Super Cheap SSL Certs for Your Home Lab or Small Business

I <3 They (and probably others) sell globally recognized $5.99 annual certs. Now, all of my lab stuff (Lync/RD Gateway/NetScaler/SSL VPN) is encrypted, and I no longer have to manually install my Domain CA’s root cert on my phones/other devices. They don’t have an affiliate program, so I’m not getting any money from this blog post. I just want to spread the joy.

Certs can be purchased using Visa or PayPal, and the whole process takes about 5 minutes. And now that you can verify your identity using email, gone are the days of faxing incorporation paperwork to Certificate Authorities. Even the Certificate Signing Request process has been simplified and can be completed online at or the open source

Now to get your own legitimate $5.99 SSL Cert in 12 steps.

Step 1

You can choose different vendors, but I always use Comodo because why not.


Step 2

Select one year (or more if you want), then Add to Cart.


Step 3

Fill in all of your billing info, then select Visa or PayPal. I went for PayPal and then clicked Place Your Order.


Step 4

Next, Complete Your Order.


Step 5

Almost done! Now your order moves to Incomplete Orders, because you still have to do a few more steps. Click Begin Now to start the process of generating your CSR, verifying your identity, then receiving the SSL certs via email.


Step 6

Next, you’ll be prompted to choose the method to verify your identity. I chose e-mail because the email address associated with my request is the admin email in my domain’s WHOIS. If you choose the File authentication method, you’ll just have to save the file to your domain’s webpage and then they verify it that way.


Step 7

You’ll also be prompted to specify the type of webserver you’re using, and finally you’ll be prompted to paste in your certificate signing request or CSR. You can generate your CSR however you like, be it via IIS, OpenSSL or using a webpage. I chose to do it via the web by clicking their link CSR Generatoring Tool which opens this webpage in a new tab.


Step 8

Once you click Generate Your CSR, you’ll be presented with the text output of your CSR and Private Key. Save each to a file. Certificates (.crt) are useless without their associated private key. Save the private key with a .key extension. Note that if you used IIS to generate your cert request, you don’t have to worry about this part. The private key is already stored in your certificate store.

Copy your CSR to clipboard, then click back on the previous tab you were on.


Step 9

Back to this tab. Paste your CSR, choose your web server, and then leave the default SHA-2 method. Hit Continue.


Step 10

Next you’ll be brought to a verification page. Verify your info, agree to the terms and conditions, then click Continue.

Step 11

Now check your email. If you chose to validate via email, you should receive a message from Comodo Security Services with the subject ORDER #nnnnn- Domain Control Validation for yourssldomain.tld. The email will provide a link and validation code. Follow the link, enter your validation code, then check your email again.

Step 12

Open the email with the subject ORDER #nnnnn- Your PositiveSSL Certificate for yourssldomain.tld. Download the zip, extract the contents, and enjoy securing your home lab or small business with your newly minted SSL cert for 6 silly dollars a year.


If you used the online CSR generator, remember when you saved your private key? You’ll need to combine the .crt (or .cer if you named it that) and the .key files into a .pfx file to make it usable. To do this, name the .key file with the same base name as your crt. This is important or it will not work. In the example below, your private key would be named cert.key.


Now open a command prompt, change to the directory that contains your .key and .crt, and enter the following:

    certutil -MergePFX cert.cer cert.pfx

Now your pfx can be imported to any Windows server.
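
Added example, not part of the original post: the key-handling parts of the procedure (Steps 7-8 and the PFX merge) done locally with OpenSSL, so the private key never passes through a web page, with a check that the certificate and key belong together before they are bundled. The host name, file names and password are constructed, and a self-signed certificate stands in for the one the CA issues.

```shell
#!/usr/bin/env bash
# Added example, not from the original post. Host name, file names and the
# PFX password are constructed; the self-signed cert stands in for the CA's.
set -eu

# Create BASE.key and BASE.csr for HOST on this machine, so the private key
# is never displayed by, or pasted into, a third-party web page.
make_csr() {  # usage: make_csr HOST BASE
  ( umask 077; openssl genrsa -out "$2.key" 2048 2>/dev/null )
  openssl req -new -sha256 -key "$2.key" -out "$2.csr" -subj "/CN=$1"
}

# Print the public key (PEM) held in a private key, CSR or certificate.
pubkey_of() {  # usage: pubkey_of key|csr|cert FILE
  case $1 in
    key)  openssl pkey -in "$2" -pubout ;;
    csr)  openssl req  -in "$2" -noout -pubkey ;;
    cert) openssl x509 -in "$2" -noout -pubkey ;;
    *)    return 2 ;;
  esac
}

# True when both files carry the same public key, i.e. they belong together.
same_key() {  # usage: same_key KIND1 FILE1 KIND2 FILE2
  [ "$(pubkey_of "$1" "$2")" = "$(pubkey_of "$3" "$4")" ]
}

# Bundle BASE.cer + BASE.key into BASE.pfx, refusing a mismatched pair.
# The password is read from $PFX_PASS rather than the command line.
make_pfx() {  # usage: make_pfx BASE
  same_key cert "$1.cer" key "$1.key" || { echo "cert/key mismatch" >&2; return 1; }
  openssl pkcs12 -export -in "$1.cer" -inkey "$1.key" -out "$1.pfx" -passout env:PFX_PASS
}

# --- demo in a scratch directory ---
cd "$(mktemp -d)"
export PFX_PASS='constructed-demo-password'
make_csr lab.example.test cert
# Stand-in for the certificate the CA mails back in Step 12 (self-signed here).
openssl x509 -req -in cert.csr -signkey cert.key -days 1 -out cert.cer 2>/dev/null
make_pfx cert
echo "cert.pfx written: $(openssl pkcs12 -in cert.pfx -passin env:PFX_PASS -nokeys 2>/dev/null | grep -c 'BEGIN CERTIFICATE') certificate(s)"
```

When the CA's zip also contains intermediate certificates, openssl pkcs12 -export accepts them through its -certfile option.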


Oh, and if you realize that you entered the wrong hostname, or if the hostname changes, you can regenerate your cert! Just click My Account -> Complete Orders, click on the order number -> scroll down and click Re-Issue Certificate. I’m assuming your old certificate will just be placed in the Certificate Revocation List.

Chrissy is a Cloud and Datacenter Management & Data Platform MVP who has worked in IT for over 20 years. She is the creator of the popular SQL PowerShell module dbatools, holds a master's degree in Systems Engineering and is coauthor of Learn dbatools in a Month of Lunches. Chrissy is certified in SQL Server, Linux, SharePoint and network security. You can follow her on Twitter at @cl.

12 comments on “Super Cheap SSL Certs for Your Home Lab or Small Business”
  1. josefismael says:

    Great deal for a single-cert, but my lab needs between 8-10 names – Sure wish I could get away with $6 annually :) I do see that SAN certs and wildcard certs are WAY cheaper through this site though. Great find!

    • Chrissy LeMaire says:

      I actually ended up getting the wildcard cert, because I also have a lot of services I want to support. I probably could have stuck with just one if I setup a NetScaler with Content Switching, but I like the idea of having a wildcard.

      I decided to do the NetScaler anyway, and will probably blog about it once I fully understand how it all works.

      Also, and I need to edit the post to reflect this, the cheaper certs are possible because of “Domain Validation”. DV, as opposed to Organization Validation, is considered a lesser validation, but I don’t really care because it’s all for a lab anyway. OV is the one that requires tons of paperwork, and a lengthy response time.

  2. Alen says:

    Hello Chrissy,

    Thank you very much for sharing.
    Can you please clarify, which services cannot work with wildcard and need individual, server certificate?

    I read, that some VPN (e.g. SSTP, IKE v2) require the server to have host certificate, not domain wide.
    You have a brilliant article about SSTP, did you use a wildcard cert for that setup?
    Please clarify.

    Also I saw some messages, where people describe that certificates from some vendors do not contain the whole trust chain, and while IIS works fine (because browsers recover trust chains automatically), VPN does not work. Does Comodo have such issue?

    Thanks in advance,

    • Chrissy LeMaire says:

      Hey Alen,
      The wildcard totally worked for me, as well as the Comodo cert. I can’t recall if I had to import the whole chain to the server, but I didn’t have to do it on the client for sure.


  3. Ed Hotin says:

    Hi Chrissy,

    I must have tried this step a dozen times. You’ll need to combine the .crt and the .key files into a .pfx file to make it usable. And I keep getting this argument:

    PS C:\edshomesite> certutil.exe -MergePFX edshome_site.cert.cer cert.pfx
    CertUtil: -MergePFX command FAILED: 0x80070002 (WIN32: 2)
    CertUtil: The system cannot find the file specified.

    What am I doing wrong?


    • Chrissy LeMaire says:

      hey Ed,
      You have to name them the exact same. So edshome.cer, edshome.key and edshome.pfx. I updated the post to emphasize this. It’s a limitation of the certutil unfortunately :|

  4. Douglas Cohn says:

    Hi Chrissy.

    Great article. I just got my cert file and I was wondering whether we need to import all the chains as well or is that not needed in RRAS certs?

  5. Douglas Cohn says:

    Does anyone know how you import the chain to the server without running IIS. In other words I am only using the for VPN. If the chains are needed do I do that through IIS?

    Also can you explain exactly what certificate I import to the client. Is it the same PFX file and just drop it in the same folder.

    SSTP I am using user logs so no certs are needed on the client side but MACs Unluckily use L2TP only now and must have either a cert or shared secret and I am unsure how to proceed.

    Would appreciate your ideas tremendously.


  6. Hi Chrissy,

    Great article. Generated the certificate on the website without a problem.

    I have a question. I exported the .crt file to a .cer file (Base-64 encoded X.509) in Windows. I then ran the certutil on it:

    Certutil.exe -MergePFX .\sbs_museum_org.cer .|sbs_museum_org.pfx

    And got the following error:
    Certutil: -MergePFX command FAILED: 0x8007000d (WIN32: 13)
    Certutil: The data is invalid.

    I have done quite a bit of searching and have not found much on the subject.

    Doug, did you find a solution to your problem?



    • Eric G. says:

      Hi Larry,
      please verify your command, I believe you put a “|” instead of a “\”.

      BTW I have the same error as you do… ERROR (WIN32: 13)


    • Jun says:

      Hi Larry,
      did you get it resolved? I got the exact problem and I am sure I didn’t use the “|” as a “|”.


  7. David Campbell says:

    Hi Chrissy,
    Fantastically well done.
    Will a 4.99 certificate work for a Site to Site SSTP SSL VPN from a Router to a Windows Server 2012r2 behind a firewall? I have used Site to Site L2TP/IPsec for a decade and a half. This is a first time to set up a NMS and have to connect beyond the firewall. I am following your article that is also excellent called Setup an SSTP SSL VPN in Windows Server 2012 R2. Sorry to be a bother but appreciative of any insight.
