
How to Install a Free SSL on a Shared Web Host (Step-by-Step)

 

A few years ago, SSL certification was not as crucial as it is now, so many website owners overlooked it. Nowadays, however, not only is it an absolute necessity for search engine optimization, but most browsers will even display a warning page before allowing a user to access a website that does not have an SSL. If you are experiencing technical difficulties with your security layers, understanding why an SSL handshake fails can be the first step toward a solution.

The downside is that purchasing an SSL is quite expensive. Luckily, however, there are a few trusted SSLs out there that are free of charge. Today we will show you how to install a free SSL on your shared hosting service. But first, let us delve into what exactly an SSL is and why data encryption has become the backbone of modern web security.

SSL stands for Secure Sockets Layer and is the standard technology used for keeping an internet connection between a website and a user secure. It prevents cybercriminals from seeing or modifying any sensitive data sent between two systems. This is done using advanced encryption algorithms that scramble the data and make it unreadable while it is sent between the server and user. If you wish to learn more about SSL certification, check out this detailed blog. It is also important to understand the evolution of security protocols, such as TLS vs SSL, to ensure your server remains compliant with modern standards.

Having an SSL certificate is no longer optional; it is a core component of on-page SEO. Search engines like Google prioritize websites that provide a secure browsing experience for their users. Without it, your site may suffer in rankings and lose user trust immediately upon arrival.

To start with, you will need a Linux web hosting account with cPanel to install the certificate. If you are still in the early stages of setting up your online presence, you might want to read our guide on how to create a website to ensure your foundation is solid.

Let’s Encrypt is a free SSL certificate provider and verifier. It is becoming more and more popular among small website owners. Even NASA is using it for some of its smaller sites (i.e. 3000 different sites), so you are in safe hands using them. While free options are great for personal projects, larger businesses often prefer a wildcard SSL certificate to cover all subdomains under a single encryption layer.

| Feature | Advantages | Disadvantages |
|---|---|---|
| Cost | Free of charge | May require renewal every 90 days |
| Security Level | High encryption | Not suitable for EV certificates |
| Ease of Installation | Automated in many hosting panels | Sometimes needs manual setup |
| Browser Compatibility | Supported by all major browsers | Some older devices might not support |
| SEO Impact | Positive signal for rankings | Requires regular monitoring |

Step 1: Go to https://zerossl.com/free-ssl/#crt. ZeroSSL is a popular choice for those whose web hosting providers do not offer a native one-click Let's Encrypt button.

Step 2: Enter your email address (for renewal reminders). This is crucial because free certificates expire quickly.

Step 3: On the right-hand side, you have a field called “Domains”, add your domain to this. Include mydomain.com and www.mydomain.com. (Don’t include http:// or https://). If you haven't secured your name yet, you can buy a domain directly through our platform.

Step 4: Accept both terms via checkboxes at the bottom, then click “NEXT”.

Step 5: Once the CSR is generated (it might take a minute), download a copy. For a deeper dive, you can read our article on what is a Certificate Signing Request.

Step 6: Click “NEXT” again to generate the account key, then download a copy.

Step 7: Click “NEXT” to go to the Verification page.

Step 8: Download the verification text files. These files prove you own the domain.

Step 9: Head to your cPanel and click on File Manager and go to your root folder. (If you are doing this for an addon domain, then just go to the root of that domain. TIP: it is wherever your index.html or index.php for that domain is). This process is similar across most hosting control panels.

Step 10: Go to the webroot/.well-known directory, where webroot is the main directory with your website pages, and create a folder named 'acme-challenge' in .well-known.

Step 11: Upload the verification text files to the webroot/.well-known/acme-challenge/ directory.

Step 12: Click “NEXT” to reach the “Your Certificate is Ready!” page.

Step 13: Download backup copies of the two files.

Step 14: Go to cPanel, scroll down to SECURITY and click “SSL/TLS”. This area allows you to manage all aspects of your site's safety.

Step 15: Scroll down and click “Manage SSL sites”.

Step 16: Scroll down to “Install an SSL Website” and select the appropriate domain.

Step 17: Return to ZeroSSL, copy the top “Begin Certificate” and paste it into the Certificate: (CRT) field (first one).

Step 18: You just pasted TWO entries. Scroll to the bottom of what you pasted, select from the lowest “-----END CERTIFICATE-----” up to the lowest “-----BEGIN CERTIFICATE-----”, and paste that into the “CABUNDLE” field.

Step 19: Copy the Private Key from the 2nd ZeroSSL field and paste it in the middle “Private Key” field.

Step 20: Click the “Install Certificate” button at the bottom.
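Steps 17 to 19 are where most pasting mistakes happen, so here is an added example (not ZeroSSL's or cPanel's own code) that splits the two ZeroSSL text boxes into the three cPanel fields and rejects truncated blocks, a private key in the wrong box, and the typographic dashes that editors substitute for the five hyphens. The function names and the sample input are assumptions made for illustration.

```python
import re

# One complete PEM block: BEGIN line, base64 body, matching END line.
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z ]+)-----\s+[A-Za-z0-9+/=\s]+-----END \1-----")
SMART_DASHES = "\u2013\u2014\u2212"  # en dash, em dash, minus sign

# Constructed sample input: placeholder bodies, not real certificates or keys.
SAMPLE_CERTS = """-----BEGIN CERTIFICATE-----
RE9NQUlOQ0VSVA==
-----END CERTIFICATE-----

-----BEGIN CERTIFICATE-----
SVNTVUVSQ0VSVA==
-----END CERTIFICATE-----
"""
SAMPLE_KEY = """-----BEGIN PRIVATE KEY-----
UExBQ0VIT0xERVI=
-----END PRIVATE KEY-----
"""


def pem_blocks(text, label_suffix):
    """Return the complete PEM blocks in text whose label ends with label_suffix."""
    if any(ch in SMART_DASHES for ch in text):
        raise ValueError("typographic dashes in PEM markers: copy again as plain text")
    matches = list(PEM_BLOCK.finditer(text))
    if len(matches) != text.count("-----BEGIN ") or len(matches) != text.count("-----END "):
        raise ValueError("truncated or malformed PEM block")
    return [m.group(0) for m in matches if m.group(1).endswith(label_suffix)]


def cpanel_fields(cert_box, key_box):
    """Map the certificate box and the key box onto the three cPanel fields."""
    if pem_blocks(cert_box, "PRIVATE KEY"):
        raise ValueError("private key found in the certificate box")
    certs = pem_blocks(cert_box, "CERTIFICATE")  # a CSR label does not match
    keys = pem_blocks(key_box, "PRIVATE KEY")
    if len(certs) < 2:
        raise ValueError("expected the domain certificate followed by the CA certificate")
    if len(keys) != 1:
        raise ValueError("expected exactly one private key")
    # First entry is the domain certificate; what follows goes to CABUNDLE.
    return {"crt": certs[0], "cabundle": "\n".join(certs[1:]), "key": keys[0]}


if __name__ == "__main__":
    for field, value in cpanel_fields(SAMPLE_CERTS, SAMPLE_KEY).items():
        print(field, "->", len(value), "characters")
```
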

⚠️ Common Installation Mistakes to Avoid

  • Forgetting the WWW version: Always include both the root domain and the www version in your certificate request.
  • Hidden Folders: Ensure your File Manager shows hidden files so you can see the .well-known directory.
  • Expired Certificates: Mark your calendar! Free SSLs usually expire every 90 days, and failing to renew will trigger "Not Secure" warnings.
  • Incorrect File Path: Double-check that the acme-challenge folder is correctly placed in the .well-known directory.

The installation of the certificate is now complete. However, you will need to create a rule to redirect your site to https:// instead of http://. This is easily achieved by adding a bit of code into the .htaccess (Hypertext Access) file. If you are using a CMS, you might find our guide on WordPress default htaccess useful. Follow the simple steps outlined below:

Step 1: Go to cPanel and click on the file manager.

Step 2: In the root folder, create a new file called “.htaccess”. If you already have this file, edit it instead. To understand more about this file's power, check out what are htaccess files and their uses.

Step 3: Insert the following lines of code into the .htaccess file and save the changes. This is the standard method for a redirect from http to https.

RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

Step 4: Test whether it worked by typing http://mydomain.com. It should change to https://mydomain.com automatically. If it doesn't work, you might be facing an HTTPS not secure error, which often relates to mixed content.

Important Note: Remember to update the SSL certificate every 90 days. If you find manual updates too tedious, consider upgrading to a managed hosting plan where SSL management is handled automatically for you.

💡 Pro Tips for Web Security

  • Enable HSTS: Once your SSL is stable, consider enabling HTTP Strict Transport Security (HSTS) to force browsers to interact with your site only via HTTPS.
  • Check for Mixed Content: Use tools like "Why No Padlock" to ensure all images and scripts are loading over HTTPS.
  • Monitor Expiry: Use an external monitoring service to alert you 10 days before your certificate expires.
  • Backup: Always take a backup in WordPress or your respective CMS before editing the .htaccess file.
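The redirect test in Step 4, the 90-day renewal note and the HSTS and expiry tips above can be checked together from any machine with Python. This is an added example, not part of the original tutorial; the function names are assumptions, and `check_site` needs network access to the site being tested.

```python
import http.client
import re
import ssl
import sys
import time
from urllib.parse import urlsplit


def redirect_ok(status, location, host):
    """True if a plain-HTTP request was answered with a 301 to https:// on the same host."""
    target = urlsplit(location or "")
    return status == 301 and target.scheme == "https" and target.hostname == host.lower()


def hsts_max_age(header):
    """Seconds from a Strict-Transport-Security header value; 0 if missing or unparsable."""
    match = re.search(r"max-age\s*=\s*(\d+)", header or "", re.IGNORECASE)
    return int(match.group(1)) if match else 0


def days_left(not_after, now=None):
    """Whole days until notAfter, given in the format ssl.getpeercert() returns."""
    now = time.time() if now is None else now
    return int((ssl.cert_time_to_seconds(not_after) - now) // 86400)


def check_site(host, warn_days=10):
    """Live check (needs network access). Returns a list of findings, empty if all is well."""
    findings = []
    plain = http.client.HTTPConnection(host, timeout=10)
    plain.request("GET", "/")
    reply = plain.getresponse()
    if not redirect_ok(reply.status, reply.getheader("Location"), host):
        findings.append(f"http:// answered {reply.status} instead of a 301 to https://")
    plain.close()
    secure = http.client.HTTPSConnection(host, timeout=10, context=ssl.create_default_context())
    try:
        secure.request("GET", "/")  # the handshake verifies the chain and the host name
    except ssl.SSLCertVerificationError as err:
        return findings + [f"certificate not trusted: {err.verify_message}"]
    remaining = days_left(secure.sock.getpeercert()["notAfter"])
    if remaining <= warn_days:
        findings.append(f"certificate expires in {remaining} days")
    if hsts_max_age(secure.getresponse().getheader("Strict-Transport-Security")) == 0:
        findings.append("no HSTS header yet")
    secure.close()
    return findings


if __name__ == "__main__" and len(sys.argv) > 1:
    print(check_site(sys.argv[1]))  # pass your own domain as the first argument
```

A "certificate not trusted" finding right after installation usually points back to the CABUNDLE field in Step 18, since a missing intermediate certificate makes chain verification fail.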

Hopefully, now you have a better understanding of the concept of an SSL and why it's important to have one on your site. By following the simple steps outlined in this tutorial you should also now be able to install a free SSL on your website, even if it uses shared hosting. A secure site is the first step in how to secure a website properly.

If you run into any issues during the installation process or have any questions/suggestions, please leave them in the comment section below. Remember, web security is an ongoing journey, not a one-time task. Stay updated with our latest security tips to keep your data and your users safe.
