Free SSL Certificates with SSL For Free

Since Chrome (in version 57) and Firefox are starting to distrust StartCom for SSL, you may need to switch to another certificate authority. In this case we are going to use the Let's Encrypt CA through the website.


Go to and enter the URL you wish to create a certificate for (you will need to already own the domain), then click the "Create Free SSL Certificate" button.

For this tutorial, we are going to perform manual verification by adding DNS records. This is because I want to be able to create certificates for sites in my local dev environment that are not accessible on the public web. Click the Manual Verification (DNS) option.

The section below will appear on the page after you click the button in the previous step. Click "Manually Verify Domain".

You will now see a section like below. Click the option "I Have My Own CSR".

Configure Your DNS

Navigate to your DNS configuration interface (in my case I go to my domain registrar, namecheap).

Create a new TXT record with the appropriate name and value that was given to you. For example, the screenshot above shows a name of so I will enter the host value of (because the domain automatically gets appended), and a value of GzfxOlbCtW0la1CgIvpQ_bXW-k3ajPwCCHe_QSoUjHw

Generate A CSR

Use the following script to generate a CSR and private key.


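# Site name, used as the base name for the output files (first script argument).
MY_SITE="${1:?usage: $0 <site-name>}"

# Files created from here on (including the private keys) are readable by the owner only.
umask 077

# Create a new 2048-bit RSA private key (you will be asked for a passphrase) and a CSR for it.
openssl req -new \
-newkey rsa:2048 \
-keyout "$MY_SITE.key" \
-out "$MY_SITE.csr"

echo ""
echo "decrypting key"

# Write a passphrase-free copy of the key for the web server to load.
openssl rsa \
-in "$MY_SITE.key" \
-out "$MY_SITE.decrypted.key"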

Open the .csr file in a text editor and copy the contents into the web form.

Check The TXT Record Has Propagated

Whilst you were generating your CSR, hopefully the TXT record has propagated. Check this by using a command like the one below:

dig TXT

If successful, you should get a response that contains something like below:

;; ANSWER SECTION:
59 IN TXT "GzfxOlbCtW0la1CgIvpQ_bXW-k3ajPwCCHe_QSoUjHw"

I use this method because using the site's verify link always came back telling me it couldn't find the TXT record. I think it may be having an issue with subdomains.
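The same check can be scripted so that it compares the value exactly and asks more than one resolver, since a record visible on your own resolver may not yet be visible elsewhere. This is an added example, not part of the original post; the function names, the `DIG` override and the resolver addresses in the usage comment are assumptions of the example.

```shell
#!/bin/sh
# Added example (not from the original post): check a TXT challenge value
# against several resolvers before asking the CA to validate.

# Read `dig +short TXT` output on stdin and succeed only if one record equals
# the expected value exactly. dig prints each record in double quotes and may
# split one record into several strings ("abc" "def"), so join and unquote first.
txt_has_value() {
  [ -n "$1" ] || return 2
  sed -e 's/" "//g' -e 's/^"//' -e 's/"$//' | grep -Fxq -- "$1"
}

# check_propagation NAME VALUE RESOLVER...
# Returns 0 only if every listed resolver already serves the value.
# DIG may be set to another command name (assumption of this example) to stub dig.
check_propagation() {
  name="$1"; value="$2"; shift 2
  missing=0
  for resolver in "$@"; do
    if "${DIG:-dig}" +short TXT "$name" "@$resolver" | txt_has_value "$value"; then
      echo "ok       $resolver"
    else
      echo "missing  $resolver"
      missing=1
    fi
  done
  return "$missing"
}

# Constructed sample answer: an unrelated SPF record plus the challenge value
# from the tutorial, returned by the server as two strings.
sample_answer() {
  printf '%s\n' '"v=spf1 -all"' '"GzfxOlbCtW0la1CgIvpQ_" "bXW-k3ajPwCCHe_QSoUjHw"'
}

if sample_answer | txt_has_value 'GzfxOlbCtW0la1CgIvpQ_bXW-k3ajPwCCHe_QSoUjHw'; then
  echo "challenge value is visible"
fi

# Real use (needs network), with placeholders for your own record:
#   check_propagation "<record-name>" "<value>" 1.1.1.1 8.8.8.8
```

Only click through to validation once every resolver reports `ok`; a `missing` line usually means the record has not propagated yet or was created under the wrong host name.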

Click Submit

Once you see that the TXT record has propagated, click the Download SSL Certificate button and you will be shown a page like below:

Copy and paste the certificate and CA Bundle textareas into appropriate files and use them in conjunction with the private key you generated earlier, to set up your Nginx or Apache webserver.



Stuart is a software developer with a passion for Linux and open source projects.
