>>Hi,
>>
>>I have been reading many pages about installing SSL certificate. A customer requested that I enabled SSL on my web application they use. My understanding, from reading all these pages, is that SSL certificate has to be PURCHASED; it is not just there on the web server to be enabled. Am I correct?
>
>Partly.
>
>There are 2 main types of SSL certs: trusted 3rd party, and self-signed. Some differences are explained at https://en.wikipedia.org/wiki/Self-signed_certificate .
>
>If your web server is IIS, it's probably running on Windows Server, which can (and does) generate (free) self-signed certs. You can assign one of them to a website. However, visitors to your site will get a security warning in their browser unless they manually install (and trust) the cert on their machines. This is enough of a support (and potential security) hassle that unless your site only has a handful of users who are knowledgeable, it's less expensive to get a trusted 3rd-party cert.
>
>The main advantage of trusted 3rd-party certs is that they're issued by trusted certificate authorities (CAs). These CAs are already trusted by major web browsers so if a cert is signed by one of these CAs it's automatically trusted by browsers, and users don't get any security warnings.
>
>It used to be that 3rd-party certs had to be purchased, and were not cheap. You can still purchase them from various CAs, and the prices have come down significantly in recent years. This is largely due to the presence in the market of Let's Encrypt (LE) https://letsencrypt.org/ , which is a free trusted 3rd party cert provider. LE is backed by some of the biggest names on the internet, they're for real and have issued millions of certs.
>
>Years ago, it was possible to purchase certs that were valid for up to 5 years (maybe more, that's the longest I remember encountering). For several reasons it's not ideal to have certs with validity terms that long. As of September 1, 2020 an SSL cert's maximum period of validity is 398 days. This will probably decrease in the future.
>
>LE is forward-looking; its certs, although free, are valid for only 90 days and they recommend renewing them every 60 days. This would be a maintenance nightmare except that LE certs are designed for automation. If a so-called ACME client is installed on a given web server, it can be scheduled to automatically renew LE certs every 60 days.
>
>In the Linux world this is mature and CertBot is a widely used ACME client. Windows support for ACME is not as broad but some clients do exist.
>
>If you're using a Windows server and you're not comfortable using LE and setting up an ACME client, you can purchase a low-cost cert from a CA. Years ago I used the likes of GoDaddy but these days they're very expensive for what they provide. The last couple of certs I've purchased have been from NameCheap, specifically https://www.namecheap.com/security/ssl-certificates/comodo/positivessl/ for single domains. These start at less than $10 per year.
>
>You can purchase a cert for a term up to 5 years, but be aware that once a year (recommended as it's a bit less than 398 days) you'll need to go through the cert generation and installation process. The CA won't charge you anything extra for cert renewals during the term you purchase.

Al,
Thank you very much for this message. I will save it!