A free SSL certificate encrypts the connection between your visitors and your website — protecting passwords, payments, and personal data. You can get one in about 5 minutes without spending a dollar.
TL;DR — Quick version:
- Open gethttps.com/app/setup — no installation, no account
- Enter your domain name
- Verify domain ownership (place a file on your server or add a DNS record)
- Download your certificate files
- Install on your server (Nginx, Apache, cPanel, WordPress, IIS)
Read on for the full guide with every detail.
Why you need an SSL certificate
Before we start — if you’re wondering whether your site actually needs SSL:
- Browsers mark HTTP sites as “Not Secure” — Chrome, Firefox, and Edge show a warning in the address bar. Visitors leave.
- Google uses HTTPS as a ranking signal — since 2014. HTTP sites rank lower.
- Forms and logins transmit data in plaintext without HTTPS — anyone on the network can read passwords, credit card numbers, personal data.
- HTTP pages can be modified in transit — ISPs and attackers can inject ads, tracking, or malware into your pages.
- HTTPS is free — there’s no reason not to use it.
If your site is already on HTTPS, you can skip to renewal.
4 ways to get a free SSL certificate
| Method | Best for | Installation | Auto-renewal | Time |
|---|---|---|---|---|
| GetHTTPS (browser) | Anyone — no install, no server access needed | Manual | No | 5 min |
| Your hosting provider | Shared hosting with cPanel/Plesk | Automatic | Usually yes | 2 min |
| Certbot (CLI) | Server administrators with root access | Automatic | Yes | 10 min |
| Cloudflare (CDN) | Sites already using Cloudflare | Automatic | Yes | 5 min |
This guide focuses on Method 1 (GetHTTPS) because it works everywhere — shared hosting, VPS, dedicated server, or any platform where you can upload files. For other methods, see the links above.
Method 1: GetHTTPS (recommended — works anywhere)
Prerequisites
- A registered domain name pointing to a server you control
- Access to one of the following (for domain verification):
- Your web server’s file system — to place a verification file (HTTP-01 challenge)
- Your domain’s DNS settings — to add a TXT record (DNS-01 challenge)
- A modern browser — Chrome, Firefox, Edge, or Safari
Which challenge type should I use? HTTP-01 is simpler for most people. DNS-01 is required for wildcard certificates (`*.example.com`). See our HTTP-01 guide and DNS-01 guide for detailed explanations.
Step 1: Open GetHTTPS
Go to gethttps.com/app/setup.
GetHTTPS automatically generates two key pairs in your browser:
- Account key — A P-256 ECDSA key pair that identifies your Let’s Encrypt account. Signs all ACME requests.
- Certificate key — The key pair for your SSL certificate. ECDSA P-256 by default (recommended) or RSA 2048.
Both keys are created using the Web Crypto API built into your browser. They exist only in browser memory and are never sent to any server — not even ours. This is the key privacy advantage over tools like SSL For Free (which generates keys on their server) or ZeroSSL (which may generate keys server-side depending on the method).
Step 2: Add your domain names
Enter the domain(s) you want to secure:
| What you want | What to enter | Notes |
|---|---|---|
| Single domain | example.com | Most basic setup |
| Domain + www | example.com + www.example.com | Recommended for most sites |
| Wildcard | *.example.com | Covers all subdomains; requires DNS-01 |
| Multiple domains | example.com + blog.example.com + shop.example.com | SAN certificate |
Tip: If you enter example.com, GetHTTPS hints you to also add www.example.com (and vice versa). Most sites should secure both.
Step 3: Complete domain verification
Let’s Encrypt needs to verify you control the domain. Choose one of two methods:
Option A: HTTP-01 challenge (simpler, for most people)
Let’s Encrypt provides a token. You place a file on your web server at a specific URL.
- GetHTTPS shows you a filename and file content (a long token string)
- Create the file on your server so that it is served at `http://yourdomain.com/.well-known/acme-challenge/TOKEN_FILENAME`
- The file must be accessible over HTTP (port 80) — even if your site already uses HTTPS
- Click Verify in GetHTTPS
How to create the file — by platform:
SSH access (Nginx/Apache on Linux):
```bash
# Create the directory (if it doesn't exist)
mkdir -p /var/www/html/.well-known/acme-challenge/

# Create the challenge file — use the EXACT values from GetHTTPS
echo "TOKEN_CONTENT_SHOWN_IN_GETHTTPS" > /var/www/html/.well-known/acme-challenge/TOKEN_FILENAME

# Verify it's accessible
curl http://yourdomain.com/.well-known/acme-challenge/TOKEN_FILENAME
```
cPanel File Manager:
- Go to File Manager → navigate to `public_html`
- Create folder `.well-known` → inside it, create `acme-challenge`
- Create a new file with the token filename, paste the token content
- Make sure the file is world-readable (permissions 644)
FTP:
- Connect via FTP to your site root
- Navigate to (or create) `.well-known/acme-challenge/`
- Upload a text file with the token filename containing the token content
Common issue: Some web servers don’t serve files from `.well-known` by default. If you get a 404 error, check your server configuration. Nginx may need `location ~ /\.well-known { allow all; }` in the config.
Option B: DNS-01 challenge (required for wildcards)
You add a TXT record to your domain’s DNS settings.
- GetHTTPS shows you a record name (e.g., `_acme-challenge.example.com`) and a record value (a long hash)
- Go to your DNS provider and add the TXT record
- Wait for DNS propagation (usually 1-5 minutes)
- Click Verify in GetHTTPS
DNS provider quick reference:
| Provider | Where to add TXT record | TTL setting |
|---|---|---|
| Cloudflare | DNS → Records → Add record → Type: TXT | Auto |
| AWS Route 53 | Hosted zones → your domain → Create record → TXT | 300 |
| GoDaddy | DNS Management → Add → Type: TXT | 1 Hour |
| Namecheap | Domain List → Manage → Advanced DNS → Add new record → TXT | Automatic |
| Google Domains | DNS → Custom records → Manage → Create new record → TXT | Auto |
| DigitalOcean | Networking → Domains → your domain → Add record → TXT | 30 |
Record name: _acme-challenge (some providers auto-append your domain, some don’t — check the preview)
Record value: The hash string shown in GetHTTPS (copy-paste exactly)
Pre-check verification (GetHTTPS exclusive feature)
Before submitting to Let’s Encrypt, GetHTTPS pre-checks your challenge configuration from the public internet via Google’s DNS-over-HTTPS API. This catches mistakes like:
- Wrong file content or permissions
- File not accessible on port 80
- DNS record not propagated yet
- Firewall blocking the request
- Cloudflare proxy intercepting the challenge
If the pre-check fails, GetHTTPS shows you exactly what’s wrong — so you can fix it before burning a rate limit attempt.
This is a feature other browser-based tools don’t have. SSL For Free and ZeroSSL submit directly to the CA, and you only find out about errors after the fact.
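The two challenge values shown in Step 3 are defined by the ACME protocol (RFC 8555): both derive from the token and the account key from Step 1. The sketch below is an added example, not GetHTTPS's code; it computes both values and classifies what a fetch of the HTTP-01 URL returned. `SAMPLE_TOKEN`, `SAMPLE_JWK` and the `diagnose_http01` helper are constructed for illustration.

```python
import base64
import hashlib
import json

def b64url(data):
    """Unpadded URL-safe base64, the encoding ACME uses everywhere."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def jwk_thumbprint(jwk):
    """RFC 7638 SHA-256 thumbprint of an EC public key (the account key)."""
    # Only the required members, sorted by name, serialized without whitespace.
    required = {name: jwk[name] for name in ("crv", "kty", "x", "y")}
    canonical = json.dumps(required, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())

def http01_file_content(token, account_jwk):
    """Key authorization: the exact text the challenge file must contain."""
    return f"{token}.{jwk_thumbprint(account_jwk)}"

def dns01_txt_value(token, account_jwk):
    """TXT record value: base64url(SHA-256(key authorization))."""
    key_auth = http01_file_content(token, account_jwk)
    return b64url(hashlib.sha256(key_auth.encode("ascii")).digest())

def diagnose_http01(status, body, expected):
    """Classify the response fetched from /.well-known/acme-challenge/<token>."""
    if status == 404:
        return "not found: wrong path, or the server blocks /.well-known"
    if status != 200:
        return f"unexpected HTTP status {status}"
    served = body.rstrip()  # RFC 8555 lets the CA ignore trailing whitespace
    if served == expected:
        return "ok"
    if "<html" in served.lower():
        return "HTML page served instead of the token file"
    if served.split(".")[0] == expected.split(".")[0]:
        return "token matches but thumbprint differs: value is from another account key"
    return "content mismatch: copy the value again, exactly"

# Constructed sample values (not a real key or token).
SAMPLE_TOKEN = "constructed-token-0123456789abcdefABCDEF_xyz"
SAMPLE_JWK = {"kty": "EC", "crv": "P-256",
              "x": "constructed-x-coordinate-placeholder-000000",
              "y": "constructed-y-coordinate-placeholder-000000"}

if __name__ == "__main__":
    expected = http01_file_content(SAMPLE_TOKEN, SAMPLE_JWK)
    print("file content:", expected)
    print("TXT value:   ", dns01_txt_value(SAMPLE_TOKEN, SAMPLE_JWK))
    print(diagnose_http01(200, expected + "\n", expected))
```

Because the thumbprint comes from the account key, a value copied from one browser session will not validate against an order created with a different account key.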
Step 4: Download your certificate files
Once all challenges pass, Let’s Encrypt issues your certificate. GetHTTPS gives you four files:
| File | What it is | When you need it |
|---|---|---|
| privkey.pem | Your private key — keep this secret! | Every server |
| cert.pem | Your SSL certificate (end-entity only) | Apache, some configs |
| chain.pem | Let’s Encrypt’s intermediate CA certificate | Apache, some configs |
| fullchain.pem | cert.pem + chain.pem combined | Nginx, most servers |
Download all four files. Different servers need different combinations — having all four means you’re covered. See certificate formats explained for details.
Security: Store `privkey.pem` securely. Anyone who has this file can impersonate your website. Don’t email it, don’t commit it to Git, don’t put it in a public folder.
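A consistency check on the four downloaded files before installing them, as an added example (not part of GetHTTPS). It inspects only the PEM armor, so it catches a private key pasted into a certificate file or `cert.pem` used where `fullchain.pem` is needed, but it does not validate signatures; the `SAMPLE_*` values are constructed placeholders, not real certificates.

```python
import base64
import re

PEM_RE = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\s+(.*?)\s+-----END \1-----", re.S)

def pem_blocks(text):
    """Return [(label, DER bytes), ...] for every PEM block in a file's text."""
    return [(label, base64.b64decode("".join(body.split())))
            for label, body in PEM_RE.findall(text)]

def is_key(label):
    return label.endswith("PRIVATE KEY")  # covers PKCS#8, EC and RSA labels

def check_bundle(privkey, cert, chain, fullchain):
    """Return a list of problems; an empty list means the four files agree."""
    key, leaf, inter, full = map(pem_blocks, (privkey, cert, chain, fullchain))
    problems = []
    if len(key) != 1 or not is_key(key[0][0]):
        problems.append("privkey.pem must hold exactly one private key")
    for name, blocks in (("cert.pem", leaf), ("chain.pem", inter),
                         ("fullchain.pem", full)):
        if any(is_key(label) for label, _ in blocks):
            problems.append(f"{name} contains a private key")
    if [label for label, _ in leaf] != ["CERTIFICATE"]:
        problems.append("cert.pem must hold exactly one certificate")
    if not inter:
        problems.append("chain.pem holds no intermediate certificate")
    if full != leaf + inter:
        problems.append("fullchain.pem is not cert.pem followed by chain.pem")
    return problems

def serves_full_chain(ssl_certificate_text):
    """True if the file given to Nginx's ssl_certificate has leaf + intermediate(s)."""
    blocks = pem_blocks(ssl_certificate_text)
    return len(blocks) >= 2 and all(label == "CERTIFICATE" for label, _ in blocks)

def fake_pem(label, payload):
    """Constructed sample data: PEM armor around placeholder bytes."""
    body = base64.b64encode(payload).decode("ascii")
    return f"-----BEGIN {label}-----\n{body}\n-----END {label}-----\n"

SAMPLE_KEY = fake_pem("PRIVATE KEY", b"constructed key bytes")
SAMPLE_CERT = fake_pem("CERTIFICATE", b"constructed leaf bytes")
SAMPLE_CHAIN = fake_pem("CERTIFICATE", b"constructed intermediate bytes")
SAMPLE_FULLCHAIN = SAMPLE_CERT + SAMPLE_CHAIN

if __name__ == "__main__":
    print(check_bundle(SAMPLE_KEY, SAMPLE_CERT, SAMPLE_CHAIN, SAMPLE_FULLCHAIN))
    print(serves_full_chain(SAMPLE_CERT))
```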
Step 5: Install on your server
Choose your platform:
| Platform | Guide | Key files needed |
|---|---|---|
| Nginx | Full guide → | fullchain.pem + privkey.pem |
| Apache | Full guide → | cert.pem + chain.pem + privkey.pem |
| cPanel | Full guide → | Paste contents of all three files |
| WordPress | Full guide → | Depends on hosting (cPanel/Nginx/Apache) |
| Windows IIS | Full guide → | Convert to PFX first |
| Docker | Full guide → | Mount fullchain.pem + privkey.pem |
| Plesk | Full guide → | Paste contents of all three files |
| AWS | Full guide → | Upload to EC2 or import to ACM |
| Node.js | Full guide → | fullchain.pem + privkey.pem in code |
Quick install — Nginx:
```nginx
server {
    listen 443 ssl http2;
    server_name example.com www.example.com;

    ssl_certificate     /etc/ssl/fullchain.pem;
    ssl_certificate_key /etc/ssl/privkey.pem;

    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers off;
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 1d;

    add_header Strict-Transport-Security "max-age=63072000" always;

    root /var/www/html;
    index index.html;
}
```

```bash
sudo nginx -t && sudo systemctl reload nginx
```
Quick install — Apache:
```apache
<VirtualHost *:443>
    ServerName example.com
    ServerAlias www.example.com

    SSLEngine on
    SSLCertificateFile      /etc/ssl/cert.pem
    SSLCertificateKeyFile   /etc/ssl/privkey.pem
    SSLCertificateChainFile /etc/ssl/chain.pem

    SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
    SSLHonorCipherOrder off

    DocumentRoot /var/www/html
</VirtualHost>
```

```bash
sudo apachectl configtest && sudo systemctl reload apache2
```
Step 6: Redirect HTTP to HTTPS
Force all traffic to use the encrypted connection. Without this, visitors on http:// don’t benefit from your certificate.
Nginx:
```nginx
server {
    listen 80;
    server_name example.com www.example.com;
    return 301 https://$host$request_uri;
}
```
Apache (.htaccess):
```apache
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
```
Full redirect guide with www/non-www, proxy scenarios, and troubleshooting →
Step 7: Verify everything works
Browser check:
- Visit `https://yourdomain.com`
- Click the padlock icon → “Certificate” or “Connection is secure”
- Verify: Issued by “Let’s Encrypt”, expires in ~90 days, domain matches
Command line check:
```bash
# Show certificate details
echo | openssl s_client -connect yourdomain.com:443 -servername yourdomain.com 2>/dev/null \
  | openssl x509 -noout -subject -issuer -dates

# Expected output:
# subject=CN=example.com
# issuer=C=US, O=Let's Encrypt, CN=R10
# notBefore=May 8 00:00:00 2026 GMT
# notAfter=Aug 6 00:00:00 2026 GMT
```
Online check: Enter your domain at SSL Labs Server Test for a comprehensive report covering certificate chain, protocol support, cipher suites, and known vulnerabilities.
Check for mixed content: Open your browser’s DevTools (F12) → Console tab. Look for “Mixed Content” warnings — these are HTTP resources on your HTTPS page. How to fix mixed content →
Renewal
Let’s Encrypt certificates expire after 90 days. Renew before day 60 to give yourself a safety margin.
With GetHTTPS (manual):
- Visit gethttps.com/app/setup again
- Re-enter your domain(s) and complete a new challenge
- Replace the certificate files on your server
- Reload your web server (`sudo systemctl reload nginx`)
With Certbot (automatic): If you want hands-off renewal, install Certbot on your server. Many teams use GetHTTPS for the first certificate and Certbot for ongoing auto-renewal.
Coming soon: 47-day certificates. The CA/Browser Forum voted to reduce maximum certificate validity to 47 days by 2029. What this means for you →
Method 2: Your hosting provider (easiest if available)
Many hosts include free SSL:
| Host | How to enable | Auto-renewal |
|---|---|---|
| Hostinger | hPanel → Security → SSL | ✅ AutoSSL |
| SiteGround | Site Tools → Security → SSL Manager | ✅ |
| Bluehost | My Sites → Security → SSL | ✅ |
| Namecheap | cPanel → SSL/TLS Status | ✅ AutoSSL |
| GoDaddy | cPanel → SSL/TLS (if cPanel hosting) | ✅ |
| DigitalOcean | No built-in — use Certbot or GetHTTPS | ❌ |
| AWS | ACM for load balancers, Certbot for EC2 | ✅ (ACM) |
If your host provides free SSL, use it — it’s the simplest path. If not (or if you want more control), use GetHTTPS.
Method 3: Certbot (for server administrators)
Certbot is a CLI tool that automates Let’s Encrypt certificates on your server. Requires root access.
```bash
# Install (Ubuntu)
sudo snap install --classic certbot
sudo ln -s /snap/bin/certbot /usr/bin/certbot

# Get certificate + auto-configure Nginx
sudo certbot --nginx -d example.com -d www.example.com

# Auto-renewal is set up automatically
sudo systemctl list-timers | grep certbot
```
Full GetHTTPS vs Certbot comparison →
Method 4: Cloudflare (proxy-based SSL)
If you use Cloudflare as your CDN, Universal SSL is included for free. But understand: Cloudflare SSL means your traffic decrypts at Cloudflare’s edge, not at your server. Is that OK for you? →
Troubleshooting
Challenge file returns 404
- Check the path: The file must be at exactly `/.well-known/acme-challenge/TOKEN` — not in a subdirectory
- Check permissions: The file must be readable by the web server (chmod 644)
- Nginx: Add `location ~ /\.well-known { allow all; }` if your config blocks dotfiles
- Cloudflare: Temporarily switch DNS to “DNS only” (gray cloud) during HTTP-01 challenge
- cPanel: Make sure `.well-known` isn’t hidden — some file managers hide dot-directories
DNS record not found
- Wait longer — some DNS providers take 5-15 minutes to propagate
- Check the record name: It should be `_acme-challenge` (without your domain appended, or with it — depends on provider). GetHTTPS’s pre-check confirms.
- Check record type: Must be TXT, not CNAME or A
- Verify manually: `dig TXT _acme-challenge.yourdomain.com +short`
“Too many requests” / rate limit error
Let’s Encrypt allows 50 certificates per registered domain per week. If you hit this limit:
- Wait a week and try again
- Use the staging environment for testing (GetHTTPS uses staging by default in development)
- Pre-check your challenges before submitting to avoid wasted attempts
Browser shows “Not Secure” after installation
- Certificate not installed: Check your server config points to the correct files
- Mixed content: Your page loads HTTP resources. Fix guide →
- Redirect not active: HTTP traffic isn’t being redirected to HTTPS. Redirect guide →
- Certificate expired: Check expiry →
“Certificate chain incomplete” error
You’re using cert.pem instead of fullchain.pem (Nginx) or missing SSLCertificateChainFile (Apache). The server needs the intermediate certificate to prove the chain of trust.
Why GetHTTPS over other free tools?
| Feature | GetHTTPS | ZeroSSL | SSL For Free | Certbot |
|---|---|---|---|---|
| Installation | None (browser) | None (web) | None (web) | CLI install needed |
| Private key | Browser-generated (Web Crypto) | ⚠️ May be server-generated | ⚠️ Server-generated | Server-generated |
| Free cert limit | Unlimited | 3 | 3 | Unlimited |
| Wildcard (free) | ✅ | ❌ (paid) | ❌ | ✅ |
| Auto-renewal | ❌ | ❌ | ❌ | ✅ |
| Pre-check | ✅ | ❌ | ❌ | ❌ |
| Open source | No | No | No | Yes (Apache 2.0) |
| Direct to Let’s Encrypt | ✅ | Via ZeroSSL | Via ZeroSSL | ✅ |
Full comparison of all free SSL providers →
Frequently asked questions
Can I really get an SSL certificate for free?
Yes. Let’s Encrypt is a nonprofit Certificate Authority backed by Mozilla, Google, EFF, and others. It issues free domain-validated (DV) certificates — the same type that many companies pay $50-200/year for. Over 300 million websites use Let’s Encrypt, with 63.9% global CA market share.
Is a free SSL certificate as secure as a paid one?
Yes. All SSL certificates — free or paid — use the same TLS encryption. A free DV certificate from Let’s Encrypt provides identical encryption strength to a $500 EV certificate from DigiCert. The only difference is the validation level (what the CA checks about your identity), not the encryption. Detailed comparison →
How long does a free SSL certificate last?
Let’s Encrypt certificates are valid for 90 days. This short validity is intentional — it limits damage if a key is compromised and encourages automation. Renew at day 60 for a safety margin. Note: by 2029, all certificates will be limited to 47 days.
Do I need SSH/root access to my server?
Not with GetHTTPS. You need the ability to either:
- Place a file on your web server (via FTP, cPanel File Manager, or any method) — for HTTP-01
- Add a DNS record (via your domain registrar or DNS provider) — for DNS-01
If you have no access at all, check if your hosting provider offers free SSL through their control panel.
Can I get a wildcard certificate for free?
Yes. GetHTTPS supports wildcard certificates (*.example.com) using the DNS-01 challenge. This is a feature many competitors (ZeroSSL, SSL For Free) restrict to paid plans. You’ll need access to your domain’s DNS settings.
Can I secure multiple domains with one certificate?
Yes. Enter all your domains in GetHTTPS — up to 100 names per certificate. This creates a SAN (multi-domain) certificate. Each domain needs its own challenge verification.
What’s the difference between HTTP-01 and DNS-01 challenges?
HTTP-01: You place a file on your server. Simpler, works for single domains. Requires port 80 access. DNS-01: You add a TXT record to your DNS. Required for wildcards. Works even if port 80 is blocked. Detailed HTTP-01 guide → | DNS-01 guide →
What happens if my certificate expires?
Browsers show a full-page security warning (“Your connection is not private”). Visitors can’t access your site safely, and search engines may de-index your pages. How to check expiry → | How to renew →
Can I switch from GetHTTPS to Certbot (or vice versa)?
Yes. The certificate files are standard PEM format. You can generate the first certificate with GetHTTPS and later install Certbot for automated renewal. Or use Certbot initially and switch to GetHTTPS when you need a quick re-issue without server access. The tools don’t conflict.