How to Get a Free SSL Certificate for Your Website

Having an SSL certificate is becoming important for gaining customers' trust. Trusted browsers like Google Chrome have already started to show Not Secure in the URL bar if the website does not have an SSL certificate installed on its server.

For websites that sell products and accept online payments from their customers, having an SSL certificate is mandatory to protect their e-commerce transaction data.

Getting an SSL certificate in the past used to cost money.
However, some providers now offer it free to make the internet a safe place.

Whether it is for a blog or a small business website, almost everyone wants to keep server and website costs low.

You get it free of cost. Why not use it and secure the data on your website to make the internet world safer for everyone?

How to get a free SSL certificate?

The answer is simple. There are multiple ways you can get a free SSL certificate in 2022.

We will take you through the step-by-step guide here to show you how you can get it and install it on your server.

Prerequisites

I usually write articles for Laravel developers on this blog. The Laravel framework requires a server that is easily accessible through an SSH connection.

I use Digital Ocean for almost all of my Laravel applications. So I highly recommend it to Laravel developers, as it is a pretty good host for the Laravel framework.

  • Have a VPS server like Digital Ocean, Linode, Vultr, etc.
  • I will use the Nginx server in this example.
  • A Cloudflare account setup.

So, if you already have a site and want an SSL certificate to be installed and configured, then you are at the right place here.

Step 1 - Generating an Origin CA TLS Certificate from Cloudflare

Cloudflare offers a free TLS certificate signed by them to install on your Nginx server.

The primary use of this TLS certificate is to establish a secure connection between your server and Cloudflare's servers.

Log in to your Cloudflare account in any secure web browser and select your domain. Then, navigate to the SSL/TLS section on the dashboard.

Right there, navigate to the Origin Server tab, and click on the Create Certificate button.

Keep the default option, Generate private key and CSR with Cloudflare, selected.

Now, click the Create button, and on the next page, you will see the Origin Certificate and Private key.

You need to copy the generated content of both and save it on your server.

For security reasons, the private key will not be shown again, so copy both the certificate and the key to your server and make sure you keep a backup before you click Ok.

We will use the /etc/ssl directory to keep the origin certificate and the private key files on the server.

The directory already exists on the server. Copy the content of the Origin Certificate and save it to /etc/ssl/cert.pem

sudo nano /etc/ssl/cert.pem


Similarly, save the private key.

sudo nano /etc/ssl/key.pem

Note: Be sure to avoid blank lines when copying the keys for the relevant certificates.
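
A check for the two files saved above, added here as an example and not part of the original article: it catches blank lines and damaged BEGIN/END markers, flags a private key that other local users can read, and confirms with openssl that the certificate and key belong together. The function names check_pem and pair_matches are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the original article): checks for the Step 1 files.
# check_pem and pair_matches are hypothetical helper names.

# check_pem FILE KIND (KIND is "cert" or "key"); returns non-zero on a finding.
check_pem() {
    file=$1 kind=$2
    [ -f "$file" ] || { echo "missing: $file"; return 1; }
    # A pasted PEM file must not contain blank lines.
    if grep -q '^[[:space:]]*$' "$file"; then
        echo "blank line in $file"; return 2
    fi
    case $kind in
        cert) want='CERTIFICATE' ;;
        key)  want='PRIVATE KEY' ;;
        *)    echo "unknown kind: $kind"; return 64 ;;
    esac
    # First and last lines must be the matching BEGIN/END markers.
    case $(head -n 1 "$file") in
        "-----BEGIN "*"$want-----") ;;
        *) echo "bad first line in $file"; return 3 ;;
    esac
    case $(tail -n 1 "$file") in
        "-----END "*"$want-----") ;;
        *) echo "bad last line in $file"; return 3 ;;
    esac
    # A file created with sudo nano normally gets mode 644 under the default umask.
    if [ "$kind" = key ]; then
        mode=$(ls -ld "$file" | cut -c5-10)   # group and other permission bits
        [ "$mode" = "------" ] || { echo "key readable beyond owner: $file (chmod 600)"; return 4; }
    fi
    return 0
}

# pair_matches CERT KEY: succeeds when both files carry the same public key.
pair_matches() {
    cert_pub=$(openssl x509 -in "$1" -pubkey -noout) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout) || return 1
    [ "$cert_pub" = "$key_pub" ]
}

# Runs only when two paths are passed: sudo sh check.sh /etc/ssl/cert.pem /etc/ssl/key.pem
if [ "$#" -eq 2 ]; then
    check_pem "$1" cert && check_pem "$2" key && pair_matches "$1" "$2" && echo "OK"
fi
```

If the key check reports return code 4, sudo chmod 600 /etc/ssl/key.pem restricts the file to root, which is sufficient because the Nginx master process reads the key as root.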

Now that you copied the key and certificate files to your server, you need to update the Nginx configuration to use them.

Step 2 - Pointing the Origin CA Certificate to Nginx

You need to update the Nginx configuration for your site to use the origin certificate and private key to secure the connection between Cloudflare’s servers and your server.

Next, you need to make sure UFW allows HTTPS traffic.

Enable the Nginx Full profile, which opens both port 80 (HTTP) and port 443 (HTTPS):

sudo ufw allow 'Nginx Full'


Now reload UFW:

sudo ufw reload


Now, check that the new rules are allowed and that UFW is active.

sudo ufw status

The output looks like below.

Output
Status: active

To                         Action      From
--                         ------      ----
OpenSSH                    ALLOW       Anywhere
Nginx Full                ALLOW       Anywhere
OpenSSH (v6)               ALLOW       Anywhere (v6)
Nginx Full (v6)           ALLOW       Anywhere (v6)


Now you are ready to adjust your Nginx server block. Nginx creates a default server block during installation. Remove it if it still exists, as you’ve already configured a custom server block for your domain.

sudo nano /etc/nginx/sites-available/site_domain

The basic configuration on the file should look like this.

server {
        listen 80;
        listen [::]:80;

        root /var/www/site_domain/html;
        index index.html index.htm index.nginx-debian.html;

        server_name site_domain www.site_domain;

        location / {
                try_files $uri $uri/ =404;
        }
}

Here, the job is to modify the Nginx configuration file so that it does the following:

  • Listen on port 80 and redirect all requests to use HTTPS.
  • Listen on port 443 and use the certificate files added in the previous step.

The modified file looks like this.

server {
    listen 80;
    listen [::]:80;
    server_name site_domain www.site_domain;
    return 302 https://$server_name$request_uri;
}

server {

    # SSL configuration

    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    ssl_certificate         /etc/ssl/cert.pem;
    ssl_certificate_key     /etc/ssl/key.pem;

    server_name site_domain www.site_domain;

    root /var/www/site_domain/html;
    index index.html index.htm index.nginx-debian.html;


    location / {
            try_files $uri $uri/ =404;
    }
}

Finally, save the file and exit from the edit mode.

Now, test the Nginx configuration syntax to avoid errors.

sudo nginx -t

If there are no syntax errors, restart Nginx to enable the changes on the server.

sudo systemctl restart nginx

Next, enable Full (strict) mode in the SSL/TLS section of the Cloudflare dashboard.

You will find it on the Overview tab under the SSL/TLS section of the dashboard.

By setting this up, Cloudflare always encrypts the connection between your server and their servers.

Finally, visit your website to validate the setup is working as intended.

The browser should report that the site is secure.

Step 3 - Set up Authenticated Origin Pulls

We need to set up Authenticated Origin Pulls so that the origin server can verify it is really talking to Cloudflare rather than to anyone else.

Here, the origin server validates the certificate presented by Cloudflare.

Download the Cloudflare certificate signed by a CA from Cloudflare’s documentation.

Save this certificate at the path /etc/ssl/cloudflare.crt, avoiding blank lines in the file.

Again, update your Nginx configuration to use TLS Authenticated Origin Pulls to validate the requests coming to the server.

Open the configuration file for your domain.

sudo nano /etc/nginx/sites-available/site_domain

Add the ssl_client_certificate and ssl_verify_client directives as shown below and save the file.

. . .

server {

    # SSL configuration

    ...
    
    ssl_client_certificate /etc/ssl/cloudflare.crt;
    ssl_verify_client on;

    . . .

Verify the Nginx configuration and restart the server to enable the changes.

sudo nginx -t

sudo systemctl restart nginx

Finally, go to the SSL/TLS section in the Cloudflare dashboard, open the Origin Server tab and toggle the Authenticated Origin Pulls option.

Visit your domain to validate your changes. To test them, toggle the Authenticated Origin Pulls option off and on in the Cloudflare dashboard.
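
To confirm the change from the configuration side, the following added example (not from the original article) lists each TLS server block in a site file and reports any that does not set both directives, including ssl_verify_client optional, which does not reject clients without a certificate. The name audit_aop is hypothetical, and the parser assumes one directive per line and does not follow include files.

```shell
#!/bin/sh
# Added example (not from the original article). audit_aop is a hypothetical name.
# audit_aop FILE: prints one line per TLS server block in an Nginx site file and
# returns 1 if any of them does not require a client certificate.
audit_aop() {
    awk '
    function report() {
        if (!tls) return                      # plain HTTP block: nothing to enforce
        ok = (ca != "" && verify == "on")     # "optional" still lets anyone in
        printf "%s: client_ca=%s verify=%s -> %s\n", name,
               (ca == "" ? "-" : ca), (verify == "" ? "off" : verify),
               (ok ? "OK" : "UNPROTECTED")
        if (!ok) bad = 1
    }
    function arg(s) { sub(/;$/, "", s); return s }

    { sub(/#.*/, "") }                        # strip comments
    /^[ \t]*server[ \t]*[{]/ {                # start of a server block
        in_srv = 1; depth = 1; tls = 0; ca = ""; verify = ""; name = "?"
        next
    }
    in_srv && $1 == "listen" {
        for (i = 2; i <= NF; i++) if (arg($i) == "ssl") tls = 1
    }
    in_srv && $1 == "server_name"            { name = arg($2) }
    in_srv && $1 == "ssl_client_certificate" { ca = arg($2) }
    in_srv && $1 == "ssl_verify_client"      { verify = arg($2) }
    in_srv {                                  # track nesting to find the block end
        depth += gsub(/[{]/, "{") - gsub(/[}]/, "}")
        if (depth <= 0) { report(); in_srv = 0 }
    }
    END { if (in_srv) report(); exit (bad ? 1 : 0) }
    ' "$1"
}
```

Call it as audit_aop /etc/nginx/sites-available/site_domain; every line ending in UNPROTECTED is a server block that still answers TLS clients other than Cloudflare.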

Conclusion

Thanks for reading up to the end. We hope this article helped secure another website on the internet.

Happy Coding!