Friday, February 25, 2011

Truly free SSL certificates are here!

I and many other people have been waiting for a decade for this, but truly free SSL certificates with a root certificate installed in every browser is finally available. It used to be that to get a signed cert, you had to shell out tons of money. That was and is a ripoff. SSL certs cost ISPs nothing to produce and are pure profit. Even the EV validated certs (green bar) are a huge ripoff - sure the setup fee might make some sense where they do real checking, but, after that, the renewal process is entirely automated. Some places want $400 per certificate per year. This is one of the hosting/reseller industry's best-kept secrets.

I've been keeping a very close eye on the free SSL certificate market for a while now. Every couple of months for the past decade, I've run a search query like "free SSL cert" and looked carefully at the results.

The first organization that popped up on my radar was It was exciting when I first saw this because it merely confirmed what I knew all along was that SSL certificates cost nothing to produce. The only problem facing CACert was web browser and OS integration. After a few years of waiting for them to do something - anything - it became apparent that they were collapsing in on themselves. They seem to have a strong following in Europe, but that's it. They don't seem to be interested any more in getting included in the root certificate store of every major browser and OS. Which is sad, because they seemed like they could potentially have pulled off something fantastic - a non-profit organization with the potential to even produce EV validated certs for free. They could have crushed the myth that SSL certs cost hundreds of dollars to produce.

SSL certificates are chains of certificates that trace to a root certificate. Every browser and OS has a list of root certificates that it can validate against. This is called the root certificate store.

The biggest hurdle is being included in the root certificate store of every major browser and OS. This allows the most popular SSL-enabled applications to trace the certificate back to a valid root. A SSL certificate also determines what the certificate was authorized for. Not all SSL certs are created equally. Some can be used for e-mail, some for web servers, some for code signing, etc.

Anyway, most people are usually just interested in setting up a web host with SSL support. A couple years ago, a new startup called StartSSL appeared on the scene claiming free SSL certificates. What they were doing was interesting but they lacked the usual browser and OS support. Then something happened. They started getting into the root certificate stores of browsers and OSes. About two years ago, they were in every major browser and OS except Opera. The list was impressive, but, without Opera support, it didn't matter for web developers.

Sometime in the past couple of months, it looks like Opera finally got up off their butts and approved them. Check out the list:

As an interesting consequence of this, every domain/reseller provider out there has had to lower their SSL certificate prices to more reasonable levels to compete with this new threat. Which, again, only confirms that those high-priced SSL cert products are nothing but pure profit.

So there you have it. Free SSL certificates finally exist. Over the next couple of years, we will likely see other vendors doing the same thing to remain competitive. Some products will likely continue to cost money but people are going to learn to shop for the best deal. This will drive prices down everywhere to reasonable levels.


  1. This comment has been removed by a blog administrator.

  2. It looks to me like all these places that offer free ssl certs are only offering certs that are valid for a certain period like 30, 90 days or a year, then you need to pay to renew them.

    1. I use StartSSL free certs extensively and, while being a bit obtuse to set up, they truly are free SSL certificates that last a full year. There is no pay-to-renew model either. My only recommendation is to go try them out and then come back and share your experience.

      The only downside I've ever found with StartSSL is that some older browsers won't accept certificates signed by them. But those browsers are running under ancient, vulnerable operating systems that need to be upgraded.