Getting a free SSL certificate for a subdomain [closed]

Solution 1:

There are at least three options for using a certificate with a web or mail server:

Option 0: Obtain a certificate from Let's Encrypt

Let's Encrypt may be a way for you to have free, browser-trusted SSL certificates. This is a new option since this question was asked.

Let's Encrypt works a little differently than other CAs. You install a small agent on your server, and it renews your certificate automatically every few months.

I can't quite tell if this option works yet, because there are a few GitHub issues discussing a change to allow No-IP domains to work with their service:

  • letsencrypt/net#12
  • letsencrypt/boulder#1479

Even if this doesn't work today, keep an eye on it, because it seems it will be ready soon.

Option 1: Obtain an SSL certificate signed by a certificate authority (CA)

The advantage of using a certificate signed by a CA is that your visitors will automatically trust your certificate. Operating systems and web browsers ship with a list of trusted root certificates, and only certificates signed by those trusted certificates are considered trusted by default.

The disadvantage is that most of the CAs included with major operating systems and browsers charge money for their services.

CAs do offer certificates for subdomains; however, they generally have some sort of simple verification process to prove you have control of that subdomain. Different CAs may have different policies about issuing certs for subdomains of no-ip.org and other dynamic DNS providers.

A small list of potential CAs you might investigate:

  • Namecheap.com
  • Go Daddy
  • Verisign
  • Starfield Technologies

Option 2: Obtain an SSL certificate from a web-of-trust provider

The only web-of-trust provider I'm aware of is CAcert.org. This is a certificate authority that provides free SSL certificates. However, the certificates do not verify anything about your domain until enough other CAcert.org users have verified your identity. Once you've earned enough "assurance points", you can add a name to your certificate and have longer expiration dates.

However, I don't believe CAcert.org's root certificate is included in most browsers by default. Your visitors will need to install this root certificate or else they'll get the Scary Certificate Warning:

[Image: untrusted certificate error]

Option 3: Generate a self-signed certificate

If you really cannot purchase a certificate, you can create a self-signed certificate. This doesn't require any CA, but other computers will not automatically trust your certificate. Guests visiting a website secured by a self-signed certificate will receive the Scary Certificate Warning.

Depending on your system, there are different ways to do this. If you are using OpenSSL, you can use the instructions provided by Akadia.com:

# Generate a passphrase-protected private key
# (2048-bit RSA; 1024-bit keys are too weak for current use)
openssl genrsa -des3 -out server.key 2048

# Generate a certificate signing request (CSR)
openssl req -new -key server.key -out server.csr

# Generate the self-signed certificate
openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt

You would then install server.crt in your web server of choice.
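
Added example (not part of the original answer): Chrome and other current browsers match the hostname against the subjectAltName extension rather than the CN, so a self-signed certificate for a subdomain needs a SAN entry even after visitors choose to trust it. The sketch below assumes OpenSSL 1.1.1 or newer (for `-addext`); the function names and the hostname in the usage comment are constructed for illustration.

```shell
#!/bin/sh
# Added example: self-signed certificate carrying a subjectAltName.
# Assumes OpenSSL 1.1.1+; function names are hypothetical helpers.

# make_self_signed HOST OUTDIR
# Writes OUTDIR/server.key and OUTDIR/server.crt for HOST.
# The key is left unencrypted (-nodes) so a server can start unattended;
# the restrictive umask keeps it readable by the owner only.
make_self_signed() {
    host=$1
    outdir=$2
    mkdir -p "$outdir" || return 1
    old_umask=$(umask)
    umask 077
    openssl req -x509 -newkey rsa:2048 -sha256 -nodes -days 365 \
        -keyout "$outdir/server.key" -out "$outdir/server.crt" \
        -subj "/CN=$host" \
        -addext "subjectAltName=DNS:$host" 2>/dev/null
    rc=$?
    umask "$old_umask"
    return $rc
}

# cert_covers_host CERT HOST
# Succeeds only if OpenSSL's hostname check accepts HOST for CERT.
cert_covers_host() {
    openssl x509 -in "$1" -noout -checkhost "$2" 2>&1 | grep -q "does match"
}

# cert_fingerprint CERT
# Prints the SHA-256 fingerprint, which visitors can compare out-of-band
# against what their browser shows before accepting the warning.
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# Usage (constructed hostname):
#   make_self_signed myhost.example.test ./certs &&
#   cert_covers_host ./certs/server.crt myhost.example.test &&
#   cert_fingerprint ./certs/server.crt
```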

Solution 2:

You can get a free certificate for subdomains for 90 days from Comodo SSL. This is the only one I've found that is provided by a ubiquitously trusted certificate authority, free, and valid for subdomains. I've personally used it with my free domain provided by no-ip. Unfortunately, it's only valid for 90 days; after that it's $100/year (or less for a multi-year commitment).