If you are active in this industry, you have probably gotten into at least one argument about whether you should pay for SSL or not. Before Let's Encrypt was a thing, paying for an SSL certificate was the standard. Many smaller websites didn't want to or couldn't pay for an expensive certificate, often costing 50€ or more. This led to insecure websites, and in 2012 two Mozilla employees decided to change that. A few months later, Let's Encrypt was born. It offers automated SSL certificate issuance in under 10 seconds, for free, to anyone with a domain and a web server. Many SaaS companies started using it to provide HTTPS encryption for free and without the client having to do anything.
That said, people were sceptical. Can a company that does not charge users survive when it has to deliver thousands of certificates today? Another drawback of Let's Encrypt is that its certificates are only valid for 3 months. That means that, if you do not use a tool that automates the process, you have to request a new certificate every 90 days. For these reasons, many websites today pay for SSL certificates from trusted CAs like Sectigo, GoDaddy, GeoTrust and DigiCert.
Not that long ago, DigiCert launched a new product called "Encryption Everywhere" for SaaS providers to offer SSL certificates to clients for free. An example is 1&1 IONOS, which gives users free DigiCert certificates with the purchase of a domain.
These certificates are normal DigiCert certificates trusted by all major browsers and operating systems, but they do not offer a warranty like the paid certificates.
With the following steps, you can get such a certificate in a few minutes completely for free.
Step 1: Go to freessl.cn
These certificates can't be obtained from DigiCert directly; you need to find a provider that obtains the certificate from DigiCert and delivers it to you.
The only provider I found is FreeSSL.cn. Because the website is in Chinese, you might have trouble navigating it on your own, so follow the next steps to get your certificate.
Step 2: Enter your domain name
Type your domain name into the white field that has a green padlock and https:// text.
Then click on the green button.
Step 3: Select DigiCert
The site also provides Let's Encrypt and Trust Asia certificates. Because we want DigiCert certificates, select DigiCert below the domain input box.
Step 4: Enter your Email address
You will be redirected to the next step of the process. You can see multiple checkboxes with mostly Chinese writing next to them. Leave these options unchanged.
In the white box, input your Email address but do not click on the green button yet.
Step 5: Install KeyManager
To store the generated certificates on your computer, FreeSSL uses KeyManager, a free local certificate management tool. Download it from keymanager.org, open it and click on the globe in the upper right.
Then, select English from the dropdown and the software will be switched to a language that you can understand.
Enter the same password in the first two fields and type a password hint in the third input. Then, click on Start.
You will see a generated recovery key. Note it down or take a photo and click on "I have finished storing it" (the blue button).
KeyManager is now set up.
Step 6: Save certificate key
Now return to FreeSSL.cn, click on the green button and KeyManager will be opened. Wait until a green message pops up and switch to your browser again.
Click on the blue button on the website and a new site should appear.
Step 7: DNS verification
Next, switch to your DNS provider (usually your registrar or Cloudflare) and create a new TXT entry called "_dnsauth". For the value, switch back to FreeSSL and copy the value of the marked field.
Next, click on the blue button to make DigiCert check if you have set up the DNS record.
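Before you click the blue button, you can check that the TXT record has actually propagated. The script below is an added example, not part of the original tutorial or of FreeSSL's tooling; it assumes `dig` is installed, that the record's full name is `_dnsauth.<your domain>`, and the list of public resolvers is an arbitrary choice.

```bash
#!/usr/bin/env bash
# Added example: confirm the "_dnsauth" TXT record is visible before asking
# the CA to validate it. Usage: ./check_dnsauth.sh example.com 'VALUE_FROM_FREESSL'

# dig prints every TXT string in double quotes and splits long values into
# several quoted chunks ("part1" "part2"). Join the chunks, drop the quotes.
normalize_txt() {
    sed -e 's/" "//g' -e 's/^"//' -e 's/"$//'
}

# Reads `dig +short TXT` output on stdin. Succeeds only if one record equals
# the expected value exactly (a stale or truncated value must not pass).
txt_contains() {
    local expected="$1"
    normalize_txt | grep -Fxq -- "$expected"
}

# Ask several public resolvers (assumed list, override with RESOLVERS="...").
# Returns non-zero if any of them does not serve the expected value yet.
check_dnsauth() {
    local domain="$1" expected="$2" resolver rc=0
    for resolver in ${RESOLVERS:-1.1.1.1 8.8.8.8 9.9.9.9}; do
        if dig +short TXT "_dnsauth.${domain}" "@${resolver}" \
            | txt_contains "$expected"; then
            echo "ok       ${resolver}"
        else
            echo "missing  ${resolver}"
            rc=1
        fi
    done
    return "$rc"
}

# Only run the live lookup when called with <domain> <expected-value>.
if [ "$#" -eq 2 ]; then
    check_dnsauth "$1" "$2"
fi
```

If a resolver reports `missing`, wait for the record's TTL to pass and run the check again before starting the validation.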
Step 8: The certificate
If you have set up the DNS record correctly, you should be greeted with the certificate and CA bundle after about half a minute.
Click on the blue button that contains "KeyManager". KeyManager should open and present you with the certificate. To use it, click on "Export", select what you want to use it for and click "Export" again.
Congratulations, you now have a DigiCert certificate that is valid for 1 year.
If you had issues following the tutorial, feel free to reach out to me on Twitter and I'll happily help you: twitter.com/thatmarcelbraun