Cheapest way to get rid of "This site is insecure" HTTPS message

Can you recommend a good, cheap certificate authority?

Most of our customers tend to use GoDaddy for the certificates. I'm not 100% sure if it's the cheapest but it's definitely the most widely used (for us).

Do I need to complete all of those steps above?

Yep.

After you get your certificate, just open a ticket and we'll do the rest.

I realize this is a four-year-old thread, but it's still relevant… I was just searching for the same info. I managed to find an AlphaSSL wildcard SSL certificate from a reseller called ssl2buy.com for US$42. Because of the price I was skeptical, but it has been installed on my WF account and is working fine across all the subdomains and in different browsers (Chrome, Safari, Firefox, Opera). So that's how I got around the browser warning problem. I have no connection to ssl2buy.com or AlphaSSL.

(And you no longer need a dedicated IP address for this.)

Two certificate authorities, StartSSL and WoSign, offer domain-validated TLS certificates without charge to individuals. My own site on WebFaction has a StartSSL certificate. Some other CAs, including GlobalSign and GoDaddy, offer certificates without charge to open-source projects.

The general process is as follows:

1. Make a 2048-bit RSA private key using a tool such as OpenSSL.
2. Generate a CSR (certificate signing request) which contains the corresponding public key.
3. Give that to the CA.
4. Verify control of the domain. (Some CAs, such as StartSSL, may place this step before step 3.)
5. Download the certificate.
6. Open a support ticket with WebFaction to get it installed.
7. Repeat the process a year later.

There's also Let's Encrypt, an automated way to obtain and renew domain-validated TLS certificates which any server administrator can install but which WebFaction has not yet decided to implement.