The story behind ZeroSSL project
This project was initially created out of the need of new certificates, the interest to Let's Encrypt project, and the challenge presented by the lack of Perl client for obtaining Let's Encrypt certificates. Thing is, despite people saying that "Perl is the only language that looks the same before and after RSA encryption", it is the language I love using in software development. By the way, I believe the quote above is by Keith Bostic (American Software Engineer, NOT the footballer).
So, I had a look at Let's Encrypt, but I found that the client offered at the time did not seem to be convenient to use and required root rights. Naturally, I checked the list of alternative clients. To my surprise, Perl client wasn't there. That didn't look right to me, so I decided to fix it. As a result, the Crypt::LE library and then "le.pl" client were created.
Since I worked with some nice Ops (as in "DevOps") for quite a while, that client was built in a way to provide as much automation and flexibility as possible, including providing hooks, integrating with external modules, and supporting both HTTP and DNS verification out of the box. The client and the library are available on CPAN and GitHub.
While the library worked fine in most environments, I found that on Windows (without Cygwin) the automatic CSR (Certificate Signing Request) creation would fail. That led me first to creating a page generating just CSR, and then to creating the whole in-browser client you can see on ZeroSSL today.
This is the short story behind this service. If you're interested, you can see my LinkedIn profile or check out the Do-Know.com website, where you can find some other interesting tools, such as the "Internet Privacy Test". The very first version of the test was created in 1998 and it is designed to show you what kind of information your browser might be exposing to any site you are visiting.
When and how you might want to use ZeroSSL
First and foremost, let's talk about something that all services on the site have in common. All of them are created as fully client-side tools. What does that mean in practice? That everything runs in your browser, including all the computations related to key generation. Nothing gets sent back to the server. Additionally, once the particular tool/service is loaded, nothing is further loaded from the server while it's been used, except for when keys are being generated - in that case the "workers" are loaded and tasked to do the necessary math. Without workers, the browser would lock up doing the computations with a message that the script became unresponsive.
Now about the key generation: If the key can be generated by the site, it does not mean it has to be - you can use your preferred command line tools to do it. For example, with openssl you could generate a 4096 bits key like this:
openssl genrsa -out key.pem 4096
Important: Before using any particular service, always check the "Learn More" section related to it. For example, you may find out that for certificates intended for use with Amazon AWS Services (such as API Gateway or CloudFront) you need the domain key of 2048 bits. The Free SSL Certificate Wizard would be creating a 4096 bits domain key by default when generating the CSR. So you would need to use "CSR Generator" first and choose 2048 bits there.
A few more words about the Free SSL Certificate Wizard. Please keep in mind that this service is not intended to be a total "replacement" for traditional offline clients or tools, which can provide the levels of automation you simply cannot get with an online interactive client. For example - if you have a substantial amount of domains and you are using separate certificates for those, then renewing them through an online service would hardly be convenient. You will need to automate the process. Also, if there is a chance you will be forgetting about renewals, you might again consider an offline client.
However, there might be cases when you might prefer an online client. It could be because the installation of certain client is impossible or complex, because the learning curve of using particular client seems to be too steep, or maybe you just have one domain and don't want to install anything. It could also be that you need to create a certificate on the go and all you have is your mobile. Finally, you might just like the simplicity of the process that Free SSL Certificate Wizard offers.
Before using it, please make sure that you will be actually able to use the certificate for your domain. For example, if your site is on shared hosting, it might be not possible for you to install the certificate at all, or the hoster might charge you extra for the manual installation.
The language translations for SSL Certificate Wizard interface were provided by:
- Russian by Alexander Yezhov;
- French by Robin Portigliatti;
- Spanish by Miguel Piedrafita;
- German by Bernhard Wunsch;
- Italian by Luca Palano;