If you want to improve your SEO and your visitors’ perception of your site’s security, you can now get a free SSL certificate. After you make the switch, your website’s URL will change from http:// to https:// and most browsers will show the “padlock” symbol in the address bar. In a post-Snowden world, all of the major tech companies are supportive of encrypting as much of the web as possible. The idea is to combat blanket surveillance by making encrypted traffic the norm, so that truly sensitive data doesn’t raise Big Brother’s eyebrows only because it’s encrypted.
Even if you’re not running an e-commerce site, it makes sense to implement a free SSL certificate to protect your WordPress login, which is transmitted in plain text over HTTP by default. And what do you have to lose? It has never been easier to switch your site to HTTPS, and as recently as a few years ago, free SSL was unheard of. In Aug 2014, Google publicly announced that their algorithm treats HTTPS as a ranking signal. This means sites that have installed an SSL certificate will have a slight edge over their competitors in the SERPs.
Free SSL Certificates from Let’s Encrypt
Let’s Encrypt is an industry partnership to create a free Certificate Authority (CA). Most CAs, such as GoDaddy, Thawte and Verisign, charge a yearly fee for their SSL certificates, in theory to cover the cost of validating your domain and contact information. In reality, most Domain Validation (DV) certificates are issued without any human intervention, and the validation process is as simple as sending an email to your admin email address or asking you to upload a file to your web server.
If you need the “green bar” Extended Validation (EV) certificate indicating that your business info was also confirmed by the CA, try one of the providers above. Otherwise, Let’s Encrypt’s free SSL certificates provide the same level of security as a purchased SSL certificate. Because Let’s Encrypt’s certificates chain up to IdenTrust’s root certificates (via a cross-signed intermediate), Let’s Encrypt SSLs are trusted by over 98% of all browsers, including Chrome, Firefox, Internet Explorer and Microsoft Edge.
Step-by-Step Guide to a Free SSL Certificate from Let’s Encrypt
Ready to get started? Here’s how you can get your very own free SSL certificate.
1. Make sure your domain’s admin email is set up.
Your web host will require that the admin email address (email@example.com) is set up to generate the Certificate Signing Request, which we’ll need in the next step. The easiest way to do this is by setting up an “Email Forwarder” in cPanel, if your domain is pointed to your web host’s name servers. If instead your DNS records are managed by your domain registrar, check whether your registrar offers free email forwarding.
2. Contact your web host to generate a Certificate Signing Request (CSR).
Open a ticket or live chat with your web host’s support department and ask them to generate a CSR for the domain you want to set up HTTPS on. The CSR will be sent to your admin email address. If you don’t receive it in a couple of minutes, check your Spam box.
Using shared hosting? Do you need a dedicated IP? No. Some web hosts insist you need a dedicated IP to install an SSL certificate in an attempt to upsell you to a more expensive plan. Any browser on an operating system newer than Windows XP supports SNI (Server Name Indication), a TLS feature that lets multiple domains sharing the same IP address serve different SSL certificates.
Our web host A Small Orange supports SSL SNI and gave us no trouble at all when we asked them to install the Let’s Encrypt certificate. They will have it done in a couple of minutes if you contact them with the necessary information via live chat.
3. Generate an RSA public and private key to identify yourself to Let’s Encrypt.
To make a Certificate Signing Request to Let’s Encrypt, they require you to create a 4,096-bit RSA public/private keypair that will be associated with your Let’s Encrypt account.
You can think of the public key as your username, and the private key as your password. In fact, the private key is even more secret than a password, because you never tell Let’s Encrypt the private key. Instead, only you can “sign” any request you make to Let’s Encrypt with your private key (this is done via the command line on your own computer).
Record your public and private key (keypair) in a safe place. Nobody else can help you recover your private key and you will always need the keypair to renew or revoke your SSL certificate with Let’s Encrypt in the future.
4. Complete the Get HTTPS for Free wizard.
Follow the steps in the Get HTTPS for Free wizard to make the certificate signing request to Let’s Encrypt. Once you have completed the first four steps, the Signed Certificate and Intermediate Certificate will appear under Step 5. You will provide these two certificate blocks to your web host for them to install the SSL certificate on your domain.
Read each instruction carefully and check for any typos. If you make a mistake in any step, you will need to begin the wizard again.
Step 1: Account Info
Enter your admin email address in the “Account Email” text box. Then, copy and paste the public key (begins with -----BEGIN PUBLIC KEY-----) you generated earlier into the “Account Public Key” text field. Click “Validate Account Info”.
Step 2: Certificate Signing Request
Copy and paste the Certificate Signing Request (begins with -----BEGIN CERTIFICATE REQUEST-----) your web host emailed to you into the “Certificate Signing Request” text field. Click “Validate CSR”.
Step 3: Sign API Requests
The wizard will present you with three API requests you will need to sign with your private key (begins with -----BEGIN PRIVATE KEY-----) using the openssl command-line tool. Although a Windows version of openssl is available, most Linux distributions come with openssl preinstalled, so that is what the wizard assumes you are using. We used the latest version, Ubuntu 16.04 LTS, in a VMware virtual machine.
First, copy and paste your private key into a text file and save it as “account.key”. In the same directory, open a Terminal window, run the three commands presented to you by the wizard, and paste the corresponding output (beginning with (stdin)=) into each text box. Click “Validate Signatures”.
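The keypair from step 3 of the guide and the signing from wizard Step 3, as an added example that is not part of the original post or of the Get HTTPS for Free wizard: it generates the 4,096-bit account keypair, produces a signature in the “(stdin)= hex” form the wizard expects, and shows the check the other side performs with only the public key. It assumes the openssl command-line tool is installed; the file names and the sample payload are constructed for this demonstration.

```shell
#!/bin/sh
# Added example (not the wizard's own commands). Assumes openssl is on PATH.
set -e

WORKDIR="${WORKDIR:-$(mktemp -d)}"
ACCOUNT_KEY="$WORKDIR/account.key"   # private key: never leaves your machine
ACCOUNT_PUB="$WORKDIR/account.pub"   # public key: pasted into "Account Public Key"

# Guide step 3: a 4,096-bit RSA account keypair. The private key is the
# "password" in the guide's analogy, so it is created readable only by you.
make_account_keypair() {
  openssl genrsa -out "$ACCOUNT_KEY" 4096 2>/dev/null
  chmod 600 "$ACCOUNT_KEY"
  openssl rsa -in "$ACCOUNT_KEY" -pubout -out "$ACCOUNT_PUB" 2>/dev/null
}

# Reads the key size back from the private key (e.g. "4096").
account_key_bits() {
  openssl rsa -in "$ACCOUNT_KEY" -noout -text 2>/dev/null |
    sed -n 's/.*Private-Key: (\([0-9]*\) bit.*/\1/p'
}

# Wizard step 3: sign one API request payload ($1) with the private key.
# Prints the signature as "(stdin)= <hex>", the shape the wizard asks you to
# paste; the raw signature is also kept on disk for verify_request.
sign_request() {
  printf '%s' "$1" | openssl dgst -sha256 -sign "$ACCOUNT_KEY" -out "$WORKDIR/sig.bin"
  printf '(stdin)= %s\n' "$(od -An -tx1 "$WORKDIR/sig.bin" | tr -d ' \n')"
}

# What the CA side does with your pasted signature: verify it against the
# payload ($1) using only the public key. Exit status 0 means it matches,
# so a signature made over a different payload is rejected.
verify_request() {
  printf '%s' "$1" | openssl dgst -sha256 -verify "$ACCOUNT_PUB" \
    -signature "$WORKDIR/sig.bin" >/dev/null 2>&1
}
```

Run `make_account_keypair` once, then `sign_request` for each payload the wizard shows you; `openssl genrsa` may print `-----BEGIN RSA PRIVATE KEY-----` or `-----BEGIN PRIVATE KEY-----` depending on your openssl version, and both are accepted by the wizard's commands.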
Step 4: Verify Ownership
Like other CAs, Let’s Encrypt requires you to prove you own the domain you want to obtain an SSL certificate for. If you have verified a domain with the Google Search Console before, the process is similar.
The easiest way to prove domain ownership is by choosing Option 2, marked “file-based” verification. Using FTP, upload a text file with the folder and file name exactly as shown. The text file must also contain the string of text given by Let’s Encrypt.
Once you are serving the file on your website, you need to sign one more API request using the terminal to ask Let’s Encrypt to check that the validation file exists on your website. As before, run the displayed command in your Linux terminal and paste the output into the text box.
Finally, click “I’m now running this on…” to proceed.
Step 5: Install Certificate
If you completed everything correctly, Let’s Encrypt will issue an SSL certificate for your domain. Copy and paste the Signed Certificate and Intermediate Certificate into a text file for your reference, then contact your web host with these details.
Once your web host installs the SSL certificate, visit your domain beginning with “https:” but no “www.” and you should see the padlock symbol, indicating your website is secure.
Important Note: Let’s Encrypt Certificates Expire Every 90 Days
All Let’s Encrypt certificates are valid for only 90 days, which may come as a surprise if you’re used to paid SSL certificates that don’t expire for a year or more. Keep this guide handy to obtain a new SSL certificate every 90 days, to ensure your visitors don’t see a security warning when they visit your website. The 90-day validity is not a trial period; renewing a Let’s Encrypt SSL is always free.
Best Practices for Using SSL with WordPress
Under Settings > General in your WP dashboard, change WordPress Address (URL) and Site Address (URL) to your new address beginning with https://.
Add, verify and submit a sitemap for your new https:// address with Google Webmaster Tools. Contrary to popular belief, you cannot use the Change of Address tool to indicate a protocol change; it is only for moving a site to a different domain.
Featured image used under Creative Commons License, courtesy of Yuri Samoilov