Free TLS/SSL Certificates: How to Get and Auto-Renew Them

Free TLS is real, standard, and production-grade. For the common case – a domain-validated certificate that turns `http://` into `https://` – a free certificate delivers exactly the same encryption as a paid one. The browser shows the same padlock, the connection uses the same cipher suites, and an attacker on the wire is stopped just as effectively. There is no “lite” cryptography for free certificates.

This guide is the practical, technical companion to the question of whether paid SSL is worth it. Here we focus on one thing: how free TLS actually works and how to get it onto your site at no cost – from automatic issuance on cPanel hosting, to running `certbot` yourself on a VPS, to the single most important detail that trips people up: auto-renewal.

Key Takeaways
• Free TLS = the same encryption as paid for the common DV (Domain Validation) case. You are not getting weaker security.
• The three main sources are Let’s Encrypt (a free, automated CA via the ACME protocol), ZeroSSL, and hosting-provided AutoSSL (cPanel auto-issues and auto-renews certs for you).
• On cPanel hosting, HTTPS is usually automatic – AutoSSL handles issuance and renewal with zero effort.
• On a VPS, use certbot (`certbot --nginx` or `certbot --apache`) to issue and configure the certificate in one command.
• Free certs are valid for 90 days by design, so auto-renewal (a certbot timer/cron or AutoSSL) is essential – set it once and never think about expiry again.
• Free TLS covers DV only. It does not provide OV/EV business-identity validation.

What Is Free TLS and Is It the Same as Free SSL?

The terms SSL and TLS are used interchangeably in everyday language, but technically TLS (Transport Layer Security) is the modern protocol that replaced the older SSL. When someone says “SSL certificate” today, the actual encryption is almost always done with TLS. So free TLS and free SSL refer to the same thing: a certificate that enables encrypted HTTPS connections at no cost.

What matters is the validation type. A free certificate is a Domain Validation (DV) certificate. The issuing authority confirms one thing – that you control the domain – then issues the certificate automatically. That single check is enough to secure the connection. It is *not* enough to vouch for your company’s legal identity, which is what paid OV and EV certificates do. We cover that trade-off below and in our companion piece on whether paid certs are worth the cost.

For the vast majority of sites – blogs, portfolios, brochure sites, small stores, APIs, internal tools – DV is exactly what you need, and free is the correct choice.

Where Does Free TLS Come From? The Main Sources

Free TLS is not a single product. It comes from a few well-established sources, and the right one depends on whether you are on managed hosting or a server you control.

Let’s Encrypt

Let’s Encrypt is a free, automated, non-profit certificate authority. It is the engine behind most free TLS on the internet. Instead of a manual buy-and-install workflow, it uses the ACME protocol – a standardized way for a client on your server to prove domain control and receive a certificate programmatically. This automation is the whole point: it makes issuing and renewing certificates a script, not a chore.

ZeroSSL

ZeroSSL is another free certificate authority that also speaks ACME, so it works with the same kind of automated clients. It is a common alternative or fallback to Let’s Encrypt, and some hosting control panels can pull from it as a secondary source. From a security standpoint, a DV certificate from ZeroSSL is equivalent to one from Let’s Encrypt.

Hosting-Provided AutoSSL

If you are on cPanel shared hosting, you likely already have free TLS without doing anything. AutoSSL is a cPanel feature that automatically issues and renews DV certificates (typically from Let’s Encrypt) for the domains on your account. It checks coverage on a schedule, requests certificates for any domain that lacks one, and renews them before they expire. This is the zero-effort path: HTTPS appears, and it stays on.

Comparison: Free TLS Sources and Methods

| Source / Method | How you get it | Best for | Renewal | Effort |
|---|---|---|---|---|
| AutoSSL (cPanel) | Automatic on the host | Shared/managed hosting users | Automatic (host-managed) | None |
| Let’s Encrypt + certbot | Run `certbot` on your server | VPS / dedicated server admins | certbot timer or cron | One-time setup |
| Let’s Encrypt (DNS challenge) | certbot with a DNS plugin | Wildcards, internal hosts | certbot + DNS API | Moderate |
| ZeroSSL (ACME) | ACME client / panel integration | Alternative or fallback CA | ACME client timer | One-time setup |

Why Do Free Certificates Expire Every 90 Days?

Here is the detail that surprises people new to free TLS: Let’s Encrypt certificates are valid for only 90 days. That sounds like a downside compared to the one- or multi-year certificates of the past. It is actually the opposite, and understanding why reframes the whole topic.

The short lifetime is deliberate, and the entire design philosophy is built around automation. Two reasons drive it. First, shorter lifetimes limit damage if a key is ever compromised – a stolen certificate is useless within weeks rather than years. Second, and more importantly, a 90-day window is too short to renew by hand comfortably, which *forces* you to automate. Once renewal is automated, it does not matter whether the certificate lasts 90 days or 90 hours – the machine handles it.

So the “problem” of short validity is really the solution in disguise. The free TLS ecosystem traded long manual certificates for short automated ones, and the result is HTTPS that maintains itself. The practical takeaway: set up auto-renewal once, and you never think about certificate expiry again. On cPanel, AutoSSL already does this. On a VPS, certbot installs a renewal timer for you. The failure mode people hit is not “free certs are weak” – it is “someone disabled the automation,” and then a certificate quietly lapsed.

How Do You Get Free TLS on cPanel Hosting?

On most cPanel hosting, the answer is you already have it, or it takes one click.

AutoSSL runs in the background. When you add a domain or subdomain, AutoSSL detects it on its next run and requests a free DV certificate for it. You can also trigger it manually:

  • In cPanel, open SSL/TLS Status.
  • Select the domains you want covered.
  • Click Run AutoSSL.

Within a few minutes the domains show a valid certificate, and `https://` works. From then on, renewal is automatic – AutoSSL re-checks and re-issues well before the 90-day expiry. There is no cron job to write and no command to run. This is why managed hosting is the simplest route to free TLS: the host owns the automation.

How Do You Get Free TLS on a VPS with Certbot?

On a VPS or dedicated server, you control the stack, so you run the ACME client yourself. The standard tool is certbot, the official Let’s Encrypt client. It can both issue the certificate and configure your web server in a single command.

For Nginx:

```bash
sudo certbot --nginx -d example.com -d www.example.com
```

For Apache:

```bash
sudo certbot --apache -d example.com -d www.example.com
```

certbot proves domain control (usually over HTTP), fetches the certificate, edits your web server config to use it, and can set up an automatic HTTP-to-HTTPS redirect. After it finishes, the site serves HTTPS.

Set up and confirm auto-renewal. Modern certbot installs a systemd timer (or a cron entry) automatically, so renewal usually needs no extra work. Verify it with a dry run:

```bash
sudo certbot renew --dry-run
```

If that succeeds, your renewals will too. You can inspect the timer with `systemctl list-timers | grep certbot`. The renewal command itself – which the timer runs for you – is simply:

```bash
sudo certbot renew
```

It only renews certificates that are close to expiry, so it is safe to run often. This one-time setup is the entire difference between “free TLS that maintains itself” and “free TLS that lapses in three months.”

Can You Get a Free Wildcard Certificate?

Yes. A wildcard certificate (`*.example.com`) secures every subdomain under one certificate, and Let’s Encrypt issues wildcards for free. The catch is the validation method: wildcards require a DNS-01 challenge, meaning you prove control by creating a special DNS TXT record rather than answering over HTTP.

With certbot, that looks like:

```bash
sudo certbot certonly --manual --preferred-challenges dns -d "*.example.com" -d example.com
```

certbot gives you a TXT record to add to your DNS zone, verifies it, then issues the wildcard. For hands-off renewal, use a DNS plugin for your provider (so certbot can create the TXT record automatically) – otherwise the manual method requires you to update DNS each renewal, which defeats the automation. DNS-challenge wildcards are the standard way to cover many subdomains, or to secure internal hosts that are not reachable over public HTTP.

What Does Free TLS Not Cover?

Free TLS does its core job completely: encryption and domain authentication. But it has clear boundaries, and knowing them prevents disappointment.

  • No organization validation (OV/EV). Free certs are DV only. They confirm domain control, not your company’s legal identity. If you need a vetted business name in the certificate – common in finance, healthcare, or enterprise commerce – that is a paid OV/EV product, not a free one.
  • No warranty. Paid certificates often include a financial warranty from the CA. Free certificates do not.
  • Community support, not a vendor SLA. Free CAs offer documentation and community help, not a named support contact. (Managed hosting with free SSL fills this gap, because your *host* supports you.)
  • Short validity by design. As covered above, 90 days is a feature, not a flaw – but it means automation is mandatory, not optional.

None of these are security weaknesses. They are the trust-signal and support layers that paid certificates add on top of the identical encryption. For a deeper breakdown of when those layers justify the cost, see our companion guide.


Free SSL on Every DarazHost Plan – HTTPS With Zero Effort

You should not have to manage certificate automation to get HTTPS. Every DarazHost hosting plan includes free SSL, powered by AutoSSL – automatic Let’s Encrypt issuance *and* automatic renewal. Add a domain, and the certificate provisions itself; before each 90-day expiry, it renews silently. The padlock simply stays on, with no cron jobs to babysit and no command line required.

Prefer to run things yourself? DarazHost VPS plans give you full root access, so you can install certbot and issue, configure, and auto-renew Let’s Encrypt or ZeroSSL certificates exactly the way you want – including DNS-challenge wildcards. Whether you want the host to handle TLS automatically or you want to drive `certbot --nginx` by hand, free SSL is available on every plan, backed by 24/7 support from a team that knows the difference between a DV cert and a DNS challenge.



How Do You Make Sure Free TLS Never Expires?

The single rule of free TLS is: automate renewal once, then verify it works. Everything else is detail.

  • On cPanel: confirm AutoSSL is enabled and your domains appear in SSL/TLS Status. The host handles renewal.
  • On a VPS: confirm certbot’s timer is active and run `sudo certbot renew --dry-run` to prove renewals will succeed.
  • For wildcards: use a DNS plugin so renewal does not need manual TXT edits.
  • Monitor as a backstop: an external uptime/SSL monitor that alerts on approaching expiry is cheap insurance against a broken automation job.

Do those, and the 90-day cycle becomes invisible. The certificate refreshes itself indefinitely, and `https://` stays green without your involvement.
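A minimal version of the monitoring backstop, as an added example that is not part of the original article. It assumes renewal is attempted once fewer than 30 days remain and alerts at 21 days, so an alert means the automation has already been failing for over a week; both thresholds and all function names are choices made for this example.

```python
import socket
import ssl
from datetime import datetime, timezone

# Assumptions of this example (not values taken from the article):
RENEW_WINDOW_DAYS = 30  # renewal is expected once fewer than 30 days remain
ALERT_DAYS = 21         # below this, renewal has been failing for over a week

def days_left(not_after: str, now: datetime) -> float:
    """Days until expiry, given notAfter in the 'Jun 30 12:00:00 2025 GMT' form."""
    expires = datetime.fromtimestamp(ssl.cert_time_to_seconds(not_after), tz=timezone.utc)
    return (expires - now).total_seconds() / 86400

def classify(not_after: str, now: datetime) -> str:
    remaining = days_left(not_after, now)
    if remaining <= 0:
        return "EXPIRED"
    if remaining < ALERT_DAYS:
        return "ALERT"          # automation should have renewed already
    if remaining < RENEW_WINDOW_DAYS:
        return "RENEWAL_DUE"    # inside the window; normal for a few days
    return "OK"

def check_host(host: str, port: int = 443, timeout: float = 5.0) -> str:
    """Live check: fetch the certificate the server presents and classify it."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                not_after = tls.getpeercert()["notAfter"]
    except ssl.SSLCertVerificationError as exc:
        # An already-expired (or otherwise invalid) certificate fails the handshake.
        return f"INVALID: {exc.verify_message}"
    except OSError as exc:
        return f"UNREACHABLE: {exc}"
    return classify(not_after, datetime.now(timezone.utc))

if __name__ == "__main__":
    # Constructed sample: a 90-day certificate expiring on 30 June 2025.
    sample = "Jun 30 12:00:00 2025 GMT"
    for day in ("2025-04-01", "2025-06-05", "2025-06-15", "2025-07-01"):
        now = datetime.fromisoformat(day + "T12:00:00+00:00")
        print(day, classify(sample, now))
```

Run `check_host` from a machine other than the web server, so the check still fires when the server's own scheduler is the thing that broke.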

Frequently Asked Questions

Is free TLS as secure as a paid certificate?

For encryption, yes – identically. A free DV certificate from Let’s Encrypt or ZeroSSL uses the same TLS protocol versions, cipher suites, and key strengths as a paid DV certificate. The difference is validation level (free is DV only) and the warranty/support that paid certificates add, not the strength of the cryptography protecting your visitors’ data.

Why do Let’s Encrypt certificates only last 90 days?

The short lifetime is intentional. It limits the damage window if a key is ever compromised, and it makes manual renewal impractical – which pushes everyone toward automation. Once renewal is automated (via a certbot timer, cron, or AutoSSL), the 90-day cycle is invisible. The certificate renews itself before each expiry without any action from you.

Do I have to use the command line to get free TLS?

No. On cPanel hosting with AutoSSL, free TLS is issued and renewed automatically with no commands at all – it is fully managed by the host. The command line (`certbot`) is only needed when you run your own VPS or dedicated server and want to issue and configure certificates yourself.

Can I get a free wildcard certificate for all my subdomains?

Yes. Let’s Encrypt issues free wildcard certificates (`*.example.com`), but they require a DNS-01 challenge – you prove control by adding a DNS TXT record. Use a certbot DNS plugin for your provider so the record is created and renewed automatically; otherwise you would have to update DNS by hand at each renewal.

What is the difference between AutoSSL and certbot?

AutoSSL is a cPanel feature that automatically issues and renews free certificates for you on managed hosting – zero effort, no commands. certbot is the official Let’s Encrypt client you run yourself on a VPS or server you control, giving you full command over issuance, web-server configuration, and renewal. AutoSSL is the hands-off route; certbot is the hands-on one.

The Bottom Line

Free TLS is the standard, not a compromise. For the common DV case, it delivers the same encryption as any paid certificate, and getting it is genuinely easy: on cPanel, AutoSSL does it automatically; on a VPS, one certbot command issues and configures it. The only rule that matters is auto-renewal – because free certificates last 90 days by design, you set the automation up once so HTTPS maintains itself forever. Reserve paid certificates for the specific cases where you need verified business identity, a warranty, or formal support; for everything else, free TLS is the right, secure default.
