SSL stands for Secure Sockets Layer. SSL certificates are essential for enabling the HTTPS protocol, which facilitates secure communication between a web server and a web browser. Nowadays most modern browsers won’t even load a website without HTTPS.
SSL certificates are issued by a Certifying Authority. A Certifying Authority is a trusted body that verifies a person’s or organization’s identity and then issues digital certificates for them. In the case of an SSL certificate, identity verification means verifying ownership of the domain name for which the certificate is being issued. This verification can be done in various ways.
- Mail verification: A mail is sent to the admin or webmaster mail account of the domain name.
- DNS verification: Adding a CNAME record in the DNS table.
- File based verification: Uploading a file provided by the Certifying Authority in the .well-known folder of the website.
An SSL certificate can become very costly. A typical SSL certificate can cost between $5 and $1000 depending on type and use case. However, there are some free options as well. Some hosting providers offer free SSL certificates through cPanel. There is another option called ZeroSSL. However, ZeroSSL has some limits. It will only provide certificates with 90-days validity. A free account can only get up to 3 free SSL certificates. If you need a certificate with more than 90-days validity or more than 3 SSL certificates, then you have to pay.
Let’s Encrypt is a wonderful project operated by the Internet Security Research Group (ISRG) that provides free SSL certificates. There is no limit to the number of certificates issued. However, each certificate has only 90-days validity. That is not a problem, though, because Let’s Encrypt can auto-renew the certificate when it is about to expire.
In order to get a free SSL certificate from Let’s Encrypt we need to install Certbot, an application provided by ISRG, on Linux. Certbot has integration plugins for commonly used web servers such as Apache, Nginx etc. It will automatically detect domain names in these web servers and issue certificates for them. It can also auto-renew certificates when they are about to expire. It is also possible to get only a certificate, without auto-configuring the web server, with the certonly subcommand. If someone needs to get an SSL certificate without running any web server, there is a --standalone option.
Command for installing Certbot in Ubuntu/Debian:
sudo apt-get install certbot
Command for installing Certbot in Red Hat/Rocky Linux/Fedora:
sudo dnf install certbot
Command for initiating Certbot for Apache web server:
sudo certbot --apache
Command for initiating Certbot for Nginx web server:
sudo certbot --nginx
Command for getting certificate only without auto configuring the web server:
sudo certbot certonly --apache
Command for running Certbot without running any web server:
sudo certbot certonly --standalone
The certificate and key files can be found in the /etc/letsencrypt/ path.
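Because each certificate is valid for only 90 days and the private key sits on disk under /etc/letsencrypt/, it is worth checking the result after issuance and after each renewal. The script below is an added example, not part of Certbot or of the original article; it assumes Certbot's usual live/<domain>/ layout with fullchain.pem and privkey.pem, and example.com is a placeholder.

```shell
#!/bin/sh
# Added example: post-issuance checks for a Certbot certificate directory.
# Assumes Certbot's usual layout, /etc/letsencrypt/live/<domain>/ holding
# fullchain.pem and privkey.pem; example.com below is a placeholder.

# Succeeds if the certificate is still valid DAYS days from now.
cert_valid_for() {  # cert_valid_for CERT DAYS
    openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null 2>&1
}

# Succeeds if the private key belongs to the (first) certificate in CERT.
key_matches_cert() {  # key_matches_cert CERT KEY
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Succeeds if the key file grants nothing to group or others.
key_is_private() {  # key_is_private KEY
    [ "$(ls -lL "$1" 2>/dev/null | cut -c5-10)" = "------" ]
}

# Runs all three checks and reports each failure; returns non-zero on any.
audit_cert() {  # audit_cert LIVE_DIR MIN_DAYS
    rc=0
    cert_valid_for "$1/fullchain.pem" "$2" ||
        { echo "FAIL: certificate unreadable or expires within $2 days"; rc=1; }
    key_matches_cert "$1/fullchain.pem" "$1/privkey.pem" ||
        { echo "FAIL: privkey.pem does not match fullchain.pem"; rc=1; }
    key_is_private "$1/privkey.pem" ||
        { echo "FAIL: privkey.pem is readable by group or others"; rc=1; }
    [ "$rc" -eq 0 ] && echo "OK: $1"
    return "$rc"
}

# Usage: sudo sh audit.sh /etc/letsencrypt/live/example.com 30
if [ "$#" -ge 2 ]; then
    audit_cert "$1" "$2"
fi
```

Run from cron or a monitoring job, a non-zero exit with 30 as the threshold means auto-renewal has not happened when it should have, or the key file needs attention.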
