Get HTTPS for free! Update: Added wildcard certificate support!

You can now get free https certificates (incuding wildcard certificates) from the non-profit certificate authority Let's Encrypt! This is a website that will take you through the manual steps to get your free https certificate so you can make your own website use https! This website is open source and NEVER asks for your private keys. Never trust a website that asks for your private keys!
NOTE: This website is for people who know how to generate certificate signing requests (CSRs)! If you're not familiar with how to do this, please use the official Let's Encrypt official client that can automatically issue and install https certificates for you. This website is designed for people who know what they are doing and just want to get their free https certificate.
If you need to renew a certificate, simply complete these steps below again.

Step 1: Account Info

Let's Encrypt requires that you register an account email and public key before issuing a certificate. The email is so that they can contact you if needed, and the public key is so you can securely sign your requests to issue/revoke/renew your certificates. Keep your account private key secret! Anyone who has it can impersonate you when making requests to Let's Encrypt!

How to generate a new account keypair using openssl:
  1. Generate an account private key if you don't have one:
    (KEEP ACCOUNT.KEY SECRET!)
    openssl genrsa 4096 > account.key
  2. Print your public key:
    openssl rsa -in account.key -pubout
  3. Copy and paste the public key into the box below.


Step 2: Certificate Signing Request

This is the certificate signing request (CSR) that you send to Let's Encrypt in order to issue you a signed certificate. It contains the website domains you want to issue certs for and the public key of your TLS private key. Keep your TLS private key secret! Anyone who has it can man-in-the-middle your website!
How to generate a new Certificate Signing Request (CSR):
  1. Generate a TLS private key if you don't have one:
    (KEEP DOMAIN.KEY SECRET!)
    openssl genrsa 4096 > domain.key
  2. Generate a CSR for your the domains you want certs for:
    (replace "foo.com" with your domain)
    Linux:
        #change "/etc/ssl/openssl.cnf" as needed:
        #  Debian: /etc/ssl/openssl.cnf
        #  RHEL and CentOS: /etc/pki/tls/openssl.cnf
        #  Mac OSX: /System/Library/OpenSSL/openssl.cnf
    
        openssl req -new -sha256 -key domain.key -subj "/" \
          -reqexts SAN -config <(cat /etc/ssl/openssl.cnf \
          <(printf "\n[SAN]\nsubjectAltName=DNS:foo.com,DNS:www.foo.com"))
        
  3. Copy and paste the CSR into the box below.


Step 3: Sign API Requests (waiting...)


Step 4: Verify Ownership (waiting...)


Step 5: Install Certificate (waiting...)