Issue certificates via DNS-01 against Cloudflare, Route 53, DigitalOcean, or by adding TXT records yourself.
Used for renewal notices and important updates from Let's Encrypt.
Choose a DNS provider to continue.
Create at dash.cloudflare.com/profile/api-tokens with Zone : DNS : Edit for the relevant zones.
Create an IAM user (or use temporary keys) with the AmazonRoute53FullAccess policy or a tighter custom policy that grants route53:ListHostedZones, route53:GetChange, and route53:ChangeResourceRecordSets on the relevant hosted zone(s).
route53:ListHostedZones
route53:GetChange
route53:ChangeResourceRecordSets
Create at cloud.digitalocean.com/account/api/tokens with Read and Write scopes (domain resource).
No API key required. After you click Request certificate, the next page will show the TXT records to add at your registrar. Once they're in place, click Complete to finish issuance.
Use this when your certificate domain's DNS is at a registrar without an API (Hover, Network Solutions, etc) but you control a different zone at the provider above. For each requested domain D you must pre-create a CNAME at the registrar: _acme-challenge.D → _acme-challenge.D.<alias zone>. Leave blank for the normal flow.
D
_acme-challenge.D
_acme-challenge.D.<alias zone>
This provider does not support CNAME alias mode in the current version.
The Common Name (CN) for the certificate.
Adds *.<primary> as an additional SAN.
Each name must be reachable via the provider above (or via CNAME alias if you set one).
Optional pre-flight: looks up each domain's CAA DNS records and confirms Let's Encrypt is allowed to issue. A blocking CAA record is a common silent cause of issuance failure. This is advisory — it won't stop you submitting.
CAA
Leave unchecked to generate a fresh key (choose the type below). Check this to keep an existing one (renewals, key continuity, pre-generated keys) by uploading or pasting it below.
ECDSA keys are smaller and faster and are supported by all modern clients; RSA maximizes compatibility with older systems. Ignored when you supply your own key.
Either upload the file or paste its contents — the file takes precedence if both are given.
PEM-encoded RSA, EC, or Ed25519 private key. 32 KB maximum.
Used once with openssl pkey to decrypt the key, then discarded.
openssl pkey
Used to encrypt the .pfx file. You'll need this password to import the certificate on Windows or IIS.
Issues a non-trusted test certificate. Useful for verifying the workflow without hitting production rate limits.
This typically takes 30-90 seconds. Please don't close this tab.