# Integrating Let's Encrypt Certificate Authority with Key Manager Plus Cloud

Key Manager Plus Cloud facilitates end-to-end certificate life-cycle management for your public-facing websites by integrating with the renowned open CA, Let's Encrypt. Users can procure domain-validated certificates from Let's Encrypt for their public domains, then deploy, track, request alerts on expiry, and renew those certificates, all from within Key Manager Plus Cloud.

Follow the step-by-step procedure below to integrate Let's Encrypt with Key Manager Plus Cloud:

1. [Creating a Let's Encrypt Account](https://www.manageengine.com/key-manager/help-cloud/ca-letsencrypt.html#Creating_a_Lets_Encrypt_Account)
2. [Creating a Certificate Request](https://www.manageengine.com/key-manager/help-cloud/ca-letsencrypt.html#Creating_a_Certificate_Request)
3. [Procuring and Saving Certificates](https://www.manageengine.com/key-manager/help-cloud/ca-letsencrypt.html#Procuring_and_Saving_Certificates)
4. [Managing Certificates Issued by Let's Encrypt CA](https://www.manageengine.com/key-manager/help-cloud/ca-letsencrypt.html#Managing_Certificates_Issued_by_Lets_Encrypt_CA)

## 1. Creating a Let's Encrypt Account

The first step in requesting certificates from Let's Encrypt CA is creating a Let's Encrypt account (skip to the next section if you already have an account). This is a one-time process and can be done from Key Manager Plus Cloud itself.

To create a Let's Encrypt account, follow the steps below:

1. Navigate to **Integrations >> ACME Integrations >> Let's Encrypt >> Manage**.
2. Under the **Account** tab, click **New Registration**.

   ![ca-letsencrypt-1](https://cdn.manageengine.com/sites/meweb/images/key-manager/help-cloud/ca-letsencrypt-1.png)
3. In the UI that opens, provide an account name and specify a valid email address. Choose either **Production** or **Staging**, based on the URL that will be used.
4. Accept the **Let's Encrypt Subscriber Agreement** by enabling the checkbox and click **Register**.

An account with Let's Encrypt is created. Users can update the account email address, delete it from Key Manager Plus Cloud, or deactivate the account entirely.

Please note that deleting the account only removes it from Key Manager Plus Cloud. Even if the account is deleted here, it will still be active in the Let's Encrypt portal. To add the same account back to Key Manager Plus Cloud, export the key and use the **Add Account** option with the same details used before. However, if the **Deactivate** option is selected while deleting the account, then the Let's Encrypt account will be completely removed, and it cannot be added back to Key Manager Plus Cloud with the same details.

**Caution**

This privilege is available only for administrators, and only one Let's Encrypt account can be created from Key Manager Plus Cloud.

## 2. Creating a Certificate Request

After creating an account with Let's Encrypt, users can generate a certificate request. A challenge will then be presented, which must be fulfilled for Let's Encrypt to validate the domain and issue the certificate.

To create a certificate request, follow the steps below:

1. Navigate to **Integrations >> ACME Integrations >> Let's Encrypt** and click **Certificate Request**.
2. In the form that appears, fill in the domain name, select the **Challenge Type, Key Algorithm, Algorithm Length, Signature Algorithm, Keystore Type**, and enter or generate the **Keystore Password**. Click **Create**.

   ![ca-letsencrypt-2](https://cdn.manageengine.com/sites/meweb/images/key-manager/help-cloud/ca-letsencrypt-2.png)
3. For the dns-01 challenge type, users can choose and assign a DNS account from the dropdown if they have already configured a DNS credential. This will be used for automatic challenge verification for all the domains specified in the request. To add a DNS account, refer to [this document](https://www.manageengine.com/key-manager/help-cloud/configure-dns-account.html).
4. In addition, users have options to change the private key whenever the certificate is renewed.
   1. Select **New Key** to change the key on each renewal.
   2. Select **Same Key** to retain the key on each renewal.
   3. Select **Import Key** to use your own key. This key will be used for the first time when the certificate is generated and also for subsequent renewals.

**Additional Details**

- Key Manager Plus Cloud supports wildcard certificate requests for DNS based challenges. For wildcard certificate requests, enter the common name in the format: `*.domainname.com`.
- One certificate can secure up to 100 domains. You can enter a maximum of 100 names in the 'domain name' field, out of which the first name is considered the common name, and the rest are treated as **Subject Alternative Names (SAN)**.
- The option to change the private key currently works only with the RSA key algorithm.

Key Manager Plus Cloud expedites domain validation through automatic verification of HTTP-01 and DNS-01 challenges (currently Azure, Cloudflare, Amazon Route 53, RFC 2136 DNS update, GoDaddy DNS, ClouDNS, and DNS Made Easy). For this to take effect, you have to initially map the end-server details to Key Manager Plus Cloud, which is a one-time process. For more details, refer to [this document](https://www.manageengine.com/key-manager/help-cloud/ssl-integrations-dcv.html).

## 3. Procuring and Saving Certificates

On successful verification, Let's Encrypt issues the requested certificate and the window automatically redirects to a page that displays the certificate and its status (the status is marked as **Available** if the challenge verification is successful, and **Failed** if the challenge verification failed).

To procure and save the certificate, follow the steps below:

1. Click the **Available** button to save the certificate in Key Manager Plus Cloud and email or export it.
2. On saving, the certificate gets added, which can be viewed from the **SSL >> Certificates** tab.
3. If the challenge fails, click **New challenge** to obtain another set of challenges and repeat the above process.

## 4. Managing Certificates Issued by Let's Encrypt CA

This section explains how to renew, revoke, and delete certificates issued by Let's Encrypt CA.

**Additional Detail**

To view the history of the certificates issued by Let's Encrypt CA, click the **Certificate History** icon in the certificate list.

### 4.1 Renewing Certificates

Certificates issued by Let's Encrypt have a lifetime of ninety days, after which they are not valid. Also, as mentioned above, the domain authentication validity period is sixty days, which means that the user has to fulfill the challenges once every sixty days in order to prove ownership of the domain.

To renew a certificate manually, follow these steps:

1. Navigate to **Integrations >> ACME Integrations >> Let's Encrypt**.
2. Select the certificate you wish to renew and click **Renew Certificate** from the top menu.
3. Once the renewal is complete, the certificate status will be updated to **Renewed** in the **Certificate Status** bar.

   ![ca-letsencrypt-3](https://cdn.manageengine.com/sites/meweb/images/key-manager/help-cloud/ca-letsencrypt-3.png)
4. Click on it to save the renewed version of the certificate to Key Manager Plus Cloud.

**Caution**

The certificate must be saved after renewal in order to be updated in the certificate inventory. Otherwise, only the old version of the certificate will remain in the inventory.

### 4.2 Revoking Certificates

Revoking a certificate renders the certificate invalid and immediately removes HTTPS from the website.

To revoke a certificate, follow the steps below:

1. Navigate to **Integrations >> ACME Integrations >> Let's Encrypt**.
2. Select the certificate you want to revoke and click **Revoke Certificate** from the top menu.

The certificate will be revoked and will no longer be valid.

### 4.3 Deleting Certificates

Deleting a certificate removes the certificate from Key Manager Plus Cloud, but the certificate remains valid.

To delete a certificate, follow the steps below:

1. Navigate to **Integrations >> ACME Integrations >> Let's Encrypt**.
2. Select the certificate you want to delete and click **More >> Delete**.
3. If prompted, click **OK** to confirm the deletion.

The certificate is now deleted from Key Manager Plus Cloud.
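
The following is an added example, not ManageEngine or Let's Encrypt code. It applies the request rules from section 2 (100-name limit, first name as common name, wildcards only with a DNS based challenge) and computes what the CA looks up for each challenge type under the ACME protocol (RFC 8555), which is the value that automatic HTTP-01 or DNS-01 verification has to publish. The function names, sample account key and token are constructed for illustration; a real CA issues a separate token for each name.

```python
import base64
import hashlib
import json

MAX_NAMES = 100  # names per certificate, as stated on this page


def b64url(data: bytes) -> str:
    """Unpadded base64url, the encoding ACME (RFC 8555) uses."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638: SHA-256 over the required key members, sorted, no whitespace."""
    members = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    canonical = json.dumps({m: jwk[m] for m in members},
                           sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("ascii")).digest())


def split_names(names, challenge_type):
    """Apply this page's request rules; return (common_name, sans)."""
    if not 1 <= len(names) <= MAX_NAMES:
        raise ValueError(f"a request takes 1 to {MAX_NAMES} names")
    if challenge_type not in ("http-01", "dns-01"):
        raise ValueError(f"unsupported challenge type: {challenge_type}")
    for name in names:
        if name.startswith("*.") and challenge_type != "dns-01":
            raise ValueError(f"{name}: wildcard names need a DNS based challenge")
    return names[0], list(names[1:])


def challenge_artifact(name, challenge_type, token, account_jwk):
    """What the CA looks up for one name: (kind, location, expected content)."""
    key_auth = f"{token}.{jwk_thumbprint(account_jwk)}"
    if challenge_type == "dns-01":
        # A wildcard is validated at its base name.
        base = name[2:] if name.startswith("*.") else name
        digest = hashlib.sha256(key_auth.encode("ascii")).digest()
        return "TXT", f"_acme-challenge.{base}", b64url(digest)
    return "HTTP", f"http://{name}/.well-known/acme-challenge/{token}", key_auth


# Constructed sample values, not a real account key or CA token.
SAMPLE_JWK = {"kty": "EC", "crv": "P-256", "x": "constructed-x", "y": "constructed-y"}
SAMPLE_TOKEN = "constructed-token-0001"

if __name__ == "__main__":
    cn, sans = split_names(["*.example.com", "example.com"], "dns-01")
    for n in [cn, *sans]:
        print(challenge_artifact(n, "dns-01", SAMPLE_TOKEN, SAMPLE_JWK))
```

Because the expected content is bound to the account key's thumbprint, a TXT record or challenge file published for one ACME account does not satisfy a challenge issued to another account.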