloudflare as your CDN or DNS provider, you get a free SSL certificate automatically. When you route your domain through Cloudflare by changing your nameservers, they provision a certificate within minutes. You do not install anything. You do not renew anything. Cloudflare handles it all.

How to set it up:

  1. Create a Cloudflare account and add your domain.
  2. Change your domain's nameservers to the ones Cloudflare provides.
  3. Wait for nameserver propagation (usually under an hour).
  4. Cloudflare automatically issues a Universal SSL certificate.

The Universal SSL certificate is a shared certificate -- your domain appears on a cert alongside other Cloudflare customers. For most sites, this does not matter. If you want a dedicated certificate, Cloudflare's Advanced Certificate Manager is $10/month.

Important: Cloudflare's "Flexible" SSL mode encrypts traffic between visitors and Cloudflare but leaves the connection from Cloudflare to your server unencrypted. Always use "Full (Strict)" mode with a valid certificate on your origin server.

Hosting Provider Auto-SSL

Many hosting providers now include SSL certificates as part of their standard plans. If you use one of these providers, you may already have a certificate without doing anything.

  • cPanel hosting -- Most cPanel hosts include AutoSSL, which provisions Let's Encrypt or Sectigo certificates automatically for every domain on your account.
  • Vercel, Netlify, Render -- Certificates are provisioned automatically when you connect a custom domain. Zero configuration.
  • AWS (ACM) -- AWS Certificate Manager provides free certificates for use with AWS services like CloudFront and ELB.
  • Google Cloud, Azure -- Both offer managed certificate options for their load balancers and CDN products.

If your hosting provider handles SSL automatically, you do not need to do anything else. Just verify the certificate is active by checking for the padlock icon in your browser.

Paid SSL Certificates

Free certificates provide encryption. Paid certificates provide encryption plus identity verification. The question is whether that extra verification matters for your use case.

DV (Domain Validation) Certificates

DV certificates verify only that you control the domain. The CA checks via email, DNS, or HTTP challenge -- the same process Let's Encrypt uses. Paid DV certificates from commercial CAs typically cost $5-50/year.

When to pay for a DV certificate: Honestly, almost never. Let's Encrypt DV certificates use the same encryption and are trusted by the same browsers. The only reason to buy a DV certificate is if your infrastructure does not support ACME automation and you need a certificate with a longer validity period (up to 1 year).

OV (Organization Validation) Certificates

OV certificates verify that your organization legally exists. The CA checks business registration documents, verifies your physical address, and may call your listed phone number. This process takes 1-3 business days.

The certificate itself includes your organization name, city, state, and country in the Subject field. You can see this by clicking the padlock in your browser and viewing certificate details.

Cost: $50-200/year.

When to use OV: If you are a business that wants the certificate to explicitly identify your organization. Some regulated industries require OV or higher. Government agencies, financial institutions, and healthcare organizations often mandate it. For more on certificate types, see Types of SSL Certificates.

EV (Extended Validation) Certificates

EV certificates require the most thorough verification. The CA verifies your organization's legal existence, physical address, operational status, and the authority of the person requesting the certificate. The process typically takes 1-5 business days.

EV certificates used to display a green address bar with the company name in the browser. Most browsers removed this visual distinction in 2019-2020, which significantly reduced the practical value of EV certificates. The certificate details still show the organization information, but users have to click through to see it.

Cost: $100-500/year.

When to use EV: If you are a large organization that needs the highest level of identity assurance, or if compliance requirements mandate it. For most websites, EV certificates are not worth the cost or hassle.

The Process: CSR, Validation, Installation

If you are getting a paid certificate (or a free one from a provider that does not automate the process), here is what the workflow looks like.

Step 1: Generate a CSR (Certificate Signing Request)

A CSR is a block of encoded text that contains your public key and information about your domain and organization. You generate it on your server.

openssl req -new -newkey rsa:2048 -nodes \
  -keyout example.com.key \
  -out example.com.csr

OpenSSL will ask you to fill in details like country, state, organization name, and the common name (your domain). The common name is the most important field -- it must match your domain exactly.

The command produces two files:

  • example.com.key -- your private key. Keep this secret. Never share it.
  • example.com.csr -- the CSR you will submit to the CA.
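
Before submitting, confirm that the CSR is intact and belongs to the key you kept. The script below is an added example, not part of the original guide: make_csr and check_csr are hypothetical helper names, example.com is a placeholder, and it adds a subjectAltName entry because browsers match the hostname against that field.

```sh
#!/bin/sh
# Added example. example.com is a placeholder; make_csr and check_csr are
# hypothetical helper names, not OpenSSL or CA tooling.

# make_csr <domain> <dir>: non-interactive form of the command above.
make_csr() {
    (
        umask 077   # the key file is created readable by its owner only
        openssl req -new -newkey rsa:2048 -nodes \
            -keyout "$2/$1.key" -out "$2/$1.csr" \
            -subj "/CN=$1" \
            -addext "subjectAltName=DNS:$1,DNS:www.$1" 2>/dev/null
    )
}

# check_csr <domain> <dir>: returns 0 only if every check passes.
check_csr() {
    csr="$2/$1.csr"; key="$2/$1.key"
    # 1. The CSR's self-signature verifies (catches truncation or a bad paste).
    #    Match on the message: older OpenSSL exits 0 even when this fails.
    openssl req -in "$csr" -noout -verify 2>&1 | grep -q "verify OK" ||
        { echo "CSR signature does not verify"; return 1; }
    # 2. The CSR carries the public half of this private key.
    [ "$(openssl req -in "$csr" -noout -pubkey 2>/dev/null)" = \
      "$(openssl pkey -in "$key" -pubout 2>/dev/null)" ] ||
        { echo "CSR does not match $key"; return 1; }
    # 3. The domain appears in subjectAltName.
    openssl req -in "$csr" -noout -text | grep -q "DNS:$1" ||
        { echo "domain missing from subjectAltName"; return 1; }
    # 4. Only the CSR leaves the server; it must not contain key material.
    if grep -q "PRIVATE KEY" "$csr"; then
        echo "private key found in CSR file"; return 1
    fi
    echo "CSR for $1 is ready to submit"
}

# Demo in a throwaway directory.
tmp=$(mktemp -d) && make_csr example.com "$tmp" && check_csr example.com "$tmp"
rm -rf "$tmp"
```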

Step 2: Submit the CSR and Validate

Submit the CSR to your chosen certificate authority through their website or API. Then complete the validation process:

DV validation methods:

  • Email: The CA sends an email with a verification link to an administrative address at your domain (such as admin@ or a similar role address).
  • HTTP: Place a specific file at a specific URL on your web server.
  • DNS: Create a specific TXT or CNAME record in your domain's DNS.

OV/EV validation includes the DV step plus organization verification through documents and phone calls.

Step 3: Download and Install

Once validated, the CA issues your certificate. You will typically receive:

  • Your certificate file (.crt or .pem)
  • An intermediate certificate bundle (the CA's chain)

You need both. The intermediate certificate connects your certificate to the CA's root certificate, which browsers trust. Without it, some browsers and devices will show errors. For a full explanation, see SSL Certificate Chain Explained.
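
The effect of a missing intermediate can be reproduced offline. The script below is an added example, not part of the original guide: it builds a throwaway root, intermediate and leaf (constructed test certificates, not a real CA's files) and verifies the leaf with and without the intermediate. build_chain and chain_ok are hypothetical helper names.

```sh
#!/bin/sh
# Added example: a constructed root -> intermediate -> leaf hierarchy for
# illustration only. build_chain and chain_ok are hypothetical helper names.

# build_chain <dir>: writes root.pem, inter.pem and leaf.pem into <dir>.
build_chain() {
    d=$1
    echo "basicConstraints=critical,CA:TRUE" > "$d/ca.ext"
    # Root: self-signed, stands in for the CA root that browsers already trust.
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=Test Root" \
        -keyout "$d/root.key" -out "$d/root.pem" 2>/dev/null &&
    # Intermediate: signed by the root and allowed to issue certificates.
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Test Intermediate" \
        -keyout "$d/inter.key" -out "$d/inter.csr" 2>/dev/null &&
    openssl x509 -req -in "$d/inter.csr" -days 30 -extfile "$d/ca.ext" \
        -CA "$d/root.pem" -CAkey "$d/root.key" -CAcreateserial \
        -out "$d/inter.pem" 2>/dev/null &&
    # Leaf: the site certificate, signed by the intermediate.
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=example.com" \
        -keyout "$d/leaf.key" -out "$d/leaf.csr" 2>/dev/null &&
    openssl x509 -req -in "$d/leaf.csr" -days 30 \
        -CA "$d/inter.pem" -CAkey "$d/inter.key" -CAcreateserial \
        -out "$d/leaf.pem" 2>/dev/null
}

# chain_ok <root.pem> <leaf.pem> [bundle.pem]: verify the leaf while trusting
# only the root; the optional bundle plays the part of what the server sends.
chain_ok() {
    if [ -n "$3" ]; then
        openssl verify -CAfile "$1" -untrusted "$3" "$2" >/dev/null 2>&1
    else
        openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
    fi
}

# Demo in a throwaway directory.
tmp=$(mktemp -d) && build_chain "$tmp"
chain_ok "$tmp/root.pem" "$tmp/leaf.pem" || echo "leaf alone: verification fails"
chain_ok "$tmp/root.pem" "$tmp/leaf.pem" "$tmp/inter.pem" &&
    echo "leaf + intermediate: verification succeeds"
rm -rf "$tmp"
```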

Installation varies by server. For detailed installation steps, see How to Install an SSL Certificate.

Choosing the Right Option

For most websites, the decision tree is simple:

Hosting provider handles SSL automatically? You are done. Use what they provide.

Using Cloudflare? Universal SSL is already active. Make sure you have "Full (Strict)" mode enabled and a certificate on your origin server.

Running your own server? Use Let's Encrypt with Certbot. It is free, automated, and trusted everywhere.

Need OV/EV for compliance? Buy from a commercial CA like DigiCert, Sectigo, or GlobalSign. Budget for $50-300/year depending on validation level. See our SSL Certificate Providers Compared for a breakdown.

Need a certificate for an internal service or testing? You can generate a self-signed certificate for free, but browsers will not trust it. Self-signed certificates are only appropriate for development environments and internal tools where you can manually trust the certificate.

The one thing you should never do is run a website without any SSL certificate. Browsers have made the "Not Secure" warning increasingly prominent, and the SEO penalty for HTTP-only sites is real. Even if your site is a simple brochure with no forms or user input, HTTPS is the baseline expectation. For the migration process, see this guide on moving from HTTP to HTTPS.

After You Get the Certificate

Getting the certificate is step one. Keeping it working is the ongoing job.

Monitor expiry dates. Let's Encrypt certificates expire every 90 days. Paid certificates expire annually. Auto-renewal usually works, but when it fails -- due to a DNS change, a firewall rule, or a server migration -- your site goes down with a certificate error. For a production-focused look at running Let's Encrypt, see the Let's Encrypt Production Guide.

Test your configuration. After installation, verify that the certificate chain is complete, the protocol versions are correct, and the cipher suites are secure. Tools like Qualys SSL Labs (ssllabs.com/ssltest) give you a detailed report.

Set up monitoring. Automated certificate monitoring checks your certificates daily and alerts you before they expire. This catches auto-renewal failures, misconfigured chains, and certificates that were quietly replaced with weaker configurations.
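
A minimal version of such a check, as an added example that is not part of the original guide or any monitoring product: it classifies certificate files by how close they are to expiry. expiry_status and scan_certs are hypothetical helper names, and the demo certificate is constructed on the spot.

```sh
#!/bin/sh
# Added example. expiry_status and scan_certs are hypothetical helper names;
# pick a warning window that leaves time to fix a failed renewal.

# expiry_status <cert.pem> <warn_days>
# returns 0 = fine, 1 = expires within warn_days, 2 = already expired,
#         3 = file is not a readable certificate
expiry_status() {
    openssl x509 -in "$1" -noout 2>/dev/null || return 3
    # -checkend N exits non-zero if the certificate expires within N seconds.
    openssl x509 -in "$1" -noout -checkend 0 >/dev/null 2>&1 || return 2
    openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null 2>&1 ||
        return 1
    return 0
}

# scan_certs <dir> <warn_days>: report every *.pem in <dir>, return the worst status.
scan_certs() {
    worst=0
    for f in "$1"/*.pem; do
        [ -e "$f" ] || continue
        rc=0; expiry_status "$f" "$2" || rc=$?
        case $rc in
            0) msg="ok" ;;
            1) msg="expires within $2 days ($(openssl x509 -in "$f" -noout -enddate))" ;;
            2) msg="EXPIRED" ;;
            *) msg="unreadable" ;;
        esac
        echo "$f: $msg"
        if [ "$rc" -gt "$worst" ]; then worst=$rc; fi
    done
    return "$worst"
}

# Demo on a constructed self-signed certificate that is valid for 10 days.
tmp=$(mktemp -d)
openssl req -x509 -newkey rsa:2048 -nodes -days 10 -subj "/CN=example.com" \
    -keyout "$tmp/demo.key" -out "$tmp/demo.pem" 2>/dev/null
scan_certs "$tmp" 30 || echo "renewal needs attention"
rm -rf "$tmp"
```

To check a live site, save its certificate first with `openssl s_client -connect example.com:443 -servername example.com </dev/null 2>/dev/null | openssl x509 -out site.pem` and point the scan at that file's directory.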
