# Here's another free CA as an alternative to Let's Encrypt!

Scott Helme, 19 Aug 2021 (4 min read)

As the use of HTTPS continues to increase across the Web, we need more support from the Certificate Authorities that issue the certificates that make it all work. I'm a huge fan of Let's Encrypt and what they're doing, but if we want to encrypt the entire Web, we can't depend on a single organisation to help us do that. That's why I'm happy to announce another free CA to help us get there!

## Existing Options

Of course, Let's Encrypt is my primary recommendation when anyone asks me about a CA. They're free to use, simple and reliable. Something else I always tell everyone though, especially in our TLS/PKI Training, is that you should have a backup CA. Your certificate makes your website work, and if your certificate stops working, your website stops working! There are many reasons a certificate can stop working, the usual one being expiration, but whatever the reason, you need a new one. Now, if Let's Encrypt are having a bad day and you can't get a certificate from them for whatever reason, you have a problem. This is why a backup CA is so important: we must have other options.

I've previously spoken about two other CAs that offer free certificates via an ACME API, Buypass and ZeroSSL. You can see the blog posts about each of those two CAs linked there, but today I'm focusing on another option we now have.

## SSL.com

We can now bring the total number of CAs that you can use quickly, easily and for free up to four!
There are a couple of steps to set up an account on SSL.com; here's how. First, register for a free account.

Next, you need to get your API credentials so your ACME client can talk to their API. You can get those here.

Now you can register your ACME client with the SSL.com API. I'm using the acme.sh client, but the process will be similar no matter which client you choose to use. This is the first command to run, which registers an RSA account (the `--eab-kid` and `--eab-hmac-key` values are the API credentials from the previous step, masked here):

```
[email protected]:~$ acme.sh --register-account --server sslcom -m [email protected] --eab-kid 7a7xxxxxx7e1 --eab-hmac-key hEAxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxGzs
[Sat 14 Aug 10:29:57 UTC 2021] Create account key ok.
[Sat 14 Aug 10:29:58 UTC 2021] Registering account: https://acme.ssl.com/sslcom-dv-rsa
[Sat 14 Aug 10:30:01 UTC 2021] Registered
[Sat 14 Aug 10:30:01 UTC 2021] ACCOUNT_THUMBPRINT='fB-V5_I03s_SLVnsn_ldKxxxxxxxxxxxxxxxxxxxOnY'
```

Followed by the second command to register an ECC account:

```
[email protected]:~$ acme.sh --register-account --server sslcom -m [email protected] --eab-kid 7a7xxxxxx7e1 --eab-hmac-key hEAxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxGzs --ecc
[Sat 14 Aug 10:30:13 UTC 2021] Registering account: https://acme.ssl.com/sslcom-dv-ecc
[Sat 14 Aug 10:30:16 UTC 2021] Registered
[Sat 14 Aug 10:30:16 UTC 2021] ACCOUNT_THUMBPRINT='dghxxxxxxxxxxxxxxxxxxTlA__VN1xxxxxxxxxxxnPk'
```

You're now ready to go and issue some certificates!
```
/home/scott/acme.sh/acme.sh --issue --dns dns_cf -d sslcom-demo.scotthelme.co.uk --force --keylength ec-256 --server sslcom
Subject: CN=sslcom-demo.scotthelme.co.uk
Issuer: CN=SSL.com SSL Intermediate CA ECC R2,O=SSL Corp,L=Houston,ST=Texas,C=US
```

One new certificate ready to go, and here's the CT log entry in crt.sh to show it! This is super easy and only took me a matter of minutes to set up a new CA and get a certificate issued.

## Randomising my CA

Just because I can, and just because I'm interested, I figured I'd randomise the CA I'm using to be any one of the four that are now available to use for free via ACME. I have a little HP ProLiant server under my stairs that I use for various tasks and projects, one of them being to manage certificates for all of my internal devices. My certificate management is nothing fancy: I just have a few bash scripts running via cron that obtain new certificates and deploy them locally on the server or SCP them to where they need to be on my network devices, like my UniFi Dream Machine Pro or my UniFi Protect NVR. I've now added a random selection for which CA will be used, so from now on, Let's Encrypt won't be my exclusive CA!

```bash
#!/bin/bash
set -e
# The four free ACME CAs, by their acme.sh --server names.
SERVERS=("zerossl" "letsencrypt" "buypass" "sslcom")
# Pick one at random for this run and issue against it.
/home/scott/acme.sh/acme.sh --issue --dns dns_cf -d homeassistant.scotthelme.co.uk --force --keylength ec-256 --server "$(shuf -n1 -e "${SERVERS[@]}")"
```

If you're using Certificate Authority Authorisation (CAA), then don't forget to add the ssl.com value to your CAA record to let them issue certificates for your domain, but other than that, it's easy!

If you want to get notified when I publish a new blog, please consider subscribing!

Tags: ACME, SSL.com
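As an added example (not Scott's own script), here is a version of the random pick that first checks the domain's CAA records and only chooses among the CAs they permit, so a random choice never lands on a CA that CAA would block at issuance time. It runs on a constructed CAA record set in the form `dig +short CAA <name>` prints; the ssl.com issuer value is from the post, while letsencrypt.org, buypass.com and sectigo.com (for ZeroSSL) are assumed from those CAs' documentation and should be verified before use.

```shell
#!/bin/bash
# Added example (not from the post): pick an acme.sh --server only among
# the CAs that the domain's CAA records permit.
# acme.sh server name -> CAA issuer domain. ssl.com is from the post; the
# other three are assumed from those CAs' documentation (verify before use).
caa_issuer() {
  case "$1" in
    letsencrypt) echo "letsencrypt.org" ;;
    buypass)     echo "buypass.com" ;;
    zerossl)     echo "sectigo.com" ;;      # ZeroSSL issues via Sectigo (assumed)
    sslcom)      echo "ssl.com" ;;
    *)           return 1 ;;
  esac
}
# Constructed sample records, in the form `dig +short CAA <name>` prints them.
SAMPLE_CAA='0 issue "letsencrypt.org"
0 issue "ssl.com; validationmethods=dns-01"
0 iodef "mailto:security@example.com"'
# caa_permits <issuer-domain> <records>: succeeds if that CA may issue.
# Only "issue" tags count (issuewild applies to wildcard names); no issue
# tags at all permits any CA, and issue ";" permits none.
caa_permits() {
  issuer=$1
  printf '%s\n' "$2" | {
    has_issue=0
    while read -r flag tag value; do
      [ "$tag" = "issue" ] || continue
      has_issue=1
      value=${value#\"}; value=${value%\"}   # strip surrounding quotes
      value=${value%%;*}                      # strip "; parameters"
      [ "$value" = "$issuer" ] && exit 0      # leave the subshell: permitted
    done
    [ "$has_issue" -eq 0 ]
  }
}
# allowed_servers <records>: one permitted acme.sh server name per line.
allowed_servers() {
  for server in letsencrypt buypass zerossl sslcom; do
    if caa_permits "$(caa_issuer "$server")" "$1"; then echo "$server"; fi
  done
}
# pick_server <records>: a random permitted server; fails if there is none.
pick_server() {
  candidates=$(allowed_servers "$1")
  [ -n "$candidates" ] || { echo "CAA permits none of the listed CAs" >&2; return 1; }
  shuf -n1 -e $candidates   # unquoted on purpose: one argument per candidate
}
```

In a cron script you would replace `$SAMPLE_CAA` with the live records, e.g. `--server "$(pick_server "$(dig +short CAA "$DOMAIN")")"`, and the issue command then fails early with a clear message instead of a CAA rejection from the CA.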
License: CC BY-SA 4.0