Let’s Encrypt makes it possible for any website owner to painlessly obtain a free, valid SSL:

letsencrypt certonly --standalone -d example.com -d www.example.com

It’s relatively easy to understand how it works. The agent generates a key-pair, sends the public key to Let’s Encrypt CA and then proves it owns the private key. Let’s Encrypt CA then verifies the agent owns the domain by asking the agent to put specific content at a certain location.

Now the agent has an authorized key-pair. Requesting, renewing and revoking certificates are simple because Let’s Encrypt CA can use the key-pair as authentication.

The certificate is valid for 3 months so the website owner needs to renew it at least every 3 months.