EV SSL From Your .p12 Instant & Free

No more paying for expensive EV SSL certs. Your government-issued p12 and a free Let's Encrypt cert cryptographically prove which organization controls your domain.

Decentralized Trust

Simple, secure, and free organization validation using assets you already own.

Your Company
P12 Cert

Free Let's Encrypt DV Cert

Verifiably Owned
Domain

Leverage Your Official Identity

You already have a government-issued p12 from registering your company. We provide the tools to use it to secure your domain's identity, creating a direct cryptographic link.

How it Works

1Get a free DV cert (e.g. Let's Encrypt).

2Sign its key with your company p12.

3Host the resulting `sig.json` file.

Dramatically Cheaper

Why pay hundreds for an OV certificate when you can achieve a similar level of cryptographic proof for free?

Transparent & Verifiable

Our method is transparent. Any user or service can fetch your certificate and signature file to mathematically verify the link between your domain and your registered organization.

See It In Action

A simple process for site owners, and a transparent verification method for users.

One-Command Setup

Our command-line tool handles everything: finding your Let's Encrypt certificate, signing its public key with your company's p12, and creating the `sig.json` file for you.

# Run this on your server
$ 1cert-cli sign \
    --p12-path /path/to/your-company.p12 \
    --domain yoursite.com
    
✔ Successfully created .well-known/sig.json

Instant Visual Verification

When a visitor clicks a verification badge in your site's navigation or footer, a popup instantly queries our service to perform a live check, confirming your organization's identity in real-time.

Example Flow:

Visitor clicks the verification badge on your site.

Verified by 1cert

A verification window opens, showing the result:

Verification Successful

Domain: yoursite.com

Organization: Your Official Company Name, Inc.

The `sig.json` Explained

This simple, public file contains everything needed for verification. It's hosted at `/.well-known/sig.json` on your domain.

{
  
  // Public key from the government-issued p12
  "govPublicKey": "...",

  // The signature, proving the holder of the gov key
  // vouches for the domain key.
  "signature": "..." 
                                
 // Metadata like timestamps and other additional info
  "metadata": "...", 
                                
}

Frequently Asked Questions

No, not directly. This is the main trade-off. Browsers will show a standard padlock for a Domain Validated (DV) certificate. This method provides *verifiable proof* for users and automated services that choose to check, but it doesn't change the browser's native UI.

In many countries, when you register a business, you're issued a digital certificate (often a .p12 or .pfx file) that acts as your company's official digital identity. This is used for filing taxes, signing documents, etc. This is the key we help you leverage.

Anyone can write a name on a website. This method provides cryptographic proof that the legal entity holding the government certificate also controls the domain's encryption keys. It's a mathematical link that cannot be forged, not just a claim.

You simply re-run the `1cert-cli sign` command. Our tool can be integrated into your existing ACME client's (e.g., certbot's) renewal hooks to automate this process, ensuring your `sig.json` is always up to date.

The new owner will NOT be able to reuse the `sig.json` file you were using, even though it was public, because it binds to the public part of the DV SSL cert. Since his DV cert will be different, he will have to create a new `sig.json` for his domain with his p12, meaning he won't be able to impersonate your organization