Get HTTPS for free!

You can now get free https certificates from the non-profit certificate authority Let's Encrypt! This is a website that will take you through the manual steps to get your free https certificate so you can make your own website use https! NEVER asks for your private keys. Never trust a website that asks for your private keys!

NOTE: This website is for people who know how to generate certificate signing requests (CSRs)! If you're not familiar with how to do this, please use the official Let's Encrypt client that can automatically issue and install https certificates for you. This website is designed for people who know what they are doing and just want to get their free https certificate.

Step 1: Account Info

Let's Encrypt requires that you register an account email and public key before issuing a certificate. The email is so that they can contact you if needed, and the public key is so you can securely sign your requests to issue/revoke/renew your certificates. Keep your account private key secret! Anyone who has it can impersonate you when making requests to Let's Encrypt!

(how do I generate this?)

How to generate a new account keypair using openssl:

Generate an account private key if you don't have one:
(KEEP ACCOUNT.KEY SECRET!)
openssl genrsa 4096 > account.key
Print your public key:
openssl rsa -in account.key -pubout
Copy and paste the public key into the box below.

Account Public Key:

Step 2: Certificate Signing Request

This is the certificate signing request (CSR) that you send to Let's Encrypt in order to issue you a signed certificate. It contains the website domains you want to issue certs for and the public key of your TLS private key. Keep your TLS private key secret! Anyone who has it can man-in-the-middle your website!

(how do I generate this?)

How to generate a new Certificate Signing Request (CSR):

Generate a TLS private key if you don't have one:
(KEEP DOMAIN.KEY SECRET!)
openssl genrsa 4096 > domain.key

Generate a CSR for your the domains you want certs for:
(replace "foo.com" with your domain)
Linux:

#change "/etc/ssl/openssl.cnf" as needed:
#  Debian: /etc/ssl/openssl.cnf
#  RHEL and CentOS: /etc/pki/tls/openssl.cnf
#  Mac OSX: /System/Library/OpenSSL/openssl.cnf

openssl req -new -sha256 -key domain.key -subj "/" \
  -reqexts SAN -config <(cat /etc/ssl/openssl.cnf \
  <(printf "[SAN]\nsubjectAltName=DNS:foo.com,DNS:www.foo.com"))

Copy and paste the CSR into the box below.

Certificate Signing Request:

Step 3: Sign API Requests (waiting...)

Let's Encrypt requires that you sign all of your requests to them with your account private key. Below are the requests that you will need to sign. The commands to do this are generated below so you can copy-and-paste them into your terminal. Be sure to change the account private key location so it points to your real private key.

(how do I do this?)

How to generate the needed signatures:

Copy and paste each command below into your terminal (if your account private key isn't at "./account.key", change "./account.key" in the command to wherever it exists).
Copy and paste the hex encoded signature output from the command into the text field below that command.

Run these signature commands in your terminal:

Step 4: Verify Ownership (waiting...)

Let's Encrypt requires you prove you own the domains you have in your CSR. You can do this by serving a specific file at a specific url under your domains. Below are the files you need to serve along with some copy-and-paste commands you can run on your website to start serving the file. Once you are serving the file on your website, click "I'm now running this on...". After that, you need to tell Let's Encrypt to check the above files to verify ownership of your domains. This request needs to be signed with your account private key. Below are the verification requests that you will need to sign. The commands to do this are generated below so you can copy-and-paste them into your terminal. Be sure to change the account private key location so it points to your real private key.

Domain: foobar.com

(how do I do this?)

How to generate the needed signatures:

Navigate in the terminal to the directory with account private key ("account.key" or whatever you named it).
Copy and paste each command below into your terminal (if your account private key isn't named "account.key", change "account.key" in the command to whatever you named it).
Copy and paste the hex encoded signature output from the command into the text field below that command.

Run this signature command in your terminal:

Option 1 - python server Option 2 - file-based

(how do I do this?)

How to serve the challenge response on your domain:

SSH into your domain as someone with sudo permissions:
ssh ubuntu@foobar.com
Stop any webserver running on port 80, if any. If you had previously been running another python command, you can kill it with Ctrl+C):
sudo service nginx stop <-- example for nginx
sudo apachectl -k graceful-stop <-- example for apache
Copy and paste the python command below into your terminal. This command starts a temporary webserver that serves nothing but the challenge response. You only need to keep this running briefly.
Open the link in a new window to make sure it's working:
Click "I'm now running this command..." button when the file is being served on your domain.

Run this command on foobar.com's server:

(how do I do this?)

How to host this file on your server:

SSH into your domain as someone with write access to your static web directory:
```
ssh ubuntu@foobar.com
```
Create the ".well-known/acme-challenge/" directory in your webserver's static file path:
```
mkdir -p /path/to/www/.well-known/acme-challenge/
```
Add the static folder to your webserver's config (if you haven't already):
```
server {...
```
Create the file with the necessary contents:
```
echo ...
```
Open the link in a new window to make sure it's working:
Click "I'm now serving this file..." button when the file is being served on your domain.

Under this url:

Serve this content:

Step 5: Install Certificate (waiting...)

Congratulations! Let's Encrypt has issued you a certificate for your domains! Below is the signed certificate you can use for your website.

(how do I install this?)

Nginx installation instructions:

Copy and paste both the below domain certificate and the below intermediate certificate into the same text file called "chained.pem".
If not done already, generate non-default dhparams.
openssl dhparam -out dhparam.pem 4096

Copy "chained.pem" and "dhparam.pem" to /etc/ssl/certs/.

scp chained.pem root@foo.com:/etc/ssl/certs/chained.pem
scp dhparam.pem root@foo.com:/etc/ssl/certs/dhparam.pem

Copy "domain.key" /etc/ssl/private/.
scp domain.key root@foo.com:/etc/ssl/private/domain.key

Update your webserver config to use https (examples below).

server {
    listen 443;
    server_name foo.com;
    ssl on;
    ssl_certificate /etc/ssl/certs/chained.pem;
    ssl_certificate_key /etc/ssl/private/domain.key;
    ssl_session_timeout 5m;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA;
    ssl_session_cache shared:SSL:50m;
    ssl_dhparam /etc/ssl/certs/dhparam.pem;
    ssl_prefer_server_ciphers on;

    location / {
        return 200 'Hello world!';
        add_header Content-Type text/plain;
    }
}

Apache installation instructions:

Copy and paste the below domain certificate into file "domain.crt".
Copy and paste the below intermediate certificate into file "intermediate.pem".

Copy "domain.crt" and "intermediate.pem" to /etc/ssl/certs/.

scp domain.crt root@foo.com:/etc/ssl/certs/domain.crt
scp intermediate.pem root@foo.com:/etc/ssl/certs/intermediate.pem

Copy "domain.key" /etc/ssl/private/.
scp domain.key root@foo.com:/etc/ssl/private/domain.key

Update your webserver config to use https (examples below).

<VirtualHost _default_:443>
        ServerName foo.com:443
        ServerAlias www.foo.com
        DocumentRoot /var/www/foo.com/html
        SSLEngine on
        SSLCertificateFile    /etc/ssl/certs/domain.crt
        SSLCertificateKeyFile /etc/ssl/private/domain.key
        SSLCertificateChainFile /etc/ssl/certs/intermediate.pem
        SSLProtocol all -SSLv2 -SSLv3
        SSLCipherSuite ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA;
        SSLHonorCipherOrder on
        <Directory /var/www/foo.com/html>
                Options Indexes FollowSymLinks MultiViews
                AllowOverride All
                Order allow,deny
                allow from all
        </Directory>
</VirtualHost>

Signed Certificate:

Intermediate Certificate:

Get HTTPS for free!

ERROR: Your browser is not compatible with this website (this website needs WebCryptoAPI's crypto.subtle.digest()). Please upgrade to a modern browser (Firefox, Chrome, Safari, IE 11+).

Step 1: Account Info

Step 2: Certificate Signing Request

Step 3: Sign API Requests (waiting...)

Step 4: Verify Ownership (waiting...)

Domain: foobar.com

Step 5: Install Certificate (waiting...)