Trust of to generate private keys


Two older threads asked if it was secure to use it:

On both, the advice was to prefer (which doesn’t generate private keys) but without details.
One suggested (which also generates private keys)

As general advice, it’s better to generate your private key and CSR offline.

If you must generate it online you have to trust the service.

I see some red flags about sslforfree:

And, from a security point of view:

So I would not recommend that website to generate your private key.

Although it should be safe to use to generate a certificate if you already have a CSR (See #2)

Beware: that service may also ask for your FTP password:

Side note: Let’s Encrypt apparently decided to stop listing browser-based clients on :

To compare with :


This isn’t really safe either. Due to the fact that authorizations are re-usable (currently for 30 days), it opens the opportunity for to just silently* issue an identical certificate under an alternate private key. This is because they control the ACME account key at all times.

(* mitigated by CT logs but most users are not savvy to that)


Thanks for pointing that out, corrected!
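
The advice above to generate the private key and CSR offline, and the reply's point about a certificate being issued under a different key, shown as an added example that is not part of the original thread. It assumes OpenSSL 1.1.1 or later on the local machine; the function names and the `example.test` domain are hypothetical.

```shell
#!/bin/sh
# Added example, not from the thread. example.test is a placeholder domain.

# Base64 SHA-256 of the SubjectPublicKeyInfo; reads a PEM public key on stdin.
# Fails on empty input, so a missing file never compares equal to anything.
spki_pin() {
    pem=$(cat)
    [ -n "$pem" ] || return 1
    printf '%s\n' "$pem" | openssl pkey -pubin -outform DER |
        openssl dgst -sha256 -binary | openssl base64
}

key_pin()  { openssl pkey -in "$1" -pubout 2>/dev/null | spki_pin; }
csr_pin()  { openssl req -in "$1" -noout -pubkey 2>/dev/null | spki_pin; }
cert_pin() { openssl x509 -in "$1" -noout -pubkey 2>/dev/null | spki_pin; }

# make_key_and_csr DOMAIN OUTDIR
# Writes OUTDIR/DOMAIN.key (stays on this machine) and OUTDIR/DOMAIN.csr
# (the only file an online service needs).
make_key_and_csr() {
    domain=$1
    outdir=$2
    (
        umask 077   # key file readable by its owner only
        openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-256 \
            -out "$outdir/$domain.key" 2>/dev/null
    ) || return 1
    openssl req -new -key "$outdir/$domain.key" -subj "/CN=$domain" \
        -addext "subjectAltName=DNS:$domain" \
        -out "$outdir/$domain.csr" || return 1
    # The CSR must carry the public half of the key we just generated.
    k=$(key_pin "$outdir/$domain.key") &&
        c=$(csr_pin "$outdir/$domain.csr") && [ "$k" = "$c" ]
}

# cert_uses_my_key CERT KEY
# True only if CERT was issued for KEY. Run it on every certificate that shows
# up for your domain (for example one found through a CT log search).
cert_uses_my_key() {
    c=$(cert_pin "$1") && k=$(key_pin "$2") && [ "$c" = "$k" ]
}
```

Call `make_key_and_csr example.test .` and upload only the resulting `.csr` file; a certificate for your name that fails `cert_uses_my_key` was issued for a key you do not hold.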

