Get HTTPS for free! Update: Added wildcard certificate support!

You can now get free https certificates (incuding wildcard certificates) from the non-profit certificate authority Let's Encrypt! This is a website that will take you through the manual steps to get your free https certificate so you can make your own website use https! This website is open source and NEVER asks for your private keys. Never trust a website that asks for your private keys!

NOTE: This website is for people who know how to generate certificate signing requests (CSRs)! If you're not familiar with how to do this, please use the official Let's Encrypt official client that can automatically issue and install https certificates for you. This website is designed for people who know what they are doing and just want to get their free https certificate.

If you need to renew a certificate, simply complete these steps below again.

Step 1: Account Info

Let's Encrypt requires that you register an account email and public key before issuing a certificate. The email is so that they can contact you if needed, and the public key is so you can securely sign your requests to issue/revoke/renew your certificates. Keep your account private key secret! Anyone who has it can impersonate you when making requests to Let's Encrypt!

Account Email:

(how do I generate this?)

How to generate a new account keypair using openssl:

Generate an account private key if you don't have one:
(KEEP ACCOUNT.KEY SECRET!)
openssl genrsa 4096 > account.key
Print your public key:
openssl rsa -in account.key -pubout
Copy and paste the public key into the box below.

Account Public Key:

Step 2: Certificate Signing Request

This is the certificate signing request (CSR) that you send to Let's Encrypt in order to issue you a signed certificate. It contains the website domains you want to issue certs for and the public key of your TLS private key. Keep your TLS private key secret! Anyone who has it can man-in-the-middle your website!

(how do I generate this?)

How to generate a new Certificate Signing Request (CSR):

Generate a TLS private key if you don't have one:
(KEEP DOMAIN.KEY SECRET!)
openssl genrsa 4096 > domain.key

Generate a CSR for your the domains you want certs for:
(replace "foo.com" with your domain)
Linux (***Use Bash***):

    #change "/etc/ssl/openssl.cnf" as needed:
    #  Debian: /etc/ssl/openssl.cnf
    #  RHEL and CentOS: /etc/pki/tls/openssl.cnf
    #  Mac OSX: /System/Library/OpenSSL/openssl.cnf

    openssl req -new -sha256 -key domain.key -subj "/" \
      -reqexts SAN -config <(cat /etc/ssl/openssl.cnf \
      <(printf "\n[SAN]\nsubjectAltName=DNS:foo.com,DNS:www.foo.com"))

Copy and paste the CSR into the box below.

Certificate Signing Request:

Step 3: Sign API Requests (waiting...)

Let's Encrypt requires that you sign all of your requests to them with your account private key. Below are the requests that you will need to sign. The commands to do this are generated below so you can copy-and-paste them into your terminal. Be sure to change the account private key location so it points to your real private key.

(how do I do this?)

This command asks to register your account key (or look it up if you have already registered) and accepts the terms and conditions for Let's Encrypt.

How to generate this signature:

Copy and paste the command below into your terminal (if your account private key isn't at "./account.key", change "./account.key" in the command to wherever it exists).
Copy and paste the hex encoded signature output from the command into the text field below that command.

Accept the Let's Encrypt terms and conditions:

(how do I do this?)

This command sets your account contact email to what you put in Step 1. If you had already set this email when you ran these commands previously, this command will simply set the same email again.

How to generate this signature:

Copy and paste the command below into your terminal (if your account private key isn't at "./account.key", change "./account.key" in the command to wherever it exists).
Copy and paste the hex encoded signature output from the command into the text field below that command.

Update your account email (foo@foo.com):

(how do I do this?)

This command creates an order for the domains you included in your certificate signing request (CSR) in Step 2.

How to generate this signature:

Copy and paste the command below into your terminal (if your account private key isn't at "./account.key", change "./account.key" in the command to wherever it exists).
Copy and paste the hex encoded signature output from the command into the text field below that command.

Create your certificate order:

Step 4: Verify Ownership (waiting...)

Step 5: Install Certificate (waiting...)

Congratulations! Let's Encrypt has issued you a certificate for your domains! Below is the signed certificate you can use for your website.

(how do I install this?)

Nginx installation instructions:

Copy and paste the below certificates (the text contains both your domain certificate and intermediate certificate) into a text file called "chained.pem".
If not done already, generate non-default dhparams.
openssl dhparam -out dhparam.pem 4096

Copy "chained.pem" and "dhparam.pem" to /etc/ssl/certs/.

scp chained.pem root@foo.com:/etc/ssl/certs/chained.pem
scp dhparam.pem root@foo.com:/etc/ssl/certs/dhparam.pem

Copy "domain.key" /etc/ssl/private/.
scp domain.key root@foo.com:/etc/ssl/private/domain.key

Update your webserver config to use https (examples below).

server {
    listen 443;
    server_name foo.com;
    ssl on;
    ssl_certificate /etc/ssl/certs/chained.pem;
    ssl_certificate_key /etc/ssl/private/domain.key;
    ssl_session_timeout 5m;
    ssl_protocols TLSv1.2;
    ssl_ciphers ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
    ssl_session_cache shared:SSL:50m;
    ssl_dhparam /etc/ssl/certs/dhparam.pem;
    ssl_prefer_server_ciphers on;

    location / {
        return 200 'Hello world!';
        add_header Content-Type text/plain;
    }
}

Apache installation instructions:

Copy and paste the first certificate section (e.g. the first "-----BEGIN CERTIFICATE-----" section) into a text file named "domain.crt".
Copy and paste the second certificate section (e.g. the second "-----BEGIN CERTIFICATE-----" section) into a text file named "intermediate.pem".

Copy "domain.crt" and "intermediate.pem" to /etc/ssl/certs/.

scp domain.crt root@foo.com:/etc/ssl/certs/domain.crt
scp intermediate.pem root@foo.com:/etc/ssl/certs/intermediate.pem

Copy "domain.key" /etc/ssl/private/.
scp domain.key root@foo.com:/etc/ssl/private/domain.key

Update your webserver config to use https (examples below).

<VirtualHost _default_:443>
        ServerName foo.com:443
        ServerAlias www.foo.com
        DocumentRoot /var/www/foo.com/html
        SSLEngine on
        SSLCertificateFile    /etc/ssl/certs/domain.crt
        SSLCertificateKeyFile /etc/ssl/private/domain.key
        SSLCertificateChainFile /etc/ssl/certs/intermediate.pem
        SSLProtocol TLSv1.2
        SSLCipherSuite ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
        SSLHonorCipherOrder on
        <Directory /var/www/foo.com/html>
                Options Indexes FollowSymLinks MultiViews
                AllowOverride All
                Order allow,deny
                allow from all
        </Directory>
</VirtualHost>

Signed Certificate Chain:

Get HTTPS for free! Update: Added wildcard certificate support!

ERROR: Your browser is not compatible with this website (this website needs WebCryptoAPI's crypto.subtle.digest()). Please upgrade to a modern browser (Firefox, Chrome, Safari, Edge, IE 11+).

Step 1: Account Info

Step 2: Certificate Signing Request

Step 3: Sign API Requests (waiting...)

Step 4: Verify Ownership (waiting...)

Step 5: Install Certificate (waiting...)