The certificate generator tool is powered by Let's Encrypt, a service of the Internet Security Research Group. Let's Encrypt is a free certificate authority that provides an interface for generating trusted SSL/TLS certificates. Let's Encrypt also offers software tools that allow completely automatic management of the certificates. However, automatic management is not supported on all platforms, and some end users may prefer to generate and install their certificates "manually". This is what Free SSL/TLS Certificate Generator is all about.
This tool is a simple online interface to the Let's Encrypt platform. It can ask Let's Encrypt to generate a trusted certificate for your domain, and it fully supports multi-domain certificates (via the Subject Alternative Name (SAN) certificate field). This means that you can protect not only your primary domain, but also its subdomains, with a single certificate. The Let's Encrypt platform does not support wildcard certificates, so we are not able to generate them for you.
In order to generate a certificate, a Certificate Signing Request (CSR) is needed. Our generator can either generate a CSR for you, or you can provide your own CSR on the input.
This tool runs fully over HTTPS, which means that all data, including certificates and private keys (if provided), that you submit or that are transferred back to you are well protected and are safe to use in a production environment. No sensitive data or files persist on our servers; they are erased once the certificate generation completes.
The first version of the Let's Encrypt platform only generates certificates that are valid for 90 days. This means you have to generate a new certificate about every 3 months. In the future, Let's Encrypt may decide to allow generation of certificates with a longer validity period; this topic is, among others, being discussed on their mailing list.
Note that the tool's generated certificates were tested on Apache 2.4 and Microsoft IIS 8.5 web servers.
Terms of Service
By generating and using a Let's Encrypt certificate, you agree with their Certificate Policy and Subscriber Agreement. These documents are available on the Let's Encrypt Policy and Legal Repository page. By using our Free SSL/TLS Certificate Generator you authorize this tool to ask Let's Encrypt to generate a certificate on your behalf. You agree that we act only as an agent between you and Let's Encrypt for the sole purpose of helping you to obtain the certificate from Let's Encrypt. You are fully responsible for using the certificate properly and according to the Let's Encrypt terms. You agree to ask for generation of certificates only for domains that you own or which you are authorized to manage and generate certificates for. You also agree that our tool makes a registration request to Let's Encrypt on your behalf using the email contact you have provided. The email address is not used by Online Domain Tools for anything else – we will never send you any emails (nor provide it to a third party other than Let's Encrypt) just because you have entered your email address in this form, but according to the Let's Encrypt terms, they can contact you using this email. By using our tool, you confirm that this email contact is valid and you are authorized to use it.
The process of generating a certificate works in three phases. In the first phase, you create a request to generate a certificate. In the second phase, you have to verify all the domains that should be protected by the new certificate. In the third phase, the certificate is generated and you can download the certificate files. In all phases, please make sure that all the steps are followed exactly as described (make sure all inputs are in the specified format), or the process may fail.
To start with the first phase, simply enter your email address and, in the Certificate Domains field, all the domains that should be protected by the certificate. Note that your email address is used solely for the purpose of making a registration request to Let's Encrypt. Let's Encrypt makes a simple validation of the provided email contact, so make sure the email address is valid. A common scenario is that you have a domain, such as example.com, and you would also like to protect www.example.com. In that case, put them both in the Certificate Domains field. Your primary domain is the first one in the list; the other domains are treated as Subject Alternative Names.
Then you have to decide whether you want to use your own CSR (which is highly recommended) or let us generate a CSR (and a private key) for you. It is more secure to generate your own CSR and private key and give us only the CSR, in which case you are the only person who has access to the private key. For some users, it might be easier to let us generate a CSR (and a private key), in which case you have to check the Generate Certificate Signing Request and Private Key Automatically checkbox. In this case, you need to provide additional information – the Key Size, the 2-letter Country Code, and the name of your Organization.
If you decide to use your own CSR, you have to copy your CSR in PEM format to the CSR textbox. You may also provide the corresponding private key in the Private Key for CSR textbox; it must also be in PEM format and must not be protected by a password. Providing your private key is only useful if you run a Microsoft IIS web server and want us to generate your certificate in the ready-to-go PFX format, which can be imported to your IIS server very easily, without additional work with OpenSSL. If you run Apache or you know how to use OpenSSL, it is recommended not to provide your private key. Once this is done, click the "Proceed to Domain Verification Phase!" button to continue.
Note that a CSR generated by a Microsoft IIS server will not work! Always use OpenSSL for CSR generation and make sure your key size is 2048 or 4096 bits. If you are having problems with your own CSR, try letting us generate it for you; you will receive the generated CSR in the output together with your certificate. You can then compare the generated CSR with the one you generated and possibly find where the problem was.
As a security measure, if you submit your CSR and private key files on the input and the process of generating your certificate fails for any reason (including that you are unable to download the result), do not reuse the same CSR and private key files again. If you want to try it again, generate new CSR and private key files.
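The following is an added example, not part of the tool or its documentation: one way to create your own CSR with OpenSSL so that it meets the requirements above (PEM format, 2048 or 4096 bit key, unencrypted key, primary domain first and every domain listed as a SAN), and to check the result before pasting it into the CSR textbox. The output file names and the country and organization values are placeholders chosen for the example.

```shell
#!/bin/sh
# Added example. Paths, country and organization values are constructed placeholders.

# make_csr BITS OUTDIR COUNTRY ORG PRIMARY_DOMAIN [OTHER_DOMAIN...]
make_csr() {
    bits=$1; out=$2; country=$3; org=$4; shift 4
    case "$bits" in 2048|4096) ;; *) echo "key size must be 2048 or 4096" >&2; return 1 ;; esac
    [ $# -ge 1 ] || { echo "need at least one domain" >&2; return 1; }
    san=""
    for dom in "$@"; do san="${san:+$san,}DNS:$dom"; done
    mkdir -p "$out" || return 1
    cat > "$out/csr.cnf" <<EOF
[req]
prompt = no
distinguished_name = dn
req_extensions = ext
[dn]
C = $country
O = $org
CN = $1
[ext]
subjectAltName = $san
EOF
    # umask keeps the key owner-only; -nodes writes it without a passphrase,
    # which the tool requires if you choose to submit the key at all.
    ( umask 077
      openssl req -new -newkey "rsa:$bits" -nodes -sha256 -config "$out/csr.cnf" \
          -keyout "$out/private.key" -out "$out/request.csr" ) 2>/dev/null
}

# csr_key_bits CSR : print the public key size recorded in the CSR.
csr_key_bits() {
    openssl req -in "$1" -noout -text | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p'
}

# check_csr CSR KEY DOMAIN... : succeed only if the CSR is PEM with a valid
# self-signature, was made from KEY, KEY is unencrypted, and every DOMAIN is a SAN.
check_csr() {
    csr=$1; key=$2; shift 2
    grep -q -- '-----BEGIN CERTIFICATE REQUEST-----' "$csr" || return 1
    if grep -q 'ENCRYPTED' "$key"; then return 1; fi
    openssl req -in "$csr" -noout -verify 2>&1 | grep -q 'verify OK' || return 1
    [ "$(openssl req -in "$csr" -noout -pubkey)" = "$(openssl pkey -in "$key" -pubout)" ] || return 1
    sans=$(openssl req -in "$csr" -noout -text | tr ',' '\n' | sed 's/^ *//')
    for dom in "$@"; do
        printf '%s\n' "$sans" | grep -qxF "DNS:$dom" || return 1
    done
}
```

For example, `make_csr 2048 ./cert CZ "Example Org" example.com www.example.com` followed by `check_csr ./cert/request.csr ./cert/private.key example.com www.example.com`; only `request.csr` needs to leave your machine.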
In phase two, you have to verify that you control all the domains you want to generate your certificate for. Please read the instructions that appear on the screen carefully. For each domain, you will have to download a verification file and upload it to a specified location on your web server. You must not alter the files in any way. Make sure they stay in their original form – treat them as binary files. You also have to make sure that the verification files are publicly accessible. Once you are sure your files are uploaded and publicly accessible, hit the "Verify Now!" button to continue.
If the verification succeeded, you have reached the third phase, in which your certificates are being generated by the Let's Encrypt service. All you need to do is wait for the result. If everything went well, you can now download your certificate. The certificate is delivered in a ZIP archive together with a couple of other important files you may need. The archive contains the certificate in PEM format (good for Apache web server) and PFX format (good for Microsoft IIS web server, protected by password 123456; only available if the private key was provided or we generated it), the private key in PEM format (to be used with the PEM certificate for Apache; only available if it was provided or we generated it), a CA bundle file in PEM format (for Apache again), and the CSR in PEM format (not actually required for certificate installation). If the private key was not provided or generated by us, there is a read-me file with information on how to create the PFX version of the certificate from the PEM certificate and your private key using OpenSSL. The download link is protected so that it can be used only from your IP address – i.e. the IP address that you have accessed the tool from. The certificate archive file will expire in 2 hours and will be deleted then.
During any phase, you may hit the "Cancel and Start Again!" button to start the whole process again from phase one. Note that in this case, unlike most of the cases of failures, no credits are returned to your Online Domain Tools account.
Using Your Certificate
If you do not run your own web server, your hosting will provide you with the instructions on how to install your certificate to their system.
You can check that your certificate is installed properly by using our TLS/SSL Checker, which will also check the security of your web server setup related to TLS/SSL.
If you are using Apache web server, you may find it helpful to read Apache SSL Installation Instructions by SSL Shopper.
If you are using Microsoft IIS web server, find some helpful information inside How to manually install an SSL certificate in IIS 8.5 by StudioCoast Pty Ltd.
If you want to create your own CSR using OpenSSL, or otherwise use OpenSSL to perform relevant tasks, try reading The Most Common OpenSSL Commands by SSL Shopper.