ZeroSSL – Affordable SSL Certificate Creation and Management (REST API Review)
ZeroSSL is for anyone who wants the fastest way to secure their site, server, or other platform without hassle or paying outrageous prices. A part of Apilayer’s robust cloud-based ecosystem, ZeroSSL is indefinitely scalable, capable of creating thousands of SSL certificates and processing millions of API requests per month with almost zero downtime.
When you sign up with ZeroSSL, you’ve got a wide range of pricing options to fit your needs, but there’s zero obligation walking in the door. In fact, if you’re a solo-preneur or just need basic SSL protection, you’ll be absolutely good to go with their Free tier, which offers 90-day certificates you can trust.
Whether you’re looking for a user-friendly web app interface to manage your certificates; you’re a developer looking to automate creation, validation, and renewals; or you’re just looking for a world-class support team to handle everything for you, ZeroSSL is well worth your consideration. Below, we take a look under the hood at what it’s like to use ZeroSSL, and how well it performs.
ZeroSSL features at a glance
As a product, ZeroSSL stands out along six primary axes:
- Fully-fledged SSL certificates, issued by a trusted certificate authority. Regardless of what type of site, server, or platform you run, there’s a compatible SSL certificate available for you. ZeroSSL is multi-domain friendly, and even supports wildcards for protecting subdomains. Both 90-day and 1-year certificates are available.
- Flexible validation, to ensure that absolutely everyone has access to SSL protection that works for their needs. This includes email, DNS, and HTTP file uploads.
- Easy installation, with broad programming language compatibility, an unnecessarily awesome Help Center chock-full of assistive resources, installation checks to really, actually ensure nothing went wrong, plus concierge onboarding for paying customers.
- A powerful web-based management console, from which you can manage all aspects of your various certificates. Here, you can easily set expiration reminders, view validation statuses, access the API documentation, or change your subscription. Moreover, you can create, validate, and install your certificates with just a few clicks.
- Constant SSL monitoring, which allows you to ensure your site or server is always protected. Automated health checks are run on each of your active SSL certificates to stress-test HTTP errors, general connection issues, timeouts, and more.
- ACME Automation, to make renewal as easy as possible. After all, continuity of service is vital for maintaining the trust of your own customer base; removing the possibility of human error from the process of recertification is thus invaluable. ZeroSSL has partnered with every major ACME integration, ensure that absolutely everyone can be catered to. Find their list of ACME partners and clients here.
Getting started with ZeroSSL
True to form for any Apilayer product, signing up with ZeroSSL is dead-simple and stress-free. Just navigate to their home page, and click Get Free SSL at the top-right corner of the page, then fill out your basic credentials. Once you’ve done this, you’re in!
By default, you’ll create your account under the Free plan, which offers fully functional 90-day certificates complete free of charge or obligation. They won’t even ask you to put a credit card on file “just in case” you forget to cancel a free trial or cave to high-pressure sales emails. Considering ZeroSSL’s offering is all about engendering consumer trust, it’s awesome that they practice what they preach through and through–you won’t find any predatory business tactics here.
Your ZeroSSL Dashboard
Whether you’re a front-end user or a developer using the API, your Dashboard will serve as your portal to everything you need to manage your SSL certificates. The first time you log on, you’ll be greeted with a friendly “Welcome to your dashboard” message, which directs your attention to the informative page below. Here you’ll find:
- Expiring Soon – Clicking this link allows you to easily see which certificates are due to expire soon. ZeroSSL also lets you create automatic alerts (which typically come after 60 days for your basic 90-day certificate) so that you never miss a renewal.
- Draft – Sometimes you need shelve the certificate you’re building to wait until a project starts. ZeroSSL allows you to save drafts for later, so that when your launch is approaching, your SSL certificate will be ready to hit the ground running with you.
- Issued – Your meat and potatoes, here you can view all of your currently active certificates. You’ll be visiting this page so frequently; it actually has its own sidebar item labelled “Certificates” underneath your main Dashboard link.
- Pending Validation – Regardless of which validation method you’ve used (email, DNS, or file upload; covered below), here you can see all certificates which are awaiting confirmation. Simple!
- Expired – Any certificates no longer in use appear here, rather than just disappearing.
Below this array of tabs, you’ll find three more options:
- Your Subscription – Upgrading or downgrading your account can be done at the click of a button, no questions asked. This is where you’ll manage which tier of service you wish to purchase from ZeroSSL. You also have a quick view of your quota for both 90-day and 1-year certificates.
- Create SSL Certificate – Ready to add powerful security to your next project? Click New Certificate to enter the creation wizard. We’ll cover this in greater depth in a moment
- Developer – If you’re looking to get your hands dirty configuring the integration of ZeroSSL’s API into your application, you can find their comprehensive Documentation Clicking on Developer Section simply brings you to a page where you can view and cycle your API key.
Help Center
Hiding in plain sight at the top-right of the page is an invaluable trove of information you can use to make certificate creation and management a breeze. Don’t confuse this section for the API documentation, which is full of technical data. Instead, the Help Center is full of well-illustrated, plain-language walkthroughs designed to teach you how to:
- Create new certificates
- Renew expiring certificates
- Cancel unneeded certificates
- Verify domains using one of three methods
- Download your existing certificates
What’s more, there are full write-ups on installing your certificate onto a dizzying array of platforms. These include Apache, AWS, BigCommerce, cPanel, App Engine, Heroku, NGINX, Plesk, Tomcat, Ubuntu, and WHM. We won’t cover these here, because frankly, we wouldn’t be able to do a better job than the expert service team at Apilayer. We consider the inclusion of this Help Center to be well above and beyond the call of duty, and we think you will appreciate it, too.
Partner Program
Ever been so wild about a product or service, you just had to share the news with a friend? Now you can channel that enthusiasm straight towards your bottom line with ZeroSSL’s generous affiliate program. Each referral you make that signs up earns you a 25% commission, which you can credit to your account to drop your own monthly costs. Even better: each monthly payment your referees make nets you an additional 25%, so you could potentially have access to the highest service tiers of ZeroSSL for nothing! Most customers will probably just ignore this section, but we recommend you at least keep it in mind next time you’re at a meetup.
Creating a new certificate
We’ve already shown you where you can access the certificate creation wizard, but for quick reference, the path is: Dashboard > New Certificate. Once you’re in, you’ll go through five easy steps to create your new SSL certificate.
- Domains – First, you’ll be prompted to define the type of domain(s) you’ll be certifying. You’ll see that wildcard certificates (for protecting all your subdomains) and multiple domains are gated off behind paid tiers, and thus labeled PRO. If you’re just dipping your toes in with a Free subscription, ignore these for now, and enter your domain name, then click the Next Step.
- Validity – Next, you’ll specify how long your certificate will be good for, and choose either 90 days or 1 year. Note once again that the year-long certificate is reserved for paying customers only.
- CSR & Contact – By default, Auto-Generate CSR is toggled on, which is a fancy way of saying that ZeroSSL will handle the credentialing for the Certificate Signing Request for you automatically. Toggle this option off to reveal the necessary fields including email address, organization name, department, city, state, and country; plus, an extra toggle that allows you to bypass the tedium of typing text into multiple fields and just paste it in.
- Finalize Your Order – Here we arrive at the final step, where you can choose which subscription tier your soon-to-be created SSL certificate will fit into. (If you’ve already got a subscription, you won’t have to make this decision each time, so don’t worry!)
Verifying domain ownership
With the creation wizard complete, you’ll need to prove that you actually own the domain you’re seeking to protect. There are three primary methods to do so:
- Email verification – The simplest, most universal method of verification. You’ll find a dropdown of possible admin emails to choose from, then just hit Next Step to send it out. But what if your email isn’t listed, or your platform doesn’t have the option of email verification? Read on…
- DNS via CNAME – You can create and use a CNAME record to handle SSL verification. Simply sign into your DNS provider to manage your records, then add the Name, Point To, and desired TTL information presented by ZeroSSL, then finalize with Next Step.
- HTTP(S) File Upload – If the above two options aren’t for you, ZeroSSL allows you to download the Auth File for your certificate directly. Simply upload it to your HTTP server into the provided directory, then double check that the upload succeeded. Hit Next Step when you’ve done this.
After choosing one of the above three methods, ZeroSSL will present an overview of your domain and chosen method, then politely await your verification. Once you’ve done your part, click Verify Domain to finalize the process. Then, you’ll be able to view your new SSL certificate under the aptly named Certificates menu in the left-hand sidebar. Simple!
The ZeroSSL API
In our opinion, APIs live and die in large part by their documentation, and ZeroSSL once again delivers in spades. The first page you land on gives you an overview on how to use your access key and make basic requests via the ZeroSSL API base URL, then introduces the 10 methods it supports:
- Create Certificate – Create a new certificate with a POST request to the certificates There are three supported request parameters where you specify one or more domains you want to protect, how long the certificate will be good for (90 days or 1 year), plus CSR value. If you need to create a CSR, ZeroSSL has provided a link to csrgenerator.com.
- Verify Domains – With this method, you can handle verification of your new certificate through any of ZeroSSL’s three (well, actually four) verification methods. Set the validation_method parameter to EMAIL, CNAME_CSR_HASH, HTTP_CSR_HASH, or HTTPS_CSR_HASH as desired. Succeed or fail, your response will look something like this to provide a wealth of metadata on the request:
{
"success": false,
"error": {
"code": 0,
"type": "domain_control_validation_failed",
"details": {
"domain.com": {
"domain.com": {
"cname_found": 0,
"record_correct": 0,
"target_host": "_2B449B729284AA7CB56014584F261FBF",
"target_record": "A1063BBA157D.686A709A3.4BAD7A.CA.COM",
"actual_record": ""
},
"www.domain.com": {
"cname_found": 0,
"record_correct": 0,
"target_host": "_2B449B729284AA7CB56014584F261FBF",
"target_record": "A1063BBA157D.686A709A3.4BAD7A.CA.COM",
"actual_record": ""
}
}
}
}
}
- Download Certificate (.zip) – Append the /download endpoint to your request URL to download your SSL certificate in a ZIP file.
- Download Certificate (inline) – Alternatively, you can request a certificate download as a JSON object using the /download and /return
- Get Certificate – This method makes an HTTP GET request to retrieve information on a certificate according to its certificate hash. Here’s an example ZeroSSL gives in their documentation of what that might look like:
{
"id": "a856a39a1c3ad0s8asa606g37667d221",
"type": "1",
"common_name": "domain.com",
"additional_domains": "www.domain.com",
"created": "2020-04-29 09:04:19",
"expires": "2020-07-28 00:00:00",
"status": "draft",
"validation_type": null,
"validation_emails": null,
"replacement_for": "",
"validation": {
"email_validation": {
"domain.com": [
"admin@domain.com",
"administrator@domain.com",
"hostmaster@domain.com",
"postmaster@domain.com",
"webmaster@domain.com"
]
},
"other_methods": {
"domain.com": {
"file_validation_url_http": "https://domain.com/.well-known/pki-validation/2449B.txt",
"file_validation_url_https": "https://domain.com/.well-known/pki-validation/2449B.txt",
"file_validation_content": [
"2B449B722B449B729394793947",
"comodoca.com",
"4bad7360c7076ba"
],
"cname_validation_p1": "2B449B7293947.domain.com",
"cname_validation_p2": "2B449B7293947.23DD7293947.11DD7293941.ca.com"
},
"www.domain.com": {
"file_validation_url_http": "https://www.domain.com/.well-known/pki-validation/2449B.txt",
"file_validation_url_https": "https://www.domain.com/.well-known/pki-validation/2449B.txt",
"file_validation_content": [
"2B449B722B449B729394793947",
"comodoca.com",
"4bad7360c7076ba"
],
"cname_validation_p1": "2B449B7293947.www.domain.com",
"cname_validation_p2": "2B449B7293947.23DD7293947.11DD7293941.ca.com"
}
}
}
}
- List Certificate – If you’ve got multiple certificates running and you want to see all or a selection of them, use this method. There are a variety of parameters to help you narrow down your query.
- Get Verification Status – While there are three verification methods available via ZeroSSL, this method only reports the status of email verification. Even still, it’s a useful reminder when you need to give the right person a nudge to check their email and complete the validation check.
- Resend Verification Email – Something go awry with an email verification? You can easily resend the verification email with this aptly named method. Upon completion, you’ll receive a simple success/fail message to help you narrow down where the problem might be.
- Cancel Certificate – Any certificates in the draft or pending_validation stage can be canceled by making a get request with the endpoints /certificates/{id}/cancel. Once completed, the ZeroSSL API will return a simple success/fail message to let you know where you stand.
- Delete Certificate – Canceling a certificate does just that; if you need it gone for good, make an HTTP DELETE request using /certificates/{id} as your endpoint. Once again, ZeroSSL has its API acknowledge completion of your request with a simple success/fail message.
In addition to the above methods, ZeroSSL’s API documentation includes a comprehensive archive of every error code its methods may return. We won’t go into depth here, as this page is purely referential, but it can be a vital troubleshooting tool when you need it.
How does it perform?
ZeroSSL’s niche of providing user-friendly SSL certification solutions at an affordable price might, at first glance, seem wide open to competition. However, Apilayer did a pretty great job at identifying a market niche. As such, ZeroSSL is easily best in the class it created.
Of course, being the only guy in the room isn’t enough; Apilayer has generously provisioned ZeroSSL with incredible cloud-based infrastructure, which allows it to scale to any customer need. While its API methods are all fairly lightweight, effective design ensures that your requests are handled almost instantly. What’s more, you can count on 99.9% uptime, so ZeroSSL is always at the ready to satisfy your requirements without a hiccup.
We’ve already touched up the user experience, but allow us to sing its praises here: ZeroSSL is far more generous than it has to be in terms of overall product design. It features an extensive API documentation, plus lushly illustrated how-to’s written in plain language on basically anything and everything you could want out of ZeroSSL’s web app, concierge service, or API.
What about compatibility? ZeroSSL certificates are supported by every web browser out there, and the vast majority of servers and platforms. Got a preferred programming language in which you’d like to handle your API integrations? ZeroSSL supports every relevant programming language, as well. Clearly, Apilayer wants you to use their product, and has gone to every length to ensure it is easy to do so.
So, does it all hold water? ZeroSSL’s 500,000+ customers certainly seem to think so! Their expansive list of clientele includes everyone from sole proprietors and startups to some of the world’s most recognizable enterprises, including:
- Slack
- Microsoft
- Lenovo
- Uber
- Okta
- Shopify
- SalesForce
We’ve said before that SSL certificates are all about trust, and it’s clear that ZeroSSL has established itself as a trusted industry brand. Moreover, ZeroSSL stands out as distinct against traditional certificate authorities such as Let’s Encryption due to its SSL management console, API, monitoring, and… well, just about every other reason besides (and in addition to) just issuing certificates!
What’s more, it exists alongside a plethora of other API micro-solutions which comprise Apilayer’s total product ecosystem, altogether serving millions of customers worldwide. If that’s not proof enough of a successful product, there’s not much more that will convince you besides simply trying it out for free!
Pricing
There are five tiers of service available to ZeroSSL customers, each available at a monthly subscription. (Alternatively, if you’d like to save 20%, you can sign up for yearly payments.) Here, we’ll briefly run down the various features included at each price point:
- Free – $0/month – This is the introductory tier, and it offers fully-fledged SSL certificates for virtually any basic application. Without paying a dime, you can net up to three 90-day certificates. You can make use of ZeroSSL’s myriad ACME partnerships to automate the recertification process completely free of charge, as well.
- Basic – $10/month – For a nominal monthly payment, you completely lift any restrictions on how many 90-day certificates you can create with ZeroSSL. What’s more, you get the added convenience of three 1-year certificates, plus multi-domain certificates. This is the tier where the REST API becomes fully accessible as well, along with Apilayer’s world-class technical support.
- Premium – $50 – ZeroSSL’s most popular tier enables up to ten 1-year certificates, multi-domain certificates, unlimited 90-day and a single 1-year wildcards for your subdomains, full API access and tech support, plus unlimited standard 90-day certificates. This is essentially the entire kitchen sink at an affordable price.
- Business – $100 – Billed as the “all-inclusive” package, there aren’t actually any features unique to this tier over the Premium tier. The difference is in quantity, so if you’re looking to aggressively scale, this is the package for you: infinite 90-day certificates, 25 1-year certificates, multi-domain support, up to three 1-year wildcards and unlimited 90-day wildcards, full API access and support.
- Enterprise – The largest tier just blows the roof right off, and allows you to get in touch with ZeroSSL sales to define your needs and customize solutions to meet them. Enterprise customers can make use of Apilayer’s considerable pool of engineering talent to create robust, automated solutions for any number and/or type of platform out there.
Verdict and parting words
At this point, it should be no secret that we’re enamored with ZeroSSL. There simply isn’t another easily accessible solution like it–with affordable prices, amazing support, robust infrastructure, a convenient web app and API, every ACME integration under the sun, and so much more. But most importantly, ZeroSSL is a certificate authority you can trust, and Apilayer has clearly made transparency a vital consideration.
Do we have any criticisms? Actually yes: their site links to a Github repo for a ZeroSSL certbot, but there doesn’t seem to be anything there. We’re assuming this is a placeholder for a future rollout, but honestly there’s so much else under the hood of ZeroSSL that this strangely visible omission is hardly a dealbreaker.
If you’re looking for an SSL certification solution that just works, ZeroSSL isn’t the only option out there. However, if you want an entire suite of features to ensure that your certificate renewals stay current and operational, you will be hard-pressed to find a product more thoroughly equipped to help you monitor and control the process than ZeroSSL.
In short, We give ZeroSSL the highest recommendation without question.
