Get Free Let's Encrypt SSL Certificates!

ERROR: Oops, There seems to be an error with `WebCryptoAPI's crypto.subtle.digest())`. Please access this website over HTTPS or Please upgrade to a Modern Web Browser.

This website will take you through Manual Steps so that you can get your own https certificates for your website.

NOTE: This website is designed for people who know what they are doing and just want to get their free https certificate. If you're not familiar with how to do this, please use the official Let's Encrypt official client that can automatically issue and install https certificates for you.

If you need to renew a certificate, simply complete these steps below again.

Step 1: Account Info

Let's Encrypt requires that you register an account email and public key before issuing a certificate. The email is so that they can contact you if needed, and the public key is so you can securely sign your requests to issue/revoke/renew your certificates. Keep your account private key secret! Anyone who has it can impersonate you when making requests to Let's Encrypt!

Account Email:

Need help generating this?

Here's how to generate a new account keypair using openssl. Paste these commands in your Terminal.

Generate an account private key if you don't have one:
(KEEP ACCOUNT.KEY SECRET!)
openssl genrsa 4096 > account.key
Print your public key:
openssl rsa -in account.key -pubout
Copy and paste the public key into the box below.

Account Public Key:

Step 2: Certificate Signing Request

This is the certificate signing request (CSR) that you send to Let's Encrypt in order to issue you a signed certificate. It contains the website domains you want to issue certs for and the public key of your TLS private key. Keep your TLS private key secret! Anyone who has it can man-in-the-middle your website!

(how do I generate this?)

How to generate a new Certificate Signing Request (CSR):

Generate a TLS private key if you don't have one:
(KEEP DOMAIN.KEY SECRET!)
openssl genrsa 4096 > domain.key

Use your Hosting Control Panel to Generate CSR

Generate a CSR for your the domains you want certs for:
(replace "foo.com" with your domain)
Linux:

    #change "/etc/ssl/openssl.cnf" as needed:
    #  Debian: /etc/ssl/openssl.cnf
    #  RHEL and CentOS: /etc/pki/tls/openssl.cnf
    #  Mac OSX: /System/Library/OpenSSL/openssl.cnf

    openssl req -new -sha256 -key domain.key -subj "/" \
      -reqexts SAN -config <(cat /etc/ssl/openssl.cnf \
      <(printf "\n[SAN]\nsubjectAltName=DNS:foo.com,DNS:www.foo.com"))

Copy and paste the CSR into the box below.

Certificate Signing Request:

Step 3: Sign API Requests (waiting...to complete previous step.)

Let's Encrypt requires that you sign all of your requests to them with your account private key. Below are the requests that you will need to sign. The commands to do this are generated below so you can copy-and-paste them into your terminal. Be sure to change the account private key location so it points to your real private key.

(how do I do this?)

This command asks to register your account key (or look it up if you have already registered) and accepts the terms and conditions for Let's Encrypt.

How to generate this signature:

Copy and paste the command below into your terminal (if your account private key isn't at "./account.key", change "./account.key" in the command to wherever it exists).
Copy and paste the hex encoded signature output from the command into the text field below that command.

Use copy and paste command in Terminal to accept the Let's Encrypt terms and conditions:

(how do I do this?)

This command sets your account contact email to what you put in Step 1. If you had already set this email when you ran these commands previously, this command will simply set the same email again.

How to generate this signature:

Copy and paste the command below into your terminal (if your account private key isn't at "./account.key", change "./account.key" in the command to wherever it exists).
Copy and paste the hex encoded signature output from the command into the text field below that command.

Update your account email (foo@foo.com):

(how do I do this?)

This command creates an order for the domains you included in your certificate signing request (CSR) in Step 2.

How to generate this signature:

Copy and paste the command below into your terminal (if your account private key isn't at "./account.key", change "./account.key" in the command to wherever it exists).
Copy and paste the hex encoded signature output from the command into the text field below that command.

Create your certificate order:

Step 4: Verify Ownership (waiting...to complete previous step.)

Step 5: Install Certificate (waiting...to complete previous step.)

Congratulations! Let's Encrypt has issued you a certificate for your domains! Below is the signed certificate you can use for your website. Please Note: The first certificate is your domain certificate and Second Certificate is your Certificate Chain.

(how do I install this?)

Nginx installation instructions:

Copy and paste the below certificates (the text contains both your domain certificate and intermediate certificate) into a text file called "chained.pem".
If not done already, generate non-default dhparams.
openssl dhparam -out dhparam.pem 4096

Copy "chained.pem" and "dhparam.pem" to /etc/ssl/certs/.

scp chained.pem root@foo.com:/etc/ssl/certs/chained.pem
scp dhparam.pem root@foo.com:/etc/ssl/certs/dhparam.pem

Copy "domain.key" /etc/ssl/private/.
scp domain.key root@foo.com:/etc/ssl/private/domain.key

Update your webserver config to use https (examples below).

server {
    listen 443;
    server_name foo.com;
    ssl on;
    ssl_certificate /etc/ssl/certs/chained.pem;
    ssl_certificate_key /etc/ssl/private/domain.key;
    ssl_session_timeout 5m;
    ssl_protocols TLSv1.2;
    ssl_ciphers ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
    ssl_session_cache shared:SSL:50m;
    ssl_dhparam /etc/ssl/certs/dhparam.pem;
    ssl_prefer_server_ciphers on;

    location / {
        return 200 'Hello world!';
        add_header Content-Type text/plain;
    }
}

Apache installation instructions:

Copy and paste the first certificate section (e.g. the first "-----BEGIN CERTIFICATE-----" section) into a text file named "domain.crt".
Copy and paste the second certificate section (e.g. the second "-----BEGIN CERTIFICATE-----" section) into a text file named "intermediate.pem".

Copy "domain.crt" and "intermediate.pem" to /etc/ssl/certs/.

scp domain.crt root@foo.com:/etc/ssl/certs/domain.crt
scp intermediate.pem root@foo.com:/etc/ssl/certs/intermediate.pem

Copy "domain.key" /etc/ssl/private/.
scp domain.key root@foo.com:/etc/ssl/private/domain.key

Update your webserver config to use https (examples below).

<VirtualHost _default_:443>
        ServerName foo.com:443
        ServerAlias www.foo.com
        DocumentRoot /var/www/foo.com/html
        SSLEngine on
        SSLCertificateFile    /etc/ssl/certs/domain.crt
        SSLCertificateKeyFile /etc/ssl/private/domain.key
        SSLCertificateChainFile /etc/ssl/certs/intermediate.pem
        SSLProtocol TLSv1.2
        SSLCipherSuite ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
        SSLHonorCipherOrder on
        <Directory /var/www/foo.com/html>
                Options Indexes FollowSymLinks MultiViews
                AllowOverride All
                Order allow,deny
                allow from all
        </Directory>
</VirtualHost>

Signed Certificate Chain:

Get Free Let's Encrypt SSL Certificates!

ERROR: Oops, There seems to be an error with WebCryptoAPI's crypto.subtle.digest()). Please access this website over HTTPS or Please upgrade to a Modern Web Browser.

Step 1: Account Info

Step 2: Certificate Signing Request

Step 3: Sign API Requests (waiting...to complete previous step.)

Step 4: Verify Ownership (waiting...to complete previous step.)

Step 5: Install Certificate (waiting...to complete previous step.)

ERROR: Oops, There seems to be an error with `WebCryptoAPI's crypto.subtle.digest())`. Please access this website over HTTPS or Please upgrade to a Modern Web Browser.