Two older threads asked if it was secure to use it:
As general advice, it's better to generate your private key and CSR offline.
If you must generate it online, you have to trust the service.
I see some red flags about sslforfree:
- there is no information on the webpage about who is running that website, and the only contact link is an anonymous email (email@example.com)
- the whois is anonymized
- the commit that added it to the https://letsencrypt.org/docs/client-options/ webpage, https://github.com/letsencrypt/website/commit/8b2540bbdc04ee9f1503e31a3785d4e28f240616, doesn't seem to have been made by them, and the PR behind it is private or deleted: https://github.com/letsencrypt/website/pull/127
- the only clue I found was in https://news.ycombinator.com/item?id=10741148, where the user etrackr seems to be the author of that website
And, from a security point of view:
- HSTS: no HSTS (so no HSTS preload: https://hstspreload.org/?domain=sslforfree.com)
- Headers: no Content-Security-Policy, X-XSS-Protection or X-Content-Type-Options: https://observatory.mozilla.org/analyze/www.sslforfree.com / https://securityheaders.com/?followRedirects=on&hide=on&q=www.sslforfree.com
- Bad HTTPS configuration: https://www.ssllabs.com/ssltest/analyze?d=www.sslforfree.com
So I would not recommend that website to generate your private key.
Although it should be safe to use to generate a certificate if you already have a CSR (see #2).
Beware: that service may also ask for your FTP password.
For comparison, https://zerossl.com/free-ssl/#crt:
- Contact info is accessible: https://zerossl.com/about.html
- HSTS and preloaded: https://hstspreload.org/?domain=zerossl.com
- Most security headers (sadly, no CSP or SRI): https://observatory.mozilla.org/analyze/zerossl.com
- Robust HTTPS configuration: https://observatory.mozilla.org/analyze/zerossl.com#tab-third-party-tests
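As an added example (not part of the post above, and not code from either service), this is the offline workflow the post recommends: generate the private key and the CSR locally with the openssl CLI, then check the CSR before handing it to any web-based signing service. The domain name, the output directory and the P-256 key choice are illustrative assumptions; only `req.csr` is meant to leave the machine.

```shell
#!/bin/sh
# Added example (not from the forum post): generate the private key and the CSR
# offline with the openssl CLI, then check what you are about to paste into a
# web service before pasting it. Domain name, output directory and key type
# are illustrative assumptions.
set -eu

# make_key_and_csr DIR DOMAIN
#   Writes DIR/key.pem (mode 0600, never leaves this machine) and DIR/req.csr
#   (the only file a hosted CSR-signing service should ever see).
make_key_and_csr() {
  dir=$1; domain=$2
  mkdir -p "$dir"
  # ECDSA P-256 private key; the umask keeps the file readable only by its owner.
  (umask 077; openssl ecparam -name prime256v1 -genkey -noout -out "$dir/key.pem")
  # Request config: CN plus SANs for the bare and www names (no -addext, so it
  # also works on older OpenSSL/LibreSSL builds).
  cat > "$dir/req.cnf" <<EOF
[ req ]
prompt = no
distinguished_name = dn
req_extensions = ext
[ dn ]
CN = $domain
[ ext ]
subjectAltName = DNS:$domain, DNS:www.$domain
EOF
  openssl req -new -sha256 -key "$dir/key.pem" -config "$dir/req.cnf" -out "$dir/req.csr"
}

# verify_csr DIR DOMAIN
#   Returns 0 only if the CSR's self-signature verifies, its public key matches
#   DIR/key.pem, the SAN list contains DOMAIN, and the file carries no private key.
verify_csr() {
  dir=$1; domain=$2
  openssl req -in "$dir/req.csr" -noout -verify >/dev/null 2>&1 || return 1
  # The public key embedded in the CSR must be the one derived from our key.
  [ "$(openssl pkey -in "$dir/key.pem" -pubout 2>/dev/null)" = \
    "$(openssl req -in "$dir/req.csr" -noout -pubkey 2>/dev/null)" ] || return 1
  openssl req -in "$dir/req.csr" -noout -text | grep -q "DNS:$domain" || return 1
  # A CSR is public data; if this matched, you were about to paste your key.
  ! grep -q "PRIVATE KEY" "$dir/req.csr" || return 1
  return 0
}

# Usage: everything happens in a local directory; only req.csr gets uploaded.
out=$(mktemp -d)
make_key_and_csr "$out" example.test
if verify_csr "$out" example.test; then
  echo "CSR OK; upload only $out/req.csr and keep $out/key.pem local"
else
  echo "CSR check failed" >&2
  exit 1
fi
```

With this split, the online service only ever sees the CSR (public key, names and a signature over them), so even a service with the red flags listed above cannot recover the private key; the `verify_csr` checks are the ones worth running on any CSR before pasting it into a form, whichever tool produced it.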