FREE SSL CERTIFICATE

You can get your SSL certificate in 5 minutes! Don't forget to test your webserver configuration, after you successfully installed your free certificate. Never give away your private key!!!

Step 1: Account Info

Let's Encrypt requires that you register an account email and public key before issuing a certificate. The email is so that they can contact you if needed, and the public key is so you can securely sign your requests to issue/revoke/renew your certificates. Keep your account private key secret! Anyone who has it can impersonate you when making requests to Let's Encrypt!

(how do I generate this?)

How to generate a new account keypair using openssl:

Generate an account private key if you don't have one:
(KEEP ACCOUNT.KEY SECRET!)
openssl genrsa 4096 > account.key
Print your public key:
openssl rsa -in account.key -pubout
Copy and paste the public key into the box below.

Account Public Key:

Step 2: Certificate Signing Request

This is the certificate signing request (CSR) that you send to Let's Encrypt in order to issue you a signed certificate. It contains the website domains you want to issue certs for and the public key of your TLS private key. Keep your TLS private key secret! Anyone who has it can man-in-the-middle your website!

(how do I generate this?)

How to generate a new Certificate Signing Request (CSR):

Generate a TLS private key if you don't have one:
(KEEP DOMAIN.KEY SECRET!)
openssl genrsa 4096 > domain.key

Generate a CSR for your the domains you want certs for:
(replace "foo.com" with your domain)
Linux:

#change "/etc/ssl/openssl.cnf" as needed:
#  Debian: /etc/ssl/openssl.cnf
#  RHEL and CentOS: /etc/pki/tls/openssl.cnf
#  Mac OSX: /System/Library/OpenSSL/openssl.cnf

openssl req -new -sha256 -key domain.key -subj "/" \
  -reqexts SAN -config <(cat /etc/ssl/openssl.cnf \
  <(printf "[SAN]\nsubjectAltName=DNS:foo.com,DNS:www.foo.com"))

Copy and paste the CSR into the box below.

Certificate Signing Request:

Step 3: Sign API Requests (waiting...)

Let's Encrypt requires that you sign all of your requests to them with your account private key. Below are the requests that you will need to sign. The commands to do this are generated below so you can copy-and-paste them into your terminal. Be sure to change the account private key location so it points to your real private key.

(how do I do this?)

How to generate the needed signatures:

Copy and paste each command below into your terminal (if your account private key isn't at "./account.key", change "./account.key" in the command to wherever it exists).
Copy and paste the hex encoded signature output from the command into the text field below that command.

Run these signature commands in your terminal:

Step 4: Verify Ownership (waiting...)

Let's Encrypt requires you prove you own the domains you have in your CSR. You can do this by serving a specific file at a specific url under your domains. Below are the files you need to serve along with some copy-and-paste commands you can run on your website to start serving the file. Once you are serving the file on your website, click "I'm now running this on...". After that, you need to tell Let's Encrypt to check the above files to verify ownership of your domains. This request needs to be signed with your account private key. Below are the verification requests that you will need to sign. The commands to do this are generated below so you can copy-and-paste them into your terminal. Be sure to change the account private key location so it points to your real private key.

Domain: foobar.com

(how do I do this?)

How to generate the needed signatures:

Navigate in the terminal to the directory with account private key ("account.key" or whatever you named it).
Copy and paste each command below into your terminal (if your account private key isn't named "account.key", change "account.key" in the command to whatever you named it).
Copy and paste the hex encoded signature output from the command into the text field below that command.

Run this signature command in your terminal:

Option 1 - python server Option 2 - file-based

(how do I do this?)

How to serve the challenge response on your domain:

SSH into your domain as someone with sudo permissions:
ssh ubuntu@foobar.com
Stop any webserver running on port 80, if any. If you had previously been running another python command, you can kill it with Ctrl+C):
sudo service nginx stop <-- example for nginx
sudo apachectl -k graceful-stop <-- example for apache
Copy and paste the python command below into your terminal. This command starts a temporary webserver that serves nothing but the challenge response. You only need to keep this running briefly.
Open the link in a new window to make sure it's working:
Click "I'm now running this command..." button when the file is being served on your domain.

Run this command on foobar.com's server:

(how do I do this?)

How to host this file on your server:

SSH into your domain as someone with write access to your static web directory:
```
ssh ubuntu@foobar.com
```
Create the ".well-known/acme-challenge/" directory in your webserver's static file path:
```
mkdir -p /path/to/www/.well-known/acme-challenge/
```
Add the static folder to your webserver's config (if you haven't already):
```
server {...
```
Create the file with the necessary contents:
```
echo ...
```
Open the link in a new window to make sure it's working:
Click "I'm now serving this file..." button when the file is being served on your domain.

Under this url:

Serve this content:

Step 5: Install Certificate (waiting...)

Congratulations! Let's Encrypt has issued you a certificate for your domains! Below is the signed certificate you can use for your website.

(how do I install this?)

Nginx installation instructions:

Copy and paste both the below domain certificate and the below intermediate certificate into the same text file called "chained.pem".
If not done already, generate non-default dhparams.
openssl dhparam -out dhparam.pem 4096

Copy "chained.pem" and "dhparam.pem" to /etc/ssl/certs/.

scp chained.pem root@foo.com:/etc/ssl/certs/chained.pem
scp dhparam.pem root@foo.com:/etc/ssl/certs/dhparam.pem

Copy "domain.key" /etc/ssl/private/.
scp domain.key root@foo.com:/etc/ssl/private/domain.key

Update your webserver config to use https (examples below).

server {
    listen 443;
    server_name foo.com;
    ssl on;
    ssl_certificate /etc/ssl/certs/chained.pem;
    ssl_certificate_key /etc/ssl/private/domain.key;
    ssl_session_timeout 5m;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA;
    ssl_session_cache shared:SSL:50m;
    ssl_dhparam /etc/ssl/certs/dhparam.pem;
    ssl_prefer_server_ciphers on;

    location / {
        return 200 'Hello world!';
        add_header Content-Type text/plain;
    }
}

Apache installation instructions:

Copy and paste the below domain certificate into file "domain.crt".
Copy and paste the below intermediate certificate into file "intermediate.pem".

Copy "domain.crt" and "intermediate.pem" to /etc/ssl/certs/.

scp domain.crt root@foo.com:/etc/ssl/certs/domain.crt
scp intermediate.pem root@foo.com:/etc/ssl/certs/intermediate.pem

Copy "domain.key" /etc/ssl/private/.
scp domain.key root@foo.com:/etc/ssl/private/domain.key

Update your webserver config to use https (examples below).

<VirtualHost _default_:443>
        ServerName foo.com:443
        ServerAlias www.foo.com
        DocumentRoot /var/www/foo.com/html
        SSLEngine on
        SSLCertificateFile    /etc/ssl/certs/domain.crt
        SSLCertificateKeyFile /etc/ssl/private/domain.key
        SSLCertificateChainFile /etc/ssl/certs/intermediate.pem
        SSLProtocol all -SSLv2 -SSLv3
        SSLCipherSuite ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA;
        SSLHonorCipherOrder on
        <Directory /var/www/foo.com/html>
                Options Indexes FollowSymLinks MultiViews
                AllowOverride All
                Order allow,deny
                allow from all
        </Directory>
</VirtualHost>

Signed Certificate:

Intermediate Certificate:

FREE SSL Certificate in 5 minutes

ERROR: Your browser is not compatible with this website (this website needs WebCryptoAPI's crypto.subtle.digest()). Please upgrade to a modern browser (Firefox, Chrome, Safari, IE 11+).

Step 1: Account Info

Step 2: Certificate Signing Request

Step 3: Sign API Requests (waiting...)

Step 4: Verify Ownership (waiting...)

Domain: foobar.com

Step 5: Install Certificate (waiting...)