AutoSSL

Issue Certificate

Learn how to request and issue SSL certificates using AutoSSL.

Overview

Issuing a new SSL certificate in AutoSSL involves two main phases:

  1. Configuring the certificate request (domains, renewal strategy, and cryptography settings).
  2. Verifying your domain ownership via DNS (CNAME records) to authorize the Certificate Authority (CA) to issue the certificate.

Certificate Application

Step 1: Request a New Certificate

To start, navigate to the Certificates page and click on Create Certificate. You will be presented with a configuration form.

1. Select Certificate Authority (CA)

Choose the Certificate Authority that will issue your SSL certificate. Currently, AutoSSL supports:

  • Let's Encrypt: A free, automated, and open certificate authority.

2. Domain Configuration

Enter the domain names you want the certificate to protect.

  • You can add multiple domains by clicking Add Domain.
  • Wildcard domains are fully supported (e.g., *.example.com).
  • Note: Domain names cannot overlap or repeat. For example, you cannot include both www.autossl.dev and *.autossl.dev in the same certificate request, as the wildcard already covers the specific subdomain.
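
The overlap rule above can be checked on a domain list before it is entered in the form. The following Python is an added example, not AutoSSL's own validation code; the function names are hypothetical, and it assumes standard TLS wildcard matching, where `*` stands for exactly one left-most label.

```python
def normalize(name: str) -> str:
    """Lower-case and drop a trailing dot so equal names compare equal."""
    return name.strip().lower().rstrip(".")


def covered_by(name: str, wildcard: str) -> bool:
    """Return True if `wildcard` (*.zone) covers `name`.

    Assumption: '*' matches exactly one left-most label, so
    *.example.com covers www.example.com but neither example.com
    nor a.b.example.com.
    """
    if not wildcard.startswith("*.") or name.startswith("*."):
        return False
    zone = wildcard[2:]
    head, sep, tail = name.partition(".")
    return bool(head) and sep == "." and tail == zone


def find_conflicts(domains: list[str]) -> list[str]:
    """List duplicates and wildcard overlaps in one certificate request."""
    conflicts = []
    seen = set()
    names = []
    for raw in domains:
        n = normalize(raw)
        if n in seen:
            conflicts.append(f"duplicate: {n}")
            continue
        seen.add(n)
        names.append(n)
    # Compare every wildcard entry against every other entry.
    for w in names:
        for n in names:
            if covered_by(n, w):
                conflicts.append(f"overlap: {n} is covered by {w}")
    return conflicts


if __name__ == "__main__":
    # Constructed sample input based on the example in the note above.
    for line in find_conflicts(["www.autossl.dev", "*.autossl.dev"]):
        print(line)
```

Under this assumption the apex domain (autossl.dev) and a wildcard (*.autossl.dev) do not conflict, because the wildcard does not cover the apex.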

3. Basic Settings

Configure how AutoSSL manages this certificate over time:

  • Certificate Name: (Optional) Provide a custom name for easy identification. If left empty, AutoSSL will auto-generate one based on your primary domain.
  • Auto Renew: Enable this so that AutoSSL automatically renews your certificate before it expires, ensuring zero downtime.
  • Renew Days Before Expiry: If Auto Renew is enabled, you can specify how many days before expiration the renewal should trigger (between 15 and 45 days). 21 days is recommended to leave enough time to handle any potential renewal issues.

4. Advanced Settings (Cryptography)

You can customize the technical parameters of the Certificate Signing Request (CSR):

  • Signature Algorithm:
    • RSA: Offers better compatibility with legacy systems. You can choose a key length of 2048-bit (recommended), 3072-bit, or 4096-bit.
    • ECDSA: Offers better performance and smaller key sizes. You can choose a curve of P-256 (best compatibility), P-384 (higher security), or P-521.
  • Hash Algorithm: Choose between SHA-256, SHA-384, or SHA-512 for the certificate signature.

Once configured, click Next: Configure DNS Verification to create the certificate group and proceed to the verification step.

Step 2: Verify Domain Ownership

Before the Certificate Authority can issue your certificate, you must prove that you control the requested domains. AutoSSL uses DNS-based challenge verification.

1. Configure CNAME Records

AutoSSL will generate specific CNAME records for each domain in your request.

  • Log in to your domain registrar or DNS hosting provider (e.g., Cloudflare, Route53, GoDaddy).
  • Add the provided CNAME records to your DNS settings. For a detailed guide on how to add DNS records for various providers, please refer to How To Add DNS Records.

Important: After successfully configuring the DNS CNAME records, do not delete them. If the records are removed, AutoSSL will not be able to automatically renew your certificates in the future.

2. Verify Status

After adding the DNS records, return to AutoSSL.

  • DNS propagation can take a few minutes.
  • AutoSSL will check the status of your CNAME records. You can manually trigger a check to refresh the status.

3. Start Issuing Certificate

Once all domains are marked as Verified, the Start Issuing Certificate button will become enabled.

  • Click the button to instruct the Certificate Authority to finalize the verification and issue the certificate.
  • After a short processing time, your new SSL certificate will be ready, and you can proceed to configure Deployments to push it to your infrastructure.

Auto Renewal and Deployment

When configuring the certificate (as shown in Step 1), if you enable Auto Renew, AutoSSL will automatically attempt to renew the certificate before it expires (based on the Renew Days Before Expiry setting).

AutoSSL's true power shines when Auto Renew is combined with Deployments:

  1. Automatic Certificate Renewal: When the renewal threshold is reached (e.g., 21 days before expiration), AutoSSL will automatically issue a new certificate from the CA without any manual intervention, provided your DNS verification records (CNAME) remain valid.
  2. Triggering Auto Deployments: Once the new certificate is successfully issued, AutoSSL will automatically trigger all configured Deployments for this certificate that have the Auto Deploy option enabled.
  3. Zero Downtime: The newly issued certificate is automatically pushed and applied to your infrastructure (e.g., CDN, Load Balancers, Serverless functions), ensuring that your applications maintain secure HTTPS connections with zero downtime and zero manual effort.