Are these certificates really free or is it just a "free trial"?

The certificates are really free - forever. They are provided by Let's Encrypt CA (Certificate Authority).

How long are these certificates valid?

The certificates' validity period is 90 days (you can read why). They can be renewed absolutely free at any time.

Why do I need Let's Encrypt key and what is the "account"?

The account is what Let's Encrypt uses to store the information about certificates you have issued, keep the contact details to let you know about certificate expirations (if you entered your email) and so on. The key is what gives you access to that account. Please note that it is not the kind of account you would be able to log in to - it is intended to be used by the client software you are issuing the certificates with. The account is created directly on Let's Encrypt (NOT on ZeroSSL) by your browser once you proceed to the verification step with the newly generated key from the Details page.

Can I use my own CSR (Certificate Signing Request)?

Yes, absolutely. Just paste it into an appropriate field. There is no need to specify domain names in that case - they will be loaded from the CSR.

Can I use my certificate for anything other than just securing my website?

You can use it for any server that uses a domain name, like web servers, mail servers, FTP servers, and many more. However, email encryption and code signing are not supported, since they require a different type of certificate.

Do you support 'wildcards', so I could use one certificate for any name in my domain?

Wildcards are fully supported by the downloadable ZeroSSL clients (including Windows binaries and the Docker image) and by the Free SSL Certificate Wizard.

Please note the following when trying to issue a wildcard certificate:

  • A certificate with a wildcard name on it (as in "*.domain.ext") has to be verified using the DNS verification method for ALL names on that certificate (including any specific domain names you add to the same certificate).
  • If you choose the HTTP verification method and a wildcard name is found, the method will be automatically changed to DNS.
  • If you want a so-called "naked" domain ("domain.ext") covered along with the wildcard ("*.domain.ext"), then put both those names into the appropriate field, separated with a space or a comma. Note: on the verification screen you will see that the same DNS text record should be created with two different values - this is normal and this is how you should create them.

Typical errors when trying to issue a wildcard certificate:

  • Attempting to use a '*' in the middle of the name. For example - www.*.domain.ext will not work, but *.domain.ext will.
  • Attempting to use mutually exclusive names. For example - *.domain.ext and www.domain.ext on the same certificate. Since *.domain.ext already covers www subdomain, you can only use either of those names, but not both.

Keep in mind that you can still add up to 100 domain names on one certificate. When filling in the appropriate field of the SSL Certificate Wizard, just separate domain names with a comma or a whitespace.
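The rules above can be checked before a request is submitted. The following is an added example, not code from ZeroSSL or its clients; the function names are hypothetical and the logic only mirrors the rules stated in this FAQ.

```python
import re

MAX_NAMES = 100  # limit stated in this FAQ


def split_names(field):
    """Split the domain field on commas and/or whitespace."""
    return [n.lower() for n in re.split(r"[,\s]+", field.strip()) if n]


def check_names(field, method="http"):
    """Return (names, effective_method, errors) for a requested name list."""
    names = split_names(field)
    errors = []
    if len(names) > MAX_NAMES:
        errors.append(f"{len(names)} names requested, limit is {MAX_NAMES}")

    wildcard_bases = set()
    for name in names:
        if "*" not in name:
            continue
        labels = name.split(".")
        rest = ".".join(labels[1:])
        # '*' must be the whole leftmost label and appear nowhere else
        if labels[0] != "*" or len(labels) < 2 or "*" in rest:
            errors.append(f"{name}: '*' is only allowed as the leftmost label")
            continue
        wildcard_bases.add(rest)

    for name in names:
        labels = name.split(".")
        parent = ".".join(labels[1:])
        # *.domain.ext covers www.domain.ext (mutually exclusive),
        # but not the naked domain.ext, which may sit beside it
        if "*" not in name and parent in wildcard_bases:
            errors.append(f"{name}: already covered by *.{parent}")

    # a wildcard on the certificate forces DNS verification for ALL names
    if wildcard_bases and method == "http":
        method = "dns"
    return names, method, errors
```
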

Which browsers will trust my certificate?

All major browsers are supported - see the Compatibility List.

Do I have to enter my email on the first step of the SSL Certificate Wizard?

No, the email field is optional. It might be useful though if you want to receive notifications about upcoming certificate expiration.

What is the verification process?

The verification is a simple process to prove that you own the domain for which you are requesting the certificate. You can choose between HTTP verification, which will require you to place a temporary verification text file (without extension - that is important) on your server, and DNS verification, which will require creating a TXT record in your DNS. In both cases SSL Certificate Wizard will display the required values (the name and content for the file, or the name and the value for the DNS record). With HTTP verification you can also download required file(s) directly from the verification page.

I am receiving an "Invalid response" error when trying to verify my site. Links to verification files show correct content. What's wrong?

When using HTTP verification, the content of the verification files is expected to be exactly as downloaded/shown on ZeroSSL. Some server configurations might interfere with the process though - for example by serving an error page if the file without an extension is requested. In that case your web server configuration needs to be changed.

However, if you see the content as expected (by using the links shown on the verification step), but are still getting the verification error quoting an "Invalid response" (especially if it mentions "aes.js"), this might mean that your server is showing the content in frames. This is often the case when your hosting is set up with "cloaking" or "domain masking". This can also happen if your host has some sort of "bots protection" enabled (such as the Test-Cookie Nginx module, used by Byet Host for example), which will only display the page correctly if JavaScript is supported by the client, which is not the case for the verification agents.

Visually the content of the verification file in such cases looks right, but to the verification server it has HTML code which should not be there. You can double-check whether that is the case by using the "View source" option in your browser when checking your verification files. You will need to either disable the "cloaking" (or "bots protection") for the HTTP verification to work, or use DNS verification as an alternative in such a scenario.
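The "View source" check can also be done on the raw bytes a non-browser client receives. This is an added example, not part of ZeroSSL; the function name, the category strings and the sample responses are constructed for illustration.

```python
import re

# Constructed sample responses (not captured from a real host)
EXPECTED = "constructed-token.constructed-thumbprint"
FRAMED = (b'<html><frameset rows="100%">'
          b'<frame src="http://origin.example/verification-file">'
          b"</frameset></html>")
JS_CHALLENGE = (b'<html><body><script type="text/javascript" src="/aes.js">'
                b"</script><script>/* sets a cookie, then reloads */</script>"
                b"</body></html>")


def diagnose_verification_body(expected, body):
    """Classify what a client without JavaScript received for the file.

    expected: file content shown on the verification step
    body:     raw response bytes, as a verification agent would see them
    """
    text = body.decode("utf-8", errors="replace")
    if text == expected:
        return "ok"
    lowered = text.lower()
    # frames: typical for "cloaking" / "domain masking"
    if re.search(r"<\s*(frameset|frame|iframe)\b", lowered):
        return "framed: cloaking or domain masking wraps the file in frames"
    # script page: typical for cookie/JavaScript-based bot protection
    if re.search(r"<\s*script\b", lowered):
        return "javascript challenge: bot protection served a script page"
    # any other markup: e.g. an error page for the extensionless file
    if re.search(r"<\s*(!doctype|html|head|body)\b", lowered):
        return "html page: server returned a page instead of the raw file"
    if text.strip() == expected.strip():
        return "whitespace: content differs only in surrounding whitespace"
    return "mismatch: content differs from the expected value"
```

Feed it the body fetched with a plain HTTP client (no cookies, no JavaScript) rather than what a browser renders.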

I have installed the certificate correctly, but my site is not shown as "Secure" - why?

The most likely reason for this is that you are still loading some resources, such as images for example, via HTTP. Browsers in this case will show "Mixed content" errors in the developer console. If you do not want to use developer tools, you can easily check which resources those might be by using the "Why No Padlock?" service. You can read more about "Mixed Content" and how to prevent it here.

How do I renew?

The renewal process is very similar to the initial issuance. Just use the same account key and CSR you have used previously on the Details page. Please note that you should be using the account key and NOT the domain key (the latter is normally downloadable on the last step along with the certificate file). Once on the last step, download the updated certificate file, place it on your server (replacing the old one) and reload or restart the web-server software.

Do I need to do the verification again when I renew?

The verification results are valid, at the time of writing, for 60 days. If you renew within that period, you should not need to re-verify. Outside of that period you will need to do the verification again. However, it is a very simple process that requires almost no time.

I do not see my domain key on the last step. How do I get it?

If you have generated the CSR on the first step of the process, then on the last step the domain key will certainly be present, along with the certificate file. However, if you are renewing and using the same CSR as before, or if you are using a CSR generated elsewhere, then on the last step you will only see the certificate, but not the corresponding domain key. This is because having the CSR means that you already have the key and extracting it from the CSR to show it to you is not possible anyway.

My server/console shows an error saying that the private key does not match the certificate. What did I do wrong?

The most common mistake is using your "account key" instead of the "domain key" when installing the certificate. Your "account key" is what you enter (or generate) on the first step of the process and it is only used for further renewals - you never use it for your server configuration. Your "domain key" is what you download at the last step along with the certificate when you issue that certificate for the first time and are not using a CSR made earlier. If you are using a CSR generated earlier or created elsewhere, you will not see a "domain key" on the last step, because you already have it from the previous time (or from when you created that CSR elsewhere).

Another potential cause of that error, especially if you are seeing it in cPanel or a similar system, is that you might be pasting the certificate file as-is, instead of splitting it in two (as explained on the last step of the process). Your certificate file contains the certificate for your domain and the issuer's certificate (called "CA Bundle" in cPanel). So for cPanel and some old web servers you need to split the certificate file and paste the first part (with its BEGIN and END lines) into the certificate field, while pasting the second part into the "CA Bundle" field (sometimes also named "Intermediate certificate" or "Certificate chain").
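The split described above, as an added example (not ZeroSSL code). The function name is hypothetical and the sample file holds placeholder data, not real certificates; a key pasted into the file by mistake is rejected rather than passed on.

```python
import re

# Constructed sample: placeholder payloads standing in for real certificates
SAMPLE_FILE = (
    "-----BEGIN CERTIFICATE-----\n"
    "Q09OU1RSVUNURUQtTEVBRg==\n"
    "-----END CERTIFICATE-----\n"
    "\n"
    "-----BEGIN CERTIFICATE-----\n"
    "Q09OU1RSVUNURUQtSVNTVUVS\n"
    "-----END CERTIFICATE-----\n"
)

PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.+?)\r?\n-----END \1-----", re.DOTALL
)


def split_certificate_file(pem_text):
    """Return (domain_certificate, ca_bundle) from the combined file.

    The first block is the domain certificate; everything after it is
    the issuer's certificate(s), i.e. the "CA Bundle" field.
    """
    blocks = [(m.group(1), m.group(0)) for m in PEM_BLOCK.finditer(pem_text)]
    if not blocks:
        raise ValueError("no PEM blocks found")
    for label, _ in blocks:
        if label != "CERTIFICATE":
            # e.g. an account or domain key pasted in by mistake
            raise ValueError(f"unexpected PEM block: {label}")
    if len(blocks) < 2:
        raise ValueError("only one certificate found; issuer certificate missing")
    domain_cert = blocks[0][1] + "\n"
    ca_bundle = "\n".join(block for _, block in blocks[1:]) + "\n"
    return domain_cert, ca_bundle
```
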

I have lost my domain key. What should I do?

The easiest way to recover is to generate a new CSR and get a new certificate (and a new domain key if the CSR was generated on ZeroSSL).

Can I see the name of my company on the certificate?

Free certificates are of Domain Validation type (DV) and do not hold that information. To have the information about your company, the certificate would need to pass Organization Validation (OV) or Extended Validation (EV). Both require paperwork (such as actual company checks) and cannot be offered for free as a result.
