As the use of HTTPS continues to increase across the Web, we need more support from the Certificate Authorities that issue the certificates to make it all work. I'm a huge fan of Let's Encrypt and what they're doing, but if we want to encrypt the entire Web, we can't rely on a single organisation to help us do that. That's why I'm happy to announce another free CA to help us get there!

Existing Options

Of course, Let's Encrypt is my primary recommendation when anyone asks me about a CA. They're free to use, simple and reliable. Something else I always tell everyone though, especially in our TLS/PKI Training, is that you should have a backup CA. Your certificate makes your website work, and if your certificate stops working, your website stops working! There are many reasons a certificate can stop working, with the usual one being expiration, but the fact remains that you need a new one. Now, if Let's Encrypt are having a bad day and you can't get a certificate from them for whatever reason, you have a problem. This is why a backup CA is so important; we must have other options.

I've previously spoken about two other CAs that offer free certificates via an ACME API, Buypass and ZeroSSL. You can see the blog posts about each of those two CAs linked there, but today I'm focusing on another option we now have.

We can now bring the total number of CAs that you can use quickly, easily and for free up to four! There are a couple of steps to set up an account on, so here's how.

First, register for a free account.

Next, you need to get your API credentials so your ACME client can talk to their API. You can get those here.

Now you can register your ACME client with the API. I'm using the client but the process will be similar no matter which client you choose to use. This is the first command to run to register an RSA account.

scott@Middle-Earth:~$ --register-account --server sslcom -m [email protected] --eab-kid 7a7xxxxxx7e1 --eab-hmac-key h
[Sat 14 Aug 10:29:57 UTC 2021] Create account key ok.
[Sat 14 Aug 10:29:58 UTC 2021] Registering account:
[Sat 14 Aug 10:30:01 UTC 2021] Registered
[Sat 14 Aug 10:30:01 UTC 2021] ACCOUNT_THUMBPRINT='fB-V5_I03s_SLVnsn_ldKxxxxxxxxxxxxxxxxxxxOnY'

Followed by the second command to register an ECC account.

scott@Middle-Earth:~$ --register-account --server sslcom -m [email protected] --eab-kid 7a7xxxxxx7e1 --eab-hmac-key hEAxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxGzs --ecc
[Sat 14 Aug 10:30:13 UTC 2021] Registering account:
[Sat 14 Aug 10:30:16 UTC 2021] Registered
[Sat 14 Aug 10:30:16 UTC 2021] ACCOUNT_THUMBPRINT='dghxxxxxxxxxxxxxxxxxxTlA__VN1xxxxxxxxxxxnPk'

You're now ready to go and issue some certificates!!

/home/scott/ --issue --dns dns_cf -d --force --keylength ec-256 --server sslcom

Issuer: SSL Intermediate CA ECC R2,O=SSL Corp,L=Houston,ST=Texas,C=US

One new certificate ready to go, and here's the CT log in to show it! This is super easy and only took me a matter of minutes to set up a new CA and get a certificate issued.

Randomising my CA

Just because I can and just because I'm interested, I figured I'd randomise the CA I'm using to be any one of the four that are now available to use for free via ACME. I have a little HP ProLiant server under my stairs that I use for various tasks and projects with one of them being to manage certificates for all of my internal devices. My certificate management is nothing fancy, I just have a few bash scripts running via cron that obtain new certificates and deploy them locally on the server or SCP them to where they need to be on my network devices like my UniFi Dream Machine Pro or my UniFi Protect NVR. I've now added a random selection for which CA will be used so from now on, Let's Encrypt won't be my exclusive CA!

set -e
SERVERS=("zerossl" "letsencrypt" "buypass" "sslcom")
/home/scott/ --issue --dns dns_cf -d --force --keylength ec-256 --server $(shuf -n1 -e "${SERVERS[@]}")
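The script above picks one CA and stops there, so a bad day at the chosen CA still leaves you without a certificate. Here is an added example (not the author's script) that combines the random choice with the backup-CA advice from earlier: it shuffles the same four CAs and tries each in turn until one issues. It assumes acme.sh is on PATH (or pointed to by ACME_SH) and that the dns_cf hook is already configured, as in the commands above.

```shell
#!/usr/bin/env bash
# Added example, not the author's script: pick a random ACME CA and fall
# back to the others if it fails to issue. Assumes acme.sh is on PATH (or
# set ACME_SH) and that the dns_cf hook is configured, as on the page.
set -eu

SERVERS="zerossl letsencrypt buypass sslcom"
ACME_SH="${ACME_SH:-acme.sh}"

# Print the given CA names in a random order, one per line.
shuffle_servers() {
  shuf -e "$@"
}

# Issue a certificate for one domain from one CA, with the same flags as the
# page's command. Kept as its own function so it can be swapped for a dry run.
issue_with_server() {
  server="$1"; domain="$2"
  "$ACME_SH" --issue --dns dns_cf -d "$domain" --force --keylength ec-256 --server "$server"
}

# Try the CAs in random order until one succeeds. Prints the CA that issued
# the certificate and returns 0, or returns 1 if every CA failed.
issue_with_fallback() {
  domain="$1"; shift
  for server in $(shuffle_servers "$@"); do
    if issue_with_server "$server" "$domain"; then
      echo "$server"
      return 0
    fi
    echo "issue via $server failed, trying the next CA" >&2
  done
  echo "all CAs failed for $domain" >&2
  return 1
}

# Usage: ./issue-random-ca.sh example.com
if [ $# -gt 0 ]; then
  issue_with_fallback "$1" $SERVERS
fi
```

Run it from cron in place of the single-CA command; the CA that actually issued is printed on stdout, which is handy to log so you can see how often the fallback kicks in.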

If you're using Certificate Authority Authorisation then don't forget to set the value to let them issue certificates for your domain, but other than that, it's easy!

Update: The CAA value for this CA is