Do I have to pay a web hosting company for an SSL certificate?

SSL certificates need to be installed in the server config, so for "typical web hosting" your hosting provider can easily restrict your ability to add your own certs (and even generating these without their support can be frustrating.)

You should ask your provider if they can enable a free LetsEncrypt cert for you (they can be free and there are standardised systems to automate this,) and if not shift to a provider that is not cynically trying to extort money for what is now considered a standard best practice.

Some hosting companies require that you pay them for their SSL certificates. It is not always possible to install a certificate from a third party.

That being said, such a host is rare. Most hosting companies use cPanel or WHM to manage sites which support importing any certificate you want. The majority of web hosting companies will automatically get free SSL certificates from LetsEncrypt for you and keep them updated every couple months.

If your web host doesn't offer free certificates or allow you to import a certificate you can:

• Complain to their customer support
• Write a bad review of their hosting services
• Move your website to hosting company that will allow you to import certificates

Depending on your use case, one quick way of making a site SSL enabled would be to put it behind Cloudflare and use one of their free certificates. If you can get your web host to install a certificate they also provide free origin certificates, but even if your webhost only supports their own certificates this set up would get you SSL between the browser and Cloudflare - which wouldn't be acceptable for anything requiring an "end-to-end" encrypted connection but might suit your use case.

Disclaimer - I have no affiliation with Cloudflare other than being a customer of theirs.