Generate Let's Encrypt Free HTTPS SSL Certificate

By Anil Gupta, 24 Dec, 17 | Tech Tips

Generate a 2048-bit HTTPS certificate for use with Google Cloud Load Balancer or AWS. A step-by-step process to get a free SSL certificate through the ZeroSSL online service, with Let's Encrypt as the signing authority.


If you want a free HTTPS certificate for a WordPress site, use the WP-Encrypt plugin for WordPress instead. It is much easier and integrates with your blog seamlessly.

The certificate generated by WP-Encrypt uses a 4096-bit RSA key (larger is stronger), which unfortunately is not supported by Google Cloud Load Balancer. It only accepts 2048-bit RSA keys.

We will walk through an online service called zerossl.com, which internally uses Let's Encrypt to generate the free HTTPS certificate.

Generate a 2048-bit CSR (certificate request file)

  1. Do not go directly to certificate generation on ZeroSSL, as it generates a CSR with a 4096-bit key automatically.

    Instead, we will first explicitly generate a CSR with a 2048-bit key here: https://zerossl.com/free-ssl/#csr
  2. Fill in your domain names, such as ‘am22tech.com’, ‘www.am22tech.com’, ‘cdn.am22tech.com’. Include every name that you want the certificate to be issued for.
    1. Choose ‘2048’ bits.
    2. Fill up your company information.
    3. Leave the domain key box (left box) and CSR box (right box) empty. We are going to generate them.
  3. Click ‘Generate’. This step generates two files:
    1. Domain private key file (called ‘Private key file’ in Google Load Balancer).

      Download and save this file as ‘domain-private-key-use-in-g-load-balancer.pem’ on your local machine. This key is the secret that protects your HTTPS traffic, so store it where only you can read it.
    2. The CSR file. The CSR is useful if you need to reissue the certificate (at renewal time) or if you have to run through these steps again. Download and save this file as ‘csr.pem-use-for-renewal.txt’.
      It contains the domain information you just entered, such as your company information and domain names.
2048 bit CSR generation

Generate a FREE HTTPS certificate signed by Let's Encrypt

  1. Go to this link: https://zerossl.com/free-ssl/#crt
    1. Enter your email. This is important as this email will be used to inform you about certificate expiry.
    2. Leave the private key file section (the left hand side box) blank. It will be generated fresh.
    3. Copy and paste the contents of the CSR file (csr.pem-use-for-renewal.txt) into the right hand side box. This is the file from the step above.
    4. Choose DNS as the verification method. It is much easier; the HTTP method would ask you to add a file on your web server.
    5. Accept ZeroSSL TOS.
    6. Accept Let’s Encrypt SA (pdf).
  2. Sign certificate with Lets Encrypt
  3. Click ‘Next’. A key file is generated in the left hand side box. This is a private key file; download and save it as ‘lets-encrypt-private-key-file.pem’. It will be required when you renew this certificate.

    This is your Let's Encrypt account key, distinct from the domain key generated earlier. The identity has two components: an email address, which is optional but recommended for expiration notices, and an RSA key for encryption and validation of commands. The RSA key is linked to ALL Let's Encrypt activities (such as running requests, revocations and listing current certificates). This is a very important key; it will also be needed for generating other certificates.

  4. Click Next again. You are now shown the DNS settings.
    Verify certificate using DNS
    1. Go to your DNS service (for example https://domains.google.com) and add or change these records. Keep the TTL value low, such as 1m (= 1 minute), so the records propagate quickly and ZeroSSL can verify them promptly.
      DNS records in Google domains
    2. Wait for about 3 minutes and then click ‘Next’.
  5. On the next screen, you see the signed certificate file.
    Signed Lets Encrypt certificate

  6. Download and save this file as ‘domain-crt-contains-2-certs-zero-ssl-last-step.txt’.
  7. Open this file in a text editor. The file holds two PEM blocks (each starting with ‘-----BEGIN CERTIFICATE-----’). Cut the two parts apart and save them as separate files:
    1. First part: save as ‘public-key-certifcate-derived-from-2-cert-file-use-in-g-load-balancer.pem’.
      For AWS and Google Load Balancer, this file is the ‘public key certificate’.
    2. Second part: save as ‘chain-certicate-derived-from-2-cert-file-use-in-g-load-balancer.pem’.
      For AWS and Google Load Balancer, this file is called either “Intermediate certificate”, “Certificate chain” or “CA Bundle”.
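As an added example (not code from the post or from ZeroSSL), the same work done locally with openssl and a POSIX shell: make_csr builds the 2048-bit key and CSR from the first section without the web form, split_bundle cuts the two-certificate file from step 7 into the leaf and chain, and verify_files checks that the key, leaf and chain fit together before you upload them. File names and domain names are the post's own; openssl 1.1.1 or newer is assumed.

```shell
#!/bin/sh
# Added example (not from the original post). make_csr replaces the ZeroSSL
# CSR form with openssl, split_bundle cuts the two-certificate file from the
# last step into the leaf and chain files, and verify_files checks them
# before upload. File names are the post's own. Usage: sh cert.sh csr|check
set -eu

# make_csr KEY_OUT CSR_OUT DOMAIN...: 2048-bit RSA key and a CSR listing
# every domain as a SAN. Assumes openssl 1.1.1 or newer (-addext).
make_csr() {
  key=$1 csr=$2; shift 2
  sans=$(printf 'DNS:%s,' "$@"); sans=${sans%,}
  openssl req -new -newkey rsa:2048 -nodes -keyout "$key" -out "$csr" \
    -subj "/CN=$1" -addext "subjectAltName=$sans"
}

# split_bundle BUNDLE LEAF_OUT CHAIN_OUT: the first PEM block is the domain
# certificate, every following block is the intermediate chain.
split_bundle() {
  awk -v leaf="$2" -v chain="$3" '
    /-----BEGIN CERTIFICATE-----/ { n++ }
    n == 1 { print > leaf }
    n >= 2 { print > chain }' "$1"
}

# count_certs FILE: number of PEM certificate blocks in FILE (0 if none).
count_certs() { grep -c -- '-----BEGIN CERTIFICATE-----' "$1" || true; }

# verify_files KEY LEAF CHAIN: key matches the leaf, key is 2048 bits (the
# size Google Cloud Load Balancer accepts) and the chain signs the leaf.
verify_files() {
  [ "$(openssl rsa -in "$1" -noout -modulus)" = \
    "$(openssl x509 -in "$2" -noout -modulus)" ] ||
    { echo "private key does not match certificate" >&2; return 1; }
  bits=$(openssl rsa -in "$1" -noout -text | sed -n 's/.*Private-Key: (\([0-9]*\) bit.*/\1/p')
  [ "$bits" = 2048 ] || { echo "key is $bits bits, expected 2048" >&2; return 1; }
  openssl verify -untrusted "$3" "$2" >/dev/null
}

KEY=domain-private-key-use-in-g-load-balancer.pem
LEAF=public-key-certifcate-derived-from-2-cert-file-use-in-g-load-balancer.pem
CHAIN=chain-certicate-derived-from-2-cert-file-use-in-g-load-balancer.pem
case "${1:-}" in
  csr)   make_csr "$KEY" csr.pem-use-for-renewal.txt am22tech.com www.am22tech.com cdn.am22tech.com ;;
  check) split_bundle domain-crt-contains-2-certs-zero-ssl-last-step.txt "$LEAF" "$CHAIN"
         verify_files "$KEY" "$LEAF" "$CHAIN" ;;
esac
```

Run `sh cert.sh csr` before the ZeroSSL signing step (paste csr.pem-use-for-renewal.txt into the CSR box) and `sh cert.sh check` after downloading the two-certificate file; verify_files relies on the system root store for the chain check.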

HTTPS Certificate Files

You should now have the following files with you to help you set up https at AWS cloud or Google Load Balancer:

  1. public-key-certifcate-derived-from-2-cert-file-use-in-g-load-balancer.pem
  2. chain-certicate-derived-from-2-cert-file-use-in-g-load-balancer.pem
  3. domain-crt-contains-2-certs-zero-ssl-last-step.txt

You also have these two files at this point. They will be needed when you renew the HTTPS certificate.

  1. lets-encrypt-private-key-file.pem
  2. csr.pem-use-for-renewal.txt

Keep all 5 of them in a place where you can easily retrieve them as needed. Two of them (the domain private key and the Let's Encrypt private key) are secrets, so that place should not be shared or publicly readable.

The certificate is valid for 90 days and is free to renew.

It is strongly advised to renew your certificate within 60 days if you want to avoid the DNS re-check. Between 60 and 90 days, Let's Encrypt forces you to re-verify the domain by either the HTTP or the DNS method.

Set up a calendar reminder on the 59th day to renew and update the certificate on your server.

To renew, just repeat the process using the same two files mentioned above.

Using the same CSR means that you do not need a new domain key (it stays the same); you only need to update the certificate file on your server. Keep in mind that reusing the key also means a key that was ever exposed stays in use across renewals, so if you have any doubt about it, generate a fresh CSR and key instead.