Let's Encrypt® certificate
You can use Certificate Manager to create Let's Encrypt certificates. Request a certificate and pass the domain rights check. After that, Certificate Manager manages your certificates by interacting with Let's Encrypt on your behalf.
Let's Encrypt provides Domain Validation TLS certificates with a 90-day validity period. If you need Organization Validation or Extended Validation certificates, use a third-party certificate authority to get the certificate, and then upload it to Certificate Manager. For more information, see User certificate.
Get a certificate
Specify the list of domains you need to issue a certificate for.
Select the type of domain rights check:
When the request is created, the certificate status becomes
To issue a certificate, check the rights for the domains you specified in the previous step.
Depending on the type of check selected, put the file on the web server or add a TXT record with the desired value on the DNS. To learn more about the types of checks and ways to pass them, see Check rights for domain.
When the domain rights are checked, the certificate is issued and its status becomes Issued. You can use the certificate in services that are integrated with Certificate Manager.
If you fail to pass the domain rights check within a week, the certificate isn't issued and its status becomes
Renew a certificate
To renew a certificate, follow the steps below. Keep track of the lifecycle of your certificates to renew them on time.
Certificate Manager initiates the certificate renewal procedure 30 days before it expires.
After the renewal starts, the certificate status changes to
Check the rights for the domains.
Depending on the type of check you selected, update the file on the web server or update the TXT record on the DNS to the new value. For more information, see Check rights for domain.
After you check the rights for the domains, the certificate renews and its status becomes Issued. All the resources that use the certificate will get its new version.
The certificate isn't renewed if the domain rights check fails for at least one domain. The certificate status changes to Renewal_failed. However, the certificate stays valid until it expires.
Some time after the failed renewal, a new attempt is made to update the certificate.
To avoid issues accessing resources that use the certificate with the
- Before the certificate expires, create a new Let's Encrypt certificate.
- Check the rights for the domains.
- Use the new certificate in your resources.
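One way to keep track of the renewal lifecycle described above is to triage an exported certificate inventory against the 30-day renewal window and the Renewal_failed status. This is an added example, not Certificate Manager code: the record fields (name, status, not_after), the 14-day escalation threshold and the sample inventory are assumptions made for illustration.

```python
from datetime import datetime, timedelta, timezone

RENEWAL_LEAD = timedelta(days=30)  # from the page: renewal starts 30 days before expiry
ESCALATE_AT = timedelta(days=14)   # assumption: local threshold for manual replacement

def triage(cert, now):
    """Return (severity, action) for one certificate record."""
    remaining = cert["not_after"] - now
    status = cert["status"]
    if remaining <= timedelta(0):
        return "critical", "expired: issue a new certificate and attach it to resources"
    if status == "Renewal_failed":
        if remaining <= ESCALATE_AT:
            return "critical", "renewal failed and expiry is near: create a new certificate"
        return "warning", "renewal failed: fix the file or TXT record before the next attempt"
    if remaining > RENEWAL_LEAD:
        return "ok", "outside the renewal window"
    if status == "Issued":
        # A renewed certificate would carry a fresh expiry date, so this one was not renewed.
        return "warning", "inside the renewal window but renewal has not started"
    return "warning", "renewal in progress: pass the domain rights check"

def report(inventory, now):
    """Triage every record and list the most urgent certificates first."""
    order = {"critical": 0, "warning": 1, "ok": 2}
    rows = [(c["name"], *triage(c, now)) for c in inventory]
    return sorted(rows, key=lambda r: order[r[1]])

# Constructed sample inventory (names, dates and field names are illustrative).
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
INVENTORY = [
    {"name": "shop", "status": "Issued", "not_after": NOW + timedelta(days=75)},
    {"name": "api", "status": "Renewal_failed", "not_after": NOW + timedelta(days=21)},
    {"name": "mail", "status": "Renewal_failed", "not_after": NOW + timedelta(days=6)},
    {"name": "blog", "status": "Issued", "not_after": NOW + timedelta(days=10)},
]

if __name__ == "__main__":
    for name, severity, action in report(INVENTORY, NOW):
        print(f"{severity:8} {name:5} {action}")
```

Run it on a schedule and alert on any row that is not ok, so a failed domain rights check is noticed while the old certificate is still valid.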