Yandex Certificate Manager

A service for managing TLS certificates.

Convenient control
Create or import TLS certificates and keep track of their validity in the management console.
Let’s Encrypt® certificates
You can get and update Let’s Encrypt certificates automatically. To do this, you only need to confirm your domain rights.
Custom certificates
You can upload certificates provided by third-party certification authorities yourself and use them in Yandex.Cloud.
Integration with other services
Select certificates from Yandex Certificate Manager for Object Storage and provide access to your static websites via HTTPS.
Domains for Yandex API Gateway
Use domains with confirmed rights when accessing the API. In this case, a certificate linked to the domain is used to provide a TLS connection.
Continuous operation
After you upload and update certificates, they are updated on all resources at the same time.

Getting started

Create a Let’s Encrypt certificate and confirm your domain access rights. Once you do that, we’ll take care of certificate management.

Create certificate

Questions and answers

Which Let’s Encrypt certificates are available in Certificate Manager?

Let’s Encrypt provides Domain Validation TLS certificates with a 90-day validity period. If you need Organization Validation or Extended Validation certificates, use a third-party certification authority to get the certificate and then upload it to Certificate Manager.

How are domain rights verified?

Certificate Manager uses two types of verification: HTTP and DNS. When you create a certificate, you can choose either type of check.

Domain rights need to be verified only for Let’s Encrypt certificates. Certificate Manager doesn’t check domain rights for imported user certificates.

Why do I need a TLS certificate?

TLS (Transport Layer Security) is a security protocol that provides a secure connection between a web server (website) and browser. By installing a TLS certificate on your domain, you ensure encrypted data transfers via HTTPS.

When can a certificate be updated automatically?

Let’s Encrypt certificates are verified automatically if the following conditions are met:

  • A certificate is going through the renewal procedure and its status is Renewing. The certificate renewal procedure is initiated 30 days before it expires.
  • The certificate is used in the HTTPS configuration of a static website in Object Storage.
  • For each certificate domain, the following is configured:
      • An alias for the static website bucket where the certificate is used.
      • Or a redirect to the domain with the alias for the bucket.
  • The certificate is not a [Wildcard certificate](https://en.wikipedia.org/wiki/Wildcard_certificate): it doesn’t contain masks for subdomains.

Get started with Certificate Manager