What an SSL Certificate Actually Is (and Why You Don't Need to Buy One)

Free SSL is the 2026 default. Verify your cert, set auto-renew, and skip paid-CA upsells with these Caddy / Nginx / curl / openssl commands.

SSL certificates used to be a real line item: roughly $50 to $200 a year just for the https:// padlock. As of June 2026, paying for one is wasted money in almost every indie context. Let’s Encrypt, Google Trust Services, and Cloudflare hand out free, browser-trusted certificates, and a paid DigiCert DV cert (which starts around $300/year) is cryptographically identical to the free one. This guide gives you the mental model, the exact commands to verify your cert, and the self-host configs if you are not on a managed platform.

TL;DR

  • Do not buy a certificate. Your host (Vercel, Firebase, Netlify, Cloudflare Pages, Render, Fly) auto-provisions a free one. For a non-hosted origin, put it behind Cloudflare or run Caddy/Certbot.
  • Free = paid, security-wise. Same algorithms, same publicly trusted roots, same browser padlock. There is no “more secure” certificate you can buy for a static site.
  • The only job is automated renewal. Let’s Encrypt certs are still 90 days by default in June 2026, but the validity window is shrinking (45-day profile is now opt-in; see below). Manual renewal is no longer realistic — let your platform or ACME client handle it.
  • EV certificates are pointless for indies. Browsers removed the green “company name” bar back in 2019. Visitors cannot tell EV from a free DV cert.

What an SSL (TLS) certificate is

An SSL certificate — technically a TLS certificate; “SSL” is the legacy name that stuck — is a cryptographic file that proves the domain you are connecting to controls the matching private key. Browsers trust certificates issued by a Certificate Authority (CA) in their root store. Let’s Encrypt and Google Trust Services are free, automated, publicly trusted CAs. Most modern hosts request and renew a certificate from one of them on your behalf using the ACME protocol, so you never touch a key file.

Do you already have working SSL? How to tell

  • Your site loads over https:// with a padlock — you already have working SSL. Done.
  • Your host dashboard says “certificate active” or “SSL provisioned” — done.
  • Your registrar emailed you a “limited-time SSL discount” — that is a sales pitch, not a requirement.
  • Your browser shows “Not secure” — almost always a config or mixed-content issue, not a missing-purchase issue.
  • openssl s_client -connect yourdomain.com:443 returns a valid chain — verified at the protocol level.

Quick verdict

Do not buy an SSL certificate as an indie developer. Use the free one your host provides (Vercel, Firebase, Netlify, Cloudflare Pages), or front your origin with Cloudflare. Paid certificates only make sense for organizations that specifically need OV/EV identity validation, a warranty, or vendor support contracts — almost no indie site does.

Free vs paid certificate authorities (June 2026)

ProviderCostValidityRenewalTrust
Let’s EncryptFree90 days (default); 45-day & 6-day profiles opt-inAutomated (ACME)All major browsers
Google Trust ServicesFree~90 daysAutomated (ACME)All major browsers
Cloudflare Universal SSLFreeManaged by CloudflareFully automaticAll major browsers
ZeroSSL / BuypassFree tier90 daysAutomated (ACME)All major browsers
Sectigo DV~$8–$100/yr1 year (398-day cap)Manual or ACMEAll major browsers
DigiCert DV/OV/EVfrom ~$300/yr1 yearManual or ACMEAll major browsers

The padlock and the encryption are identical across every row. What you pay for at the bottom is identity validation paperwork and a support contract, not a “stronger” certificate.

Before you start

  • Domain points at your host correctly (DNS resolves — check with dig yourdomain.com).
  • The host’s “Add domain” flow is completed.
  • curl and openssl are installed for verification.

Step by step

  1. Most hosts auto-provision. On Vercel, Netlify, Firebase, Cloudflare Pages, Render, or Fly, add the domain and wait for “SSL provisioned” — usually under an hour after DNS is correct. You do nothing else.

  2. Verify with curl:

curl -vI https://yourdomain.com 2>&1 | grep -E 'subject:|issuer:|HTTP|Verify return code'
# subject: CN=yourdomain.com
# issuer: C=US, O=Let's Encrypt, CN=R11
# HTTP/2 200
# Verify return code: 0 (ok)

The issuer CN is now R10 through R14 for Let’s Encrypt RSA certs (the old R3/R4 intermediates were retired in favor of the new “Generation Y” hierarchy rolled out from late 2025). ECDSA certs show E5E9. A Cloudflare-fronted site may show Google Trust Services instead — both are free and equally trusted.

  1. Or inspect details with openssl:
echo | openssl s_client -showcerts -servername yourdomain.com -connect yourdomain.com:443 2>/dev/null \
  | openssl x509 -noout -subject -issuer -dates
# subject= /CN=yourdomain.com
# issuer= /C=US/O=Let's Encrypt/CN=R11
# notBefore=Jun  1 00:00:00 2026 GMT
# notAfter=Aug 30 00:00:00 2026 GMT       <- 90 days, the current Let's Encrypt default
  1. Self-host on a VPS — use Caddy (zero-config Let’s Encrypt, auto-renew built in):
# /etc/caddy/Caddyfile
yourdomain.com {
    root * /var/www/yoursite
    file_server
    encode gzip
}

www.yourdomain.com {
    redir https://yourdomain.com{uri} permanent
}

Reload with sudo systemctl reload caddy. Caddy provisions the certificate on first request and renews indefinitely, so it copes automatically with shorter cert lifetimes.

  1. Self-host with Nginx — use Certbot:
sudo apt install certbot python3-certbot-nginx
sudo certbot --nginx -d yourdomain.com -d www.yourdomain.com
# follow prompts: agree to terms, Certbot edits Nginx config and installs a renewal timer
sudo systemctl list-timers | grep certbot
# certbot.timer ... (renew check runs twice daily)

Confirm renewal works without actually renewing:

sudo certbot renew --dry-run
  1. Cloudflare-fronted origins — set “Full (strict)” SSL mode. Dashboard → SSL/TLS → Overview → “Full (strict)”. This requires a valid certificate on your origin (a Let’s Encrypt cert or a free 15-year Cloudflare Origin CA cert). Never use “Flexible”: it sends plain HTTP between Cloudflare and your origin, which is insecure and breaks redirect loops.

  2. Force the HTTPS redirect. Most hosts do this automatically. Caddy redirects by default. For Nginx:

server {
    listen 80;
    server_name yourdomain.com www.yourdomain.com;
    return 301 https://$host$request_uri;
}
  1. Monitor expiration as a safety net. Even with auto-renew, a weekly cron that checks days-remaining catches a broken renewal before visitors do:
# scripts/cert-expiry-check.sh
EXPIRY=$(echo | openssl s_client -servername "$DOMAIN" -connect "$DOMAIN:443" 2>/dev/null \
  | openssl x509 -noout -enddate | sed 's/notAfter=//')
DAYS=$(date -d "$EXPIRY" +%s)
NOW=$(date +%s)
REMAINING=$(( (DAYS - NOW) / 86400 ))
[ "$REMAINING" -lt 14 ] && echo "WARN: $DOMAIN cert expires in $REMAINING days"

The validity window is shrinking — plan for automation, not calendars

Certificate lifetimes are getting shorter across the whole industry, which makes manual renewal a liability. The key Let’s Encrypt dates, per its official roadmap:

  • Jan 15, 2026 — 6-day short-lived certificates and IP-address certificates went generally available (opt-in shortlived profile; renew every ~3 days).
  • May 13, 2026 — the tlsserver ACME profile began issuing 45-day certificates as an opt-in choice.
  • June 2026 (now) — the default certificate is still 90 days. Nothing breaks if you do nothing.
  • Feb 10, 2027 — the default profile is scheduled to drop to 64-day certificates.
  • Feb 16, 2028 — the default profile is scheduled to reach 45-day certificates.

Practical takeaway: as long as Caddy, Certbot, or your platform handles ACME renewal automatically, these changes are invisible to you. If anything ever depends on a 90-day assumption (a hardcoded reminder, a 90-day script), retire it now.

Implementation checklist

  • curl -vI returns a valid cert with the expected CN and Verify return code: 0 (ok).
  • openssl x509 -noout -dates shows a future notAfter.
  • Auto-renew confirmed via certbot renew --dry-run, Caddy logs, or your platform’s docs.
  • Cloudflare SSL mode is “Full (strict)” if you front your origin with Cloudflare.
  • HTTP automatically redirects to HTTPS (301).

After-launch verification

  • Browser padlock with no warnings.
  • SSL Labs Server Test returns at least an A.
  • Mixed-content warnings are zero (DevTools → Console). One http:// asset turns the padlock into a warning.

Common pitfalls

  • Paying your registrar $50/year for a DV cert. It is the same Let’s Encrypt-grade certificate your free host installs automatically. Pure margin for them.
  • Buying an EV certificate for an indie blog. Browsers removed the green company-name bar in 2019; visitors cannot tell EV from a free DV cert. You are paying for paperwork no one sees.
  • Disabling auto-renew and forgetting. A Let’s Encrypt cert dies in 90 days (and shorter soon). Visitors hit a hard NET::ERR_CERT_DATE_INVALID error the moment it lapses.
  • Using “Flexible” SSL on Cloudflare. It means plain HTTP between Cloudflare and your origin — insecure and a frequent cause of redirect loops. Always “Full (strict)”.
  • Pinning a specific certificate (HPKP-style) without controlling renewal. Auto-renewal swaps the cert and your pin breaks silently. Don’t pin unless you own the rotation.

FAQ

  • Are free certificates as secure as paid ones?: Yes. They use the same cryptographic algorithms, chain to the same publicly trusted roots, and are trusted identically by every major browser. The padlock is byte-for-byte the same experience.
  • How long do Let’s Encrypt certs last?: 90 days by default as of June 2026. A 45-day profile is opt-in (started May 13, 2026), and 6-day short-lived certs are generally available for those who want them. Automation renews them; you should never think about it.
  • What is the difference between SSL and TLS?: TLS is the modern protocol; SSL is the older name that stuck. An “SSL certificate” today is a TLS certificate — the terms are used interchangeably.
  • My issuer says R11, not R3 — is that wrong?: No. Let’s Encrypt retired the R3/R4 intermediates and now signs RSA certs with R10–R14 (the “Generation Y” hierarchy). ECDSA certs use E5–E9. All are normal and trusted.
  • Do I need a wildcard certificate?: Only if one certificate must cover many subdomains. Let’s Encrypt issues wildcards via the DNS-01 challenge, and most managed hosts handle subdomain certs for you anyway.
  • What about HSTS preload?: .dev and .app TLDs are preloaded — browsers refuse plain HTTP on them entirely. For other TLDs you opt in by serving the Strict-Transport-Security header and submitting at hstspreload.org.

Tags: #Indie dev #Domain #SSL #Getting started