Most websites need a free DV certificate from Let’s Encrypt. That’s the answer for 90%+ of people reading this. But if you want to understand why — and know the exceptions — this guide walks through every decision point.
Decision 1: Validation level (DV vs OV vs EV)
| Question | If yes → |
|---|---|
| Does a compliance rule or procurement policy specifically require OV or EV? | Get OV or EV from a commercial CA |
| Does your auditor require the organization name embedded in the certificate? | Get OV |
| Neither? | DV is sufficient — free from Let’s Encrypt |
The short version: DV provides the same encryption as OV and EV. Browsers show the same padlock for all three. The green bar is gone since 2019. Unless you have a specific compliance checkbox, DV is the right choice.
Full DV vs OV vs EV comparison →
Decision 2: Domain coverage
| Your setup | Certificate type | How to get it |
|---|---|---|
One domain (example.com) | Single-domain | GetHTTPS — enter example.com |
Domain + www (example.com + www.example.com) | Single-domain with SAN | GetHTTPS — enter both names |
Multiple subdomains (www, blog, api, staging, etc.) | Wildcard (*.example.com) | GetHTTPS wildcard guide |
Multiple different domains (example.com + example.org) | Multi-domain (SAN) | GetHTTPS — enter all domains |
| Subdomains + bare domain | Wildcard + bare domain | GetHTTPS — enter *.example.com + example.com |
| Different domains + their subdomains | Multiple wildcards or SAN + wildcard | GetHTTPS — combine as needed |
Rule of thumb:
- 1-2 domains → single-domain certificate
- Many subdomains of one domain → wildcard
- Multiple different base domains → multi-domain SAN
- Mix of above → wildcard + SAN in one certificate
Decision 3: Free vs paid
| Question | If yes → |
|---|---|
| Do you need OV or EV validation? | Paid (commercial CA) |
| Do you need a warranty for compliance? | Paid |
| Do you need dedicated CA support? | Paid |
| None of the above? | Free (Let’s Encrypt) |
Free Let’s Encrypt certificates provide identical encryption to paid certificates. The encryption algorithms, cipher suites, and TLS protocols are the same. You’re paying for validation level and services — not security.
Decision 4: Which tool to get it
| Your situation | Tool | Why |
|---|---|---|
| No server access / quick cert | GetHTTPS | Browser-based, zero install |
| Server with root access, want auto-renewal | Certbot | Automated renewal |
| Host includes free SSL | Your hosting panel | Already there |
| Already on Cloudflare | Cloudflare + origin cert | Built-in CDN SSL |
| AWS with ALB/CloudFront | ACM | Free, auto-renewing |
Compare all free SSL providers →
Decision 5: Key algorithm
| Scenario | Algorithm |
|---|---|
| Modern setup (default) | ECDSA P-256 — smaller, faster |
| Need to support very old devices | RSA 2048 — maximum compatibility |
| High-security requirement | ECDSA P-384 or RSA 4096 |
GetHTTPS defaults to ECDSA P-256, which is supported by all modern browsers and recommended by Let’s Encrypt.
Common scenarios
”I’m building a personal blog”
Get: Free DV single-domain from GetHTTPS for yourblog.com + www.yourblog.com. Install on Nginx or via cPanel. Total cost: $0.
”I run a SaaS product with an API”
Get: Free DV wildcard from GetHTTPS for *.yourapp.com. Covers app.yourapp.com, api.yourapp.com, docs.yourapp.com automatically. Set up Certbot for auto-renewal.
”I’m launching an e-commerce site”
Get: Free DV from Let’s Encrypt. PCI DSS does not require OV/EV. Stripe/PayPal handle payment card security. Use a wildcard if you have subdomains.
”My company’s procurement requires OV”
Get: OV certificate from DigiCert, Sectigo, or GlobalSign ($50-200/year). This is a procurement checkbox — the encryption is identical to a free DV cert.
”I manage 50 domains for clients”
Get: Free DV certificates from Let’s Encrypt for each domain. Use acme.sh with DNS API automation, or GetHTTPS for quick one-offs.
Frequently asked questions
Do I need a separate certificate for each subdomain?
Not if you use a wildcard certificate (*.example.com). One wildcard covers all subdomains at one level. Without a wildcard, yes — each unique hostname needs to be listed in the certificate’s SAN field.
Can I start with free and upgrade to paid later?
Yes. Get a free certificate now, and if you later need OV/EV for compliance, buy a paid certificate and replace the files. No migration, no downtime. Details →
Does Google care which certificate I use?
No. Google’s HTTPS ranking signal doesn’t differentiate between DV, OV, EV, free, or paid certificates. Any valid HTTPS certificate provides the same SEO benefit. Details →
What if I’m not sure and just want something that works?
Go to GetHTTPS, enter your domain, follow the steps. You’ll have a free, trusted, properly-configured SSL certificate in 5 minutes. You can always change your certificate type later.