Why can SSL certificates not be free of charge?

SSL certificates provide two things, encryption and authentication. For encryption, any SSL certificate will do. You can use a self-signed certificate which you can make free of charge and it will provide encrypted communication between your server and a client.

The problem is that since it lacks any authentication, an attacker could simply make their own certificate and claim to be the server you want to connect to. Your browser wouldn't know the difference and would connect to the attacker with an encrypted connection and the attacker could then attach to the real server and monitor all your communication.

To avoid this problem, SSL certificates also need to provide authentication, and that means that someone has to verify domain ownership and identity information. The policies have to be administered and systems have to be run to handle dealing with lost keys. Relationships also have to be built with browser makers to get the root keys for the certificate authorities into the applications. This all has costs, and so those costs are passed on to those who buy SSL certificates from a Certificate Authority.

In exchange for that cost, the CA verifies the identity of the organization and domain that they are issuing the certificate to. Now back in our original case, the attacker may be able to get between the client and the server, but they can't get the client to connect to their SSL certificate since it isn't trusted and if the client connects with the real SSL certificate, then the encryption kicks in blocking the attacker from being able to monitor what is happening.

More recently, the service Let's Encrypt has appeared and offers a limited selection of free certificates. They are able to do this for three main reasons:

First, they have generous sponsors who support their operating costs. Lack of encryption and trust on the internet has become a growing problem in recent years as attackers have grown increasingly capable. This need, and the cost of dealing with the lack of trust on the internet, has led to Let's Encrypt being able to get funding.

Second, they offer an extremely limited portfolio of certificate options. They lack the facilities for handling EV certificates or even identity validation. They only offer domain validation and only offer extremely short validity periods due to the automated nature of their verification.

Third, they drastically limited their costs by cutting humans out of the equation. Rather than have conventional validation, Let's Encrypt works purely from automated domain level validation via the ACME protocol. This is good enough to establish a low level of trust that the domain server is being run by the same person that controls the domain name, but not good for anything else.

While it is a free option, unless you are certain of the identity of the website operator, it isn't nearly as good or as trustworthy as certificates available from paid CAs who do further identity verification prior to issuing certificates (though it's of equal value to domain validated certificates offered by other CAs, some of which also offer similar automated free or low cost options, though with even greater limitations on the certs offered).
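The chain-of-trust point made in this answer, as an added example that is not part of the original post: it builds a throwaway private CA (standing in for a browser's root store), a server certificate signed by that CA, and a self-signed certificate for the same hostname, then checks which of them a client trusting only that CA accepts. It assumes the `openssl` command-line tool is installed; the CA name and the hostname `www.example.com` are constructed for the example.

```shell
#!/bin/sh
# Added example: why "free" self-signed certs encrypt but do not authenticate.
set -eu

WORK="$(mktemp -d)"          # throwaway directory for keys and certs
NAME="www.example.com"       # constructed hostname, not a real deployment

# 1. A private CA: the role a browser's trusted root plays for real sites.
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -keyout "$WORK/ca.key" -out "$WORK/ca.pem" \
    -subj "/CN=Example Test CA" >/dev/null 2>&1
}

# 2. Server key + CSR, signed by the CA after "validation" (the paid-CA case).
make_signed_server_cert() {
  openssl req -newkey rsa:2048 -nodes \
    -keyout "$WORK/server.key" -out "$WORK/server.csr" \
    -subj "/CN=$NAME" >/dev/null 2>&1
  openssl x509 -req -in "$WORK/server.csr" -days 1 \
    -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" -CAcreateserial \
    -out "$WORK/server.pem" >/dev/null 2>&1
}

# 3. A self-signed cert claiming the same name: free, encrypts, but no one
#    the client trusts has vouched for it.
make_selfsigned_cert() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -keyout "$WORK/selfsigned.key" -out "$WORK/selfsigned.pem" \
    -subj "/CN=$NAME" >/dev/null 2>&1
}

# Returns 0 when the cert chains to the CA we trust, non-zero otherwise.
# This is the check a browser performs before showing the padlock.
verify_against_ca() {
  openssl verify -CAfile "$WORK/ca.pem" "$1" >/dev/null 2>&1
}

setup_all() { make_ca && make_signed_server_cert && make_selfsigned_cert; }

# Run as `sh example.sh run` to see both outcomes.
if [ "${1:-}" = "run" ]; then
  setup_all
  verify_against_ca "$WORK/server.pem" && echo "CA-signed cert: trusted"
  verify_against_ca "$WORK/selfsigned.pem" || echo "self-signed cert: rejected"
fi
```

Both certificates would happily negotiate an encrypted session; only the CA-signed one passes the trust check, which is exactly the gap the answer describes.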


If you generate your SSL Certificate by yourself, HTTPS/SSL will work, but a browser will issue a warning encouraging the user to not trust the site. There will be no way to tell if the website your visitors are accessing is really who it is. So you need authentication from a Root CA to avoid this problem. To get this authentication you need to pay.
But now things are changing. You can explore the Let's Encrypt project; its aim is to provide a free CA. It will generate legitimate certs that are trusted by a significant percentage of browsers.



You can certainly generate your own SSL certificate. Charges are not for the generation of them; rather the fee is for someone else to say they trust your certificate.

Presentation of a cert doesn't mean anything; it's the chain of trust associated with it that has meaning. You don't know me, and if I gave you a cert that said I'm Bob Smith of www.google.com, you would either trust me (fool!) or not. If I gave you a similar cert that carried the trust of, say, Verisign, and if you trust them, then you would extend that trust to me. Verisign isn't going to do that for free since they have administrative requirements before they'll trust me enough to relay that trust to you.