Are these certificates really free or is it just a "free trial"?
The certificates are really free - forever. They are provided by Let's Encrypt CA (Certificate Authority).
For how long these certificates are valid?
The certificates validity period is 90 days (you can read why). They can be renewed absolutely free at any time.
Why do I need Let's Encrypt key and what is the "account"?
The account is what Let's Encrypt uses to store the information about certificates you have issued, keep the contact details to let you know about certificate expirations (if you entered your email) and so on. The key is what gives you access to that account. Please note that it is not the kind of account you would be able to log in to - it is intended to be used by the client software you are issuing the certificates with. The account is created directly on Let's Encrypt (NOT on ZeroSSL) by your browser once you proceed to the verification step with the newly generated key from the Details page.
Can I use my own CSR (Certificate Signing Request)?
Yes, absolutely. Just paste it into an appropriate field. There is no need to specify domain names in that case - they will be loaded from the CSR.
Can I use my certificate for anything else than just securing my website?
You can use them for any server that uses a domain name, like web servers, mail servers, FTP servers, and many more. However, email encryption and code signing are not supported, since they require a different type of certificate.
Do you support 'wildcards', so I could use one certificate for any name in my domain?
Wildcards are fully supported by the downloadable ZeroSSL clients (including Windows binaries and the Docker image) and by the Free SSL Certificate Wizard.
Please note the following when trying to issue a wildcard certificate:
- Certificate having a wildcard name on it (as in "*.domain.ext") will have to be verified using DNS verification method for ALL names on that certificate (if you are also adding specific domain names on the same certificate).
- If you choose a HTTP verification method and a wildcard name is found, the method will be automatically changed to DNS.
- If you want a so-called "naked" domain ("domain.ext") covered along with the wildcard ("*.domain.ext"), then put both those names into appropriate field, separated with a space or a comma. Note: on the verification screen you will see that the same DNS text records should be created with two different values - this is normal and this is how you should create them.
Typical errors when trying to issue a wildcard certificate:
- Attempting to use a '*' in the middle of the name. For example - www.*.domain.ext will not work, but *.domain.ext will.
- Attempting to use mutually exclusive names. For example - *.domain.ext and www.domain.ext on the same certificate. Since *.domain.ext already covers www subdomain, you can only use either of those names, but not both.
Keep in mind that you can still add up to 100 domain names on one certificate. When filling in appropriate field of the SSL Certificate Wizard just separate domain names with a comma or a whitespace.
Which browsers will trust my certificate?
All major browsers are supported - see the Compatibility List.
Do I have to enter my email on the first step of the SSL Certificate Wizard?
No, the email field is optional. It might be useful though if you want to receive notifications about upcoming certificate expiration.
What is the verification process?
The verification is a simple process to prove that you own the domain for which you are requesting the certificate. You can choose between HTTP verification, which will require you to place a temporary verification text file (without extension - that is important) on your server, and DNS verification, which will require creating a TXT record in your DNS. In both cases SSL Certificate Wizard will display the required values (the name and content for the file, or the name and the value for the DNS record). With HTTP verification you can also download required file(s) directly from the verification page.
How do I renew?
The renewal process is very similar to the initial issuance. Just use the same account key and CSR you have used previously on the Details page. Please note that you should be using the account key and NOT the domain key (the latter is normally downloadable on the last step along with the certificate file). Once on the last step, download the updated certificate file, place it on your server (replacing the old one) and reload or restart the web-server software.
Do I need to do the verification again when I renew?
The verification results are valid, at the time of writing, for 60 days. If you renew within that period, you should not need to re-verify. Outside of that period you will need to do the verification again. However, it is a very simple process that requires almost no time.
I do not see my domain key on the last step. How do I get it?
If you have generated the CSR on the first step of the process, then on the last step the domain key will certainly be present, along with the certificate file. However, if you are renewing and using the same CSR as before, or if you are using a CSR generated elsewhere, then on the last step you will only see the certificate, but not the corresponding domain key. This is because having the CSR means that you already have the key and extracting it from the CSR to show it to you is not possible anyway.
I have lost my domain key. What to do?
The easiest way to recover is to generate a new CSR and get a new certificate (and a new domain key if the CSR was generated on ZeroSSL).
Can I see the name of my company on the certificate?
Free certificates are of Domain Validation type (DV) and do not hold that information. To have the information about your company, the certificate would need to pass Organization Validation (OV) or Extended Validation (EV). Both require paperwork (such as actual company checks) and cannot be offered for free as a result.