Yes, the one recognized by most web browsers, not a self-signed one.
Within the last decade, there has been a consistent push for the webmasters to move towards SSL for a more secure Web. Initiatives like SSL by Default and Google’s SSL Everywhere have reiterated the importance of privacy and the role of website owners in creating “a safer, more secure Internet”. The ubiquitous presence of SSL, or in layman’s terms, the number websites beginning with https:// has grown rapidly.
Long gone are the days when you needed to lease a costly Dedicated IP from your ISP, per server, to install SSL. Technologies like Server Name Indication (SNI) have made it possible to cheaply install SSL certificates for multiple domains, all hosted on the same shared server — and have the certificates still be recognized by the modern web browsers as “valid”. However, even with SNI, there remains a cost (anywhere from $9 to $199 per year, on average) associated with getting a trusted, SSL certificate. After all a Certificate Authority (CA) — whether manually or in an automated fashion, still has to verify the domain ownership and/or identity of the domain owner, depending on the extent of the validation requested. Running such a large scale technological infrastructure incurs costs, passed down to the website owners purchasing the certificates from the CA and their resellers.
Of course, you could always generate a self-signed certificate yourself for free but the major downside is, no reputable web browser would recognize the certificate as valid since no CA has signed it. The end-to-end encryption is still very much there, but no recognition, and not to mention the ugly red stricken-through HTTPS text in most web browsers, along with the warning webpage:
Great news! Let’s Encrypt or rather its underlying ACME Protocol has made it possible to issue yourself a legitimate, fully-trusted, SSL certificate for free (as in free lunch) which, according to their website, is recognized by 99.9% of the web browsers. The number is no worse than the paid SSL certificates issued by the CAs.
The pros? A legitimate, trusted SSL certificate recognized by major web browsers, for free. Let’s Encrypt also provides detailed instructions on how to install the SSL yourself, depending on your platform.
One downside: Shorter validity (only 90 days) compared to that of a traditional, paid certificate. Typically, SSL certificates are valid for a minimum of 1 year. However, this is deliberate, by design, and here’s a great explanation why. It’s to do with increasing the security by:
- Shortening lifetimes of the keys to prevent a security compromise, in the event of an accidental private key exposure.
- Encouraging the website owners to automate the SSL certificate generation process altogether to maintain the lower costs of the process — if this is done correctly, it would virtually be irrelevant how short the lifetimes of the keys (and certificates) become, since the process would now merely comprise a bunch of scripts running every few months.
The technology, now open to the public, is relatively new (only 22 months old according to Wikipedia) and rapidly gaining acceptance. In fact, some web registrars now have built-in support for Let’s Encrypt, letting their customers conveniently install the free certificates.
To further simplify the SSL installation process, you may benefit from using the following SSL generator as I did: https://www.sslforfree.com/
The website uses ACME too but makes the domain validation process a step easier through their web UI, to verify domain ownership and generate the certificate. SSLforfree.com will also remind you 7 days before your certificate expires, to regenerate it or to revoke it at anytime—and yes, it’s free too.
Furthermore, if you happen to use a cPanel-based shared web hosting, you can visit the SSL/TLS section within (depending on your cPanel version) and simply copy-and-paste the generated certificate(s) and key(s).
Bam! There you gotten have yourself a fully free, trusted SSL certificate which is not self-signed. Just remember to repeat the process every 90 days. Or better yet, automate it!