No signup requiredRuns entirely in-browserWildcard-ready
Why use FreeSSL.cfd
A simpler way to request SSL certificates.
FreeSSL.cfd keeps the certificate workflow focused and easy to follow. Instead of burying the important steps, it walks you through provider selection, validation, and file download in one place.
Fast start
No local install step and no complicated onboarding before you can begin a certificate request.
Flexible validation
Use DNS or HTTP validation depending on your environment and complete certificate requests with a workflow built for live deployments.
Everything in one place
Download the certificate, private key, and recovery log together when the request is complete.
How it works
Request, validate, download.
Start the guided flow, enter your details, follow the validation instructions, and download your files when the certificate is issued.
Who it is for
Made for people who want less friction.
Whether you are securing one site or handling recurring renewals, the interface is built to make the ACME process easier to manage.
FAQ
Common questions
Do I need to create an account?
No. You can start the certificate request flow directly in the browser.
Does it support wildcard certificates?
Yes. Wildcard domains are supported through DNS validation.
What do I get at the end?
You can download the certificate, the private key, and a recovery log for future reuse.
Let's Encrypt:
请按照下面的操作步骤提示进行申请即可得到证书,证书有效期90天。Please follow the operation steps prompts below to apply, and you can get the certificate, which is valid for 90 days.
ZeroSSL:
此URL可能需要先根据下面的提示进行操作来消除跨域不能访问的问题。This URL may need to be operated according to the prompts below to eliminate the problem of cross-domain inaccessibility.申请证书前,你需要根据ZeroSSL的官方文档,先注册ZeroSSL账号并生成一个EAB凭据,每次申请证书时使用此EAB凭据,按照下面的操作步骤提示进行申请即可得到证书,证书有效期90天。Before applying for a certificate, you need to follow ZeroSSL's official documents, register a ZeroSSL account and generate an EAB credential, and use this EAB credential every time you apply for a certificate, follow the operation steps prompts below to apply, and you can get the certificate, which is valid for 90 days.
Google Trust Services:
此URL可能需要先根据下面的提示进行操作来消除跨域不能访问的问题。This URL may need to be operated according to the prompts below to eliminate the problem of cross-domain inaccessibility.申请证书前,你需要根据Google的官方文档,在Google Cloud中生成一个EAB凭据,每次申请证书时使用此EAB凭据,按照下面的操作步骤提示进行申请即可得到证书,证书有效期90天。Before applying for a certificate, you need to follow Google's official documents, generate an EAB credential in Google Cloud, and use this EAB credential every time you apply for a certificate, follow the operation steps prompts below to apply, and you can get the certificate, which is valid for 90 days.注意:因为同一个Google EAB凭据只能绑定到一个ACME账户(私钥),因此你在首次申请证书时,必须同时保存好在第二步操作中新创建的或手动填写的ACME账户私钥,下次申请证书时使用此EAB凭据必须和已保存的ACME账户私钥一起使用。Note: Because the same Google EAB credential can only be bound to one ACME account (Private key), when you apply for a certificate for the first time, you must also save the newly generated or manually filled ACME account private key in the second step, this EAB credential must be used together with the saved ACME account private key when applying for a certificate next time.
读取服务目录Read service directory
步骤二:证书配置Certificate Request
初始化中,请稍候...Preparing your certificate request...
提示:可拖拽上次保存的记录文件以自动填充。Drag a previously saved log file onto this page to restore a past request instantly.
*证书中要包含的域名:Domains to include
用逗号分隔多个域名。第一个域名会作为证书的通用名称。通配符域名需要DNS验证。Separate multiple domains with commas. Wildcards require DNS validation.
*证书的私钥:Private key:
生成或填写的私钥仅用于ACME接口签名,支持RSA(2048位+)、ECC(曲线)私钥;注意:证书私钥的类型决定了申请到的证书是RSA证书还是ECC(ECDSA)证书,RSA类型适用性更广也更常见;本客户端不会对此私钥进行保存或发送给其他任何人;证书签发后在部署到服务器时,需使用到此私钥;建议每次申请证书时均生成新的证书私钥。The generated or filled private key is only used for ACME interface signature, and supports RSA (2048-bit+) and ECC ( curve) private keys; Note: The type of certificate private key determines whether the applied certificate is an RSA certificate or a ECC(ECDSA) certificate, RSA type is more widely applicable and more common; this client will not save or send this private key to anyone else; this private key needs to be used when deploying to the server after the certificate is issued; it is recommended to generate a new certificate private key every time you apply for a certificate.
*ACME账户的私钥:Private key of ACME account:
生成或填写的私钥仅用于ACME接口签名,支持RSA(2048位+)、ECC(曲线)私钥;账户私钥类型对证书无影响;本客户端不会对此私钥进行保存或发送给其他任何人;一个私钥相当于一个账户,可用于吊销已签发的证书;建议每次申请证书时使用相同的一个私钥(这样短期内多次申请证书时,验证域名所有权的参数极有可能会保持相同),不过每次都生成一个新的私钥大部分情况下也不会有问题。The generated or filled private key is only used for ACME interface signature, and supports RSA (2048-bit+) and ECC ( curve) private keys; the account private key type has no effect on the certificate; this client will not save or send this private key to anyone else; A private key is equivalent to an account and can be used to revoke an issued certificate; it is recommended to use the same private key every time you apply for a certificate (in this way, the parameters used to verify the domain name ownership are likely to remain identical when multiple certificate applications are made in a short period of time); However, generating a new private key every time will not be a problem in most cases.注意:如果你选择的ACME服务(比如Google)要求提供EAB凭据并且限制了同一个EAB凭据只能绑定到一个ACME账户(私钥),那每次使用此EAB凭据时必须使用相同的一个私钥(首次时如果新创建了私钥,此新私钥需立即保存起来下次和此EAB凭据一起使用)。Note: If the ACME service you choose (such as Google) requires EAB credentials and limits the same EAB credentials to only one ACME account (private key), then you must use the same private key every time you use this EAB credential (if you generate a new private key for the first time, this new private key needs to be saved immediately and used with this EAB credential next time).
*ACME账户的联系邮箱:Contact email
此邮箱地址用于证书颁发机构给你发送邮件,比如:证书过期前的续期通知提醒。FreeSSL will send a reminder before your SSL certificate expires if you select that option in Step 3.
EAB凭据:EAB Credentials:
当前ACME服务要求提供外部账号绑定凭据(External Account Binding),比如ZeroSSL:你可以在ZeroSSL的管理控制台的 Developer 中获得此凭据,所以你需要先注册一个ZeroSSL的账号。The current ACME service requires external account binding credentials, such as ZeroSSL: You can obtain this credentials in the Developer of the ZeroSSL management console, so you need to register a ZeroSSL account first.
*EAB KID:
*HMAC KEY:
确定Continue
步骤三:验证域名所有权Domain Validation
等待中,请先完成第二步...Complete the request step above before starting validation.
请给每个域名选择一个你合适的验证方式(推荐采用DNS验证,比较简单和通用),然后根据显示的提示完成对应的配置操作。Choose a validation method for each domain, complete the required DNS or HTTP changes, and only start validation after every record is ready.
请每个域名选择好对应的验证方式,根据显示的提示进行对应的配置操作;必须所有域名配置完成后,再来点击下面的“开始验证”按钮进行验证,如果验证失败,需要返回第二步重新开始操作。Give DNS changes time to propagate before starting validation. If validation fails, return to the previous step and create a fresh request.
开始验证Start validation取消Cancel重试Retry
步骤四:下载保存证书PEM文件Download Files
等待中,请先完成第三步...Complete validation above before downloading your files.
*保存证书PEM文件:Certificate file
必须保存此文件,请点击下载按钮下载,或者将证书文本内容复制保存为文件(PEM纯文本格式);文件名后缀可改成 .crt 或 .cer,这样在Windows中能直接双击打开查看。本PEM格式文件已包含你的域名证书、和完整证书链,文本中第一个CERTIFICATE为你的域名证书,后面的为证书颁发机构的中间证书和根证书,如过有需要你可以自行拆分成多个.pem文件。Download this PEM bundle or paste it directly into your hosting or reverse proxy configuration.
下载保存Download
*保存证书私钥KEY文件:Private key
请点击下载按钮下载,或者将私钥文本内容复制保存为文件(PEM纯文本格式,.key后缀可自行修改成.pem)。如果第二步操作中你手动填写了证书私钥,此处的证书私钥和你填写的是完全一样的,可以不需要重复保存;如果你是新创建的证书私钥,则你必须下载保存此证书私钥文件。Keep this key secure. Download it now if a new key was generated during this request.
下载保存Download
*保存记录LOG文件:Recovery log
建议下载保存此文件,本记录文件包含了所有数据,包括:证书PEM文本、证书私钥PEM文本、账户私钥PEM文本、所有配置参数。下次你需要续签新证书时,可以将本记录文件直接拖拽进本页面,会自动填写所有参数。Save this file for future renewals. You can drag it back onto the page later to restore the request settings.
