` reads). %> I don't want to learn what PKI, CA, ACME, EKU stand for, I only want a working certificate for my website | TLS Radar Skip to main content
guides 4 min read By TLS Radar Team

I don't want to learn what PKI, CA, ACME, EKU stand for, I only want a working certificate for my website

Nobody starts a company because they love certificates. You wanted to ship a product. Instead you are three tabs deep in forum arguments about PKI, ACME, EKUs, and a dozen other initials, just to make the little padlock show up in the browser.

This piece is written for you - the person who just wants a working certificate and to get back to building. No background required. In fact, here is the first thing worth saying out loud.

You can safely ignore the acronyms

Search for "how to get an SSL certificate" and you will drown in initials: PKI, CA, ACME, CSR, EKU, BR, OCSP, CT. People argue about them as if your website depends on you learning each one. It does not. Those are the plumbing. You need water from the tap, not a diploma in pipes.

Here is the entire mental model you need: a certificate is a short-lived pass that tells browsers "this really is your website, and the connection is private." It is issued for a limited time, and then it has to be replaced. That is it. Everything else is detail that a good tool should handle so you never think about it.

Why this feels harder than it should

If getting and keeping a certificate feels like it keeps getting more annoying, you are not imagining it. The ground genuinely keeps shifting:

  • Certificates expire faster than they used to. Validity periods keep shrinking, so a "set it and forget it" certificate from last year now needs replacing several times a year.
  • Rules change without asking you. Browser and industry requirements get updated on their own schedule. A certificate that was fine yesterday can be treated differently tomorrow.
  • Certificates can be pulled early. Occasionally a certificate authority has to cancel and reissue certificates, sometimes at short notice, and yours can be caught up in it through no fault of your own.
  • When it breaks, it breaks in public. An expired or broken certificate does not fail quietly on your laptop. It fails on your customers' screens, at the worst possible moment, and you usually hear about it from them first.

None of this is your job to track. It is exactly the kind of thing that should run in the background so you can spend your attention on your actual product.

Get a working certificate, in plain language

You do not need a command line, an ACME client, or a config file full of settings you have to look up. There are two simple ways to get a free, real, publicly-trusted certificate that works in every major browser.

1. On the web: a guided flow, no account needed

TLS Radar's free certificate tool, Beacon, walks you through it step by step. You tell it the domain you own, it gives you one simple thing to add to prove the domain is yours, and it hands you back a free, working certificate. No account, no software to install, no acronyms. Most people are done in under ten minutes.

Need a working certificate right now?

Beacon issues free 90-day Let's Encrypt certificates with a guided DNS-validation flow. No account, no command-line tools, no ACME client to install - just a domain you control. Most people get a working certificate in under 10 minutes.

Get a free certificate from Beacon

2. Inside Claude: just ask for it

If you use Claude, you can add the TLS Radar plugin and ask for a certificate the way you would ask a colleague: "Issue a certificate for my domain." It handles the steps, tells you the one thing to add to prove you own the domain, and - if you are using it in Claude Code - keeps your private key on your own machine. You describe what you want in normal words; the tool does the certificate part.

Add the TLS Radar plugin for Claude and you can issue, renew, and monitor certificates without leaving your chat.

Getting the certificate is the easy part. Keeping it working is the rest.

Here is the trap nobody warns you about: the day you install a certificate, everything looks perfect. The problems show up later, quietly - a renewal that did not run, a change on your CDN or load balancer, a subdomain everyone forgot about, a certificate revoked early by its authority. Each one is invisible until a customer hits a warning.

That is the gap monitoring closes, and it is worth being picky about who does the watching. TLS Radar checks your certificates from the outside, the same way your visitors see them, and it is independent of whoever issued them - not tied to any one certificate provider, cloud, or vendor. So it reports every certificate the same way, has no product of its own to steer you toward, and covers certificates from any source. The promise is simple: the moment something appears on our radar - an approaching expiry, a broken chain, a weak setting, a revoked certificate - you hear about it from us, not from an angry customer.

Stop this from happening again

TLS Radar continuously monitors every certificate across your domains and alerts you weeks before anything expires, and also catches the silent failure modes (chain breaks, weak ciphers, hostname mismatches) that expiry-only monitoring misses. Built for solo developers monitoring a handful of sites and for enterprise teams managing thousands of certificates across multiple environments.

You keep your focus on your product. The certificate keeps working. And if it is ever about to stop, you get told first. Not sure where you stand right now? Scan your domain and see exactly what a browser sees - it takes a few seconds and needs no account.

Get the next post in your inbox

TLS monitoring tips and product updates. No spam, unsubscribe anytime.

Keep reading

Related guides

Comparing tools? See how TLS Radar stacks up against DigiCert and SSL.com.