How to Get a Free SSL Certificate: Let's Encrypt, Cloudflare, ZeroSSL, and More
Free SSL certificates are now the standard for most web traffic. Step-by-step guide to Let's Encrypt, Cloudflare, AWS ACM, ZeroSSL, and Google SSL — with honest trade-offs for each.
SSL certificates used to cost money — $100 to $300 a year from Comodo, DigiCert, or GoDaddy. That market collapsed in 2016 when Let’s Encrypt launched and made domain-validated certificates free for everyone. Today, nearly every public TLS certificate issued for a website is free. The question is no longer whether you can get a free SSL certificate, but which free option fits your infrastructure.
This guide covers the five most widely used sources of free SSL certificates, how to obtain and install each one, and the trade-offs that vendor documentation tends to skip.
What “free SSL certificate” actually means
All free SSL certificates covered here are domain-validated (DV) certificates. They prove that whoever requested the cert controls the domain — nothing more. They encrypt traffic identically to expensive OV or EV certificates. The padlock looks the same. The cipher suites are the same.
What you are not getting for free:
- Organization Validation (OV): the CA verifies your company exists in a business registry. Rarely worth the cost for most teams.
- Extended Validation (EV): the green company name display. Browsers deprecated the special EV UI treatment years ago; there is no user-visible benefit.
- Long validity periods: free certs typically max out at 90 days. The CA/Browser Forum’s SC-081v3 ballot is moving the entire industry toward 47-day certificates by 2029, so short validity is increasingly the norm regardless of price.
If you are serving public web traffic, a free DV certificate is the correct choice. The only exceptions are regulated industries that require OV or EV by policy — and even then, you are buying the validation paperwork, not meaningfully stronger encryption.
Let’s Encrypt
Best for: Linux servers where you control the deployment environment.
Let’s Encrypt is a nonprofit Certificate Authority run by the Internet Security Research Group (ISRG). It has issued billions of certificates and underpins free SSL for a significant share of the web. Certificates are 90-day DV certs, issued via the ACME protocol, with fully automated renewal.
Getting a certificate with Certbot:
Certbot is the official Let’s Encrypt client, maintained by the EFF. On a server running Nginx:
sudo apt install certbot python3-certbot-nginx
sudo certbot --nginx -d yourdomain.com -d www.yourdomain.com
Certbot handles domain validation (it briefly serves a challenge file on port 80), certificate issuance, and Nginx configuration — then installs a systemd timer that runs renewal automatically at around 60 days.
For non-web-server use cases — API workers, Docker containers, custom deployments — acme.sh is a pure-shell ACME client with broader integration support:
curl https://get.acme.sh | sh
acme.sh --issue -d yourdomain.com --webroot /var/www/html
Wildcard certificates via DNS-01:
Let’s Encrypt issues wildcard certificates (*.yourdomain.com), but only via the DNS-01 challenge — you prove domain control by adding a TXT record to your DNS zone rather than serving a file from a web server:
certbot certonly --manual --preferred-challenges dns \
-d "*.yourdomain.com" -d yourdomain.com
Most major DNS providers have Certbot plugins that automate the TXT record creation and deletion, so wildcard renewal can be fully unattended.
Pros: fully open and nonprofit-backed; wildcard support; the widest ACME client ecosystem; no account required for basic use.
Cons: requires server access and CLI familiarity; rate limits of 50 certificates per registered domain per week (rarely a problem except for large automation pipelines); 90-day validity means a broken renewal job is an outage waiting to happen.
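The wildcard flow above can run unattended end to end, and the same script can serve as the deploy hook so Nginx is reloaded only when its configuration still validates (a failed reload is the most common way a "successful" renewal keeps serving the old certificate). This is an added example, not code from the article or from the Certbot project: it assumes the python3-certbot-dns-cloudflare plugin is installed, and example.com, the credentials path, the contact address and the Slack webhook URL are placeholders.

```shell
#!/usr/bin/env bash
# Added example, not from the article or Certbot: unattended wildcard issuance over DNS-01
# with Certbot's Cloudflare DNS plugin, plus a deploy hook that reloads Nginx only when the
# configuration still validates. Domain, file paths and the webhook URL are placeholders.
set -eu

BASE_DOMAIN="${BASE_DOMAIN:-example.com}"                   # placeholder domain
CREDS_FILE="${CREDS_FILE:-/etc/letsencrypt/cloudflare.ini}" # contains: dns_cloudflare_api_token = <token>
SLACK_WEBHOOK_URL="${SLACK_WEBHOOK_URL:-}"                  # placeholder; empty = log to stderr only

# Commands the hook runs; overridable so the reload logic can be exercised without Nginx present.
NGINX_TEST_CMD="${NGINX_TEST_CMD:-nginx -t}"
NGINX_RELOAD_CMD="${NGINX_RELOAD_CMD:-systemctl reload nginx}"

# Raise an alert; falls back to stderr when no webhook is configured.
notify() {
  echo "ALERT: $1" >&2
  if [ -n "$SLACK_WEBHOOK_URL" ]; then
    curl -fsS -X POST -H 'Content-type: application/json' \
      --data "{\"text\":\"$(hostname): $1\"}" "$SLACK_WEBHOOK_URL" >/dev/null || true
  fi
}

# Deploy-hook body. Certbot exports RENEWED_DOMAINS and RENEWED_LINEAGE to the hook. A non-zero
# exit here surfaces in certbot's own exit status and log, so renewal alerting sees it.
reload_if_valid() {
  if ! $NGINX_TEST_CMD >/dev/null 2>&1; then
    notify "cert for ${RENEWED_DOMAINS:-?} renewed but nginx config test failed; old cert still served"
    echo "not-reloaded"
    return 1
  fi
  if ! $NGINX_RELOAD_CMD >/dev/null 2>&1; then
    notify "nginx reload failed after renewing ${RENEWED_DOMAINS:-?}; old cert still served"
    echo "not-reloaded"
    return 1
  fi
  echo "reloaded"
}

issue() {
  [ -f "$CREDS_FILE" ] || { echo "missing $CREDS_FILE" >&2; exit 2; }
  chmod 600 "$CREDS_FILE"   # certbot warns about world-readable credential files
  # The deploy hook is stored in the renewal config, so 'certbot renew' reuses it unattended.
  # The apex must be listed explicitly: *.example.com does not cover example.com itself.
  certbot certonly --non-interactive --agree-tos -m "admin@${BASE_DOMAIN}" \
    --dns-cloudflare --dns-cloudflare-credentials "$CREDS_FILE" \
    --dns-cloudflare-propagation-seconds 60 \
    --deploy-hook "$(readlink -f "$0") hook" \
    -d "$BASE_DOMAIN" -d "*.${BASE_DOMAIN}"
}

# Usage: ./le-wildcard.sh issue   (first issuance)
#        ./le-wildcard.sh renew   (from cron or a systemd timer; alerts when 'certbot renew' fails)
#        ./le-wildcard.sh hook    (invoked by certbot after each successful renewal)
case "${1:-}" in
  issue) issue ;;
  hook)  reload_if_valid ;;
  renew) certbot renew --quiet || notify "certbot renew failed on $(hostname)" ;;
esac
```

The test and reload commands are read from variables so the hook's decision logic can be exercised on a machine without Nginx; in production leave the defaults. Because `certbot renew` exits non-zero when any lineage fails to renew, wrapping it once with `|| notify` covers the "renewal job fails on an inconvenient day" case without parsing logs.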
Cloudflare Free Plan
Best for: Any domain using Cloudflare for DNS, even without touching the origin server.
Cloudflare’s free plan includes Universal SSL, which automatically provisions an edge certificate for every domain on the platform. From a user’s browser to Cloudflare’s edge, traffic is encrypted — no server-side configuration required.
Getting started:
- Add your domain to Cloudflare and point your nameservers to Cloudflare’s.
- Universal SSL provisions automatically, usually within minutes.
- In the Cloudflare dashboard, go to SSL/TLS → Overview and set the mode to Full (strict).
That’s it. No terminal commands, no renewal cron.
Edge certificates versus origin certificates:
Cloudflare’s Universal SSL secures the browser-to-Cloudflare leg. If your origin communicates with Cloudflare over plain HTTP (“Flexible” mode), traffic between Cloudflare and your server is unencrypted. For Full (strict) mode — which you should use — the origin also needs a valid certificate. Options: a Let’s Encrypt certificate on the origin server, or Cloudflare’s free Origin Certificates (15-year validity, trusted only between Cloudflare and your origin, not publicly trusted on their own).
Pros: zero configuration on most setups; automatic renewal; DDoS protection and CDN included.
Cons: only applies to Proxied records (the orange-cloud icon in Cloudflare’s DNS panel). DNS-only records get no edge certificate. Cloudflare sits in the traffic path, which has compliance and data-sovereignty implications for some environments.
AWS Certificate Manager
Best for: Services running on AWS — ALB, CloudFront, API Gateway, and similar managed services.
AWS Certificate Manager (ACM) issues free, automatically renewing certificates for use with supported AWS services. You pay for the AWS service the certificate is attached to; the certificate itself has no charge.
Requesting an ACM certificate:
- In the AWS Console, open Certificate Manager → Request a certificate.
- Choose Request a public certificate and enter your domain names. Wildcards are supported.
- Select DNS validation (recommended). ACM creates a CNAME record in Route 53 automatically if you use it; otherwise add the CNAME manually to your DNS provider.
- Once the CNAME propagates, the certificate status changes to Issued — typically within a few minutes.
- Attach the certificate to your ALB HTTPS listener or CloudFront distribution from within the service’s settings.
ACM handles renewal silently in the background. You never touch a .pem file.
The critical limitation: ACM certificates can only be used with ACM-integrated AWS services. You cannot export an ACM certificate to install on an EC2 instance running Nginx directly, or on any server outside AWS. For those cases, use Let’s Encrypt or ZeroSSL on the instance.
A common trap: teams import a third-party certificate into ACM for initial convenience, then expect it to auto-renew. Imported certificates in ACM do not auto-renew — that responsibility stays with you.
Pros: fully managed and automatic; wildcard support; tight integration with IAM, CloudWatch, and deployment pipelines.
Cons: AWS-only and non-exportable; certificates are regional (a cert in us-east-1 cannot be used on an ALB in eu-west-1, except for CloudFront which requires us-east-1); imported certificates are not managed by ACM.
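The console steps above map directly onto the AWS CLI, which is how most teams script the request, the validation CNAME and the wait for issuance. This is an added example, not code from the article or from AWS documentation: it assumes an AWS CLI profile with ACM and Route 53 permissions, and example.com, the hosted-zone id and the region are placeholders (us-east-1 is chosen because CloudFront only accepts certificates from that region; an ALB needs one in its own region).

```shell
#!/usr/bin/env bash
# Added example, not from the article or AWS: request an ACM certificate with DNS validation,
# publish the validation CNAME in a Route 53 hosted zone and wait for issuance.
# Domain, hosted-zone id and region are placeholders.
set -eu

DOMAIN="${DOMAIN:-example.com}"                      # placeholder
HOSTED_ZONE_ID="${HOSTED_ZONE_ID:-Z0000000000000}"   # placeholder Route 53 zone id
AWS_REGION="${AWS_REGION:-us-east-1}"                # CloudFront requires us-east-1; ALBs use their own region

# Route 53 change batch that UPSERTs one CNAME, so the "add the CNAME manually" step
# becomes a repeatable, reviewable command.
route53_change_batch() {  # route53_change_batch NAME VALUE [TTL]
  printf '{"Changes":[{"Action":"UPSERT","ResourceRecordSet":{"Name":"%s","Type":"CNAME","TTL":%s,"ResourceRecords":[{"Value":"%s"}]}}]}' \
    "$1" "${3:-300}" "$2"
}

request_certificate() {
  aws acm request-certificate --region "$AWS_REGION" \
    --domain-name "$DOMAIN" --subject-alternative-names "www.${DOMAIN}" \
    --validation-method DNS \
    --query CertificateArn --output text
}

# ACM fills in ResourceRecord shortly after the request; poll until it is present.
validation_records() {  # prints "<name>\t<value>" per validation option
  local arn="$1" rows i
  for i in 1 2 3 4 5 6; do
    rows="$(aws acm describe-certificate --region "$AWS_REGION" --certificate-arn "$arn" \
      --query 'Certificate.DomainValidationOptions[].ResourceRecord.[Name,Value]' --output text)"
    case "$rows" in
      ""|*None*) sleep 5 ;;
      *) printf '%s\n' "$rows"; return 0 ;;
    esac
  done
  echo "validation records not available yet for $arn" >&2
  return 1
}

main() {
  local arn name value
  arn="$(request_certificate)"
  echo "requested $arn"
  # Apex and www usually share one validation record; sort -u avoids publishing it twice.
  validation_records "$arn" | sort -u | while read -r name value; do
    aws route53 change-resource-record-sets --hosted-zone-id "$HOSTED_ZONE_ID" \
      --change-batch "$(route53_change_batch "$name" "$value")" >/dev/null
    echo "published $name -> $value"
  done
  aws acm wait certificate-validated --region "$AWS_REGION" --certificate-arn "$arn"
  echo "issued: $arn (attach it to the ALB listener or CloudFront distribution)"
}

# Usage: ./acm-request.sh run
if [ "${1:-}" = "run" ]; then
  main
fi
```

Because the certificate stays inside ACM, nothing here writes a key or .pem to disk; the only artefact you keep is the ARN, which is what the ALB listener or CloudFront distribution references.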
ZeroSSL
Best for: Teams that prefer a web dashboard over a CLI, or need a Let’s Encrypt alternative with an API.
ZeroSSL is a commercial CA with a free tier covering up to three 90-day DV certificates simultaneously. It supports the ACME protocol, meaning any ACME client — Certbot, acme.sh, Caddy — can use ZeroSSL as a drop-in CA replacement.
Via the ZeroSSL dashboard:
- Create a free account at zerossl.com.
- Click New Certificate, enter your domain, and click through.
- Choose a validation method: HTTP file upload, DNS CNAME, or email.
- Download the certificate bundle (.crt + .key + CA bundle) and install it on your server.
Via ACME (using acme.sh):
acme.sh --register-account -m your@email.com --server zerossl
acme.sh --issue -d yourdomain.com --webroot /var/www/html --server zerossl
Pros: web dashboard suited to teams without CLI access; ACME-compatible — swap from Let’s Encrypt without retooling; REST API for programmatic issuance.
Cons: free tier capped at three active certificates; same 90-day validity as Let’s Encrypt; less widely battle-tested at scale than Let’s Encrypt.
Google-managed SSL certificates
Best for: Workloads on Google Cloud using Cloud Load Balancing.
Google Cloud provides managed SSL certificates for HTTPS load balancers, functionally equivalent to AWS ACM. Certificates are provisioned and renewed automatically — attach one to a load balancer target proxy and GCP manages the rest.
gcloud compute ssl-certificates create my-cert \
--domains=yourdomain.com,www.yourdomain.com \
--global
Attach the certificate to your HTTPS target proxy via the Cloud Console or gcloud compute target-https-proxies update. The certificate is issued once your domain’s A record points to the load balancer IP and DNS has propagated.
Pros: no management overhead; automatic renewal; no charge beyond the load balancer.
Cons: only works with GCP load balancers. Not usable on GCE instances running their own web servers, GKE ingresses that bypass the load balancer, or anything outside GCP.
Comparison at a glance
| Option | Wildcard support | Exportable | Auto-renews | Best for |
|---|---|---|---|---|
| Let’s Encrypt | Yes (DNS-01) | Yes | With ACME client | Self-managed servers |
| Cloudflare Free | No (edge only) | No | Yes | Cloudflare-proxied domains |
| AWS ACM | Yes | No | Yes | AWS-integrated services |
| ZeroSSL | Yes | Yes | With ACME client | GUI users, ACM alternative |
| Google-managed SSL | No | No | Yes | GCP load balancers |
The part nobody mentions: renewal and monitoring
Getting a free SSL certificate takes five minutes. Knowing that the certificate on every endpoint is valid, trusted, and not expiring this weekend is the ongoing work.
Three things break silently:
The renewal job runs but the web server doesn’t reload. The new certificate is on disk, but the process is still serving the old one. A monitoring tool that only checks the file misses this entirely. You need to check the live TLS handshake on the endpoint — which is what our SSL expiry checker does.
The renewal job fails on an inconvenient day. A full disk, a rate-limit hit, an ACME client bug, an expired DNS API token — Let’s Encrypt renewal failures are silent unless you add alerting on the renewal hook’s exit code. By the time the certificate hits the browser’s warning threshold, you are already in an incident.
A certificate on a subdomain nobody remembers. DNS grows. Services multiply. The certificate that was manually deployed to a staging endpoint 18 months ago does not have a renewal job. Certificate Transparency logs record every certificate ever issued for your domains — which means every forgotten subdomain is discoverable before it expires, not after.
For chain validation — confirming that your intermediate and root certificates are served correctly alongside the leaf cert — use the chain checker after any new installation. A certificate that passes expiry checks but has an incomplete chain still produces browser warnings.
For production environments with more than a handful of domains, continuous monitoring across all your endpoints is the only approach that keeps up with domain sprawl. The manual audit you do today is out of date the moment the next service goes live.
What to do this week
- Match the option to your infrastructure. Self-hosted Linux server → Let’s Encrypt with Certbot. Behind Cloudflare → Universal SSL with Full (strict) mode. AWS workloads → ACM. GCP load balancers → Google-managed SSL. Need portability and a GUI → ZeroSSL.
- Set up renewal automation before moving on. Certbot installs a systemd timer automatically. For other setups, schedule renewal at 30 days before expiry and add a failure hook that fires an alert to Slack or email.
- Verify the live chain after installation. Use the chain checker to confirm the certificate is being served correctly, not just that the file exists on disk.
- Don’t manage this manually past 10 domains. Once your footprint grows, you will miss renewals. You want a monitoring layer that watches the live handshake across every endpoint — not a spreadsheet, and not a cron job you haven’t looked at in six months.
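The three silent failures described under "renewal and monitoring" and the checklist above share one remedy: look at what the endpoint actually serves, not at the file on disk. This is an added example and not the site's own expiry or chain checker: it uses openssl for the live handshake and chain verification and GNU date for parsing, hostnames, ports and PEM paths are placeholders, the 30-day warning threshold is the article's own renewal guidance, and the 7-day critical threshold is constructed.

```shell
#!/usr/bin/env bash
# Added example, not the article's checker: compare the certificate an endpoint actually
# serves with the one on disk, compute days to expiry and flag an incomplete chain.
# Hostnames, ports and paths are placeholders; CRIT_DAYS is a constructed threshold.
set -eu

WARN_DAYS="${WARN_DAYS:-30}"   # the article's "renew 30 days before expiry"
CRIT_DAYS="${CRIT_DAYS:-7}"    # constructed

# notAfter of the certificate presented on a live handshake (SNI set so virtual hosts answer).
live_enddate() {  # live_enddate HOST [PORT]
  openssl s_client -servername "$1" -connect "$1:${2:-443}" </dev/null 2>/dev/null \
    | openssl x509 -noout -enddate 2>/dev/null | cut -d= -f2
}

# notAfter of a PEM file on disk (e.g. /etc/letsencrypt/live/<domain>/fullchain.pem).
file_enddate() {
  openssl x509 -in "$1" -noout -enddate | cut -d= -f2
}

# Full chain verification against the system trust store: a leaf served without its
# intermediate fails here even though the expiry check passes.
chain_ok() {  # chain_ok HOST [PORT]
  openssl s_client -servername "$1" -connect "$1:${2:-443}" -verify_return_error \
    </dev/null >/dev/null 2>&1
}

# "Jun  1 12:00:00 2026 GMT" -> epoch seconds (GNU date syntax).
enddate_to_epoch() { date -u -d "$1" +%s; }

days_left() {  # days_left NOW_EPOCH END_EPOCH
  echo $(( ($2 - $1) / 86400 ))
}

classify_days() {
  if [ "$1" -lt "$CRIT_DAYS" ]; then echo CRIT
  elif [ "$1" -lt "$WARN_DAYS" ]; then echo WARN
  else echo OK; fi
}

# The "renewed on disk but never reloaded" case: the live cert expires before the file's.
compare_live_disk() {  # compare_live_disk LIVE_EPOCH DISK_EPOCH
  if [ "$1" -lt "$2" ]; then echo STALE; else echo CURRENT; fi
}

check_endpoint() {  # check_endpoint HOST PORT [PEM_FILE]
  local host="$1" port="$2" pem="${3:-}" now enddate live_epoch days status chain
  now="$(date -u +%s)"
  enddate="$(live_enddate "$host" "$port")"
  if [ -z "$enddate" ]; then
    echo "$host:$port status=HANDSHAKE_FAILED"
    return 1
  fi
  live_epoch="$(enddate_to_epoch "$enddate")"
  days="$(days_left "$now" "$live_epoch")"
  status="$(classify_days "$days")"
  chain=OK; chain_ok "$host" "$port" || chain=BROKEN
  if [ -n "$pem" ]; then
    status="$status/$(compare_live_disk "$live_epoch" "$(enddate_to_epoch "$(file_enddate "$pem")")")"
  fi
  printf '%s:%s days_left=%s status=%s chain=%s\n' "$host" "$port" "$days" "$status" "$chain"
}

# Usage: ./tls-check.sh run example.com:443[:/etc/letsencrypt/live/example.com/fullchain.pem] ...
if [ "${1:-}" = "run" ]; then
  shift
  for spec in "$@"; do
    echo "$spec" | { IFS=: read -r h p f; check_endpoint "$h" "${p:-443}" "${f:-}"; }
  done
fi
```

Run it from cron against every public endpoint you know about and alert on any line whose status is not `OK` with `chain=OK`; a `STALE` suffix means the renewal job worked but the process was never reloaded, which is exactly the failure a file-only check cannot see.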