Let's Encrypt Certificate Request

Issue certificates via DNS-01 against Cloudflare, Route 53, DigitalOcean, or by adding TXT records yourself.

Account

Used for renewal notices and important updates from Let's Encrypt.

DNS provider

Create at dash.cloudflare.com/profile/api-tokens with Zone : DNS : Edit for the relevant zones.

Create an IAM user (or use temporary keys) with the AmazonRoute53FullAccess policy or a tighter custom policy that grants route53:ListHostedZones, route53:GetChange, and route53:ChangeResourceRecordSets on the relevant hosted zone(s).
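A tighter custom policy of the kind described above, as an added example (not this tool's own policy). It grants the three actions the page lists, limits ChangeResourceRecordSets to one hosted zone and, going beyond the page, uses Route 53's IAM condition keys to allow only TXT records at the ACME challenge name. The zone ID `Z0000000EXAMPLE` and the name `example.com` are placeholders.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ListZonesToFindTheRightOne",
      "Effect": "Allow",
      "Action": "route53:ListHostedZones",
      "Resource": "*"
    },
    {
      "Sid": "PollChangeStatus",
      "Effect": "Allow",
      "Action": "route53:GetChange",
      "Resource": "arn:aws:route53:::change/*"
    },
    {
      "Sid": "WriteChallengeTxtInPlaceholderZone",
      "Effect": "Allow",
      "Action": "route53:ChangeResourceRecordSets",
      "Resource": "arn:aws:route53:::hostedzone/Z0000000EXAMPLE",
      "Condition": {
        "ForAllValues:StringEquals": {
          "route53:ChangeResourceRecordSetsRecordTypes": ["TXT"],
          "route53:ChangeResourceRecordSetsNormalizedRecordNames": [
            "_acme-challenge.example.com"
          ]
        }
      }
    }
  ]
}
```

ListHostedZones and GetChange cannot be scoped to a hosted zone, which is why they sit in their own statements. Compared with AmazonRoute53FullAccess, a leaked key under this policy can only touch the challenge TXT record, not the zone's A, MX, or NS records.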

Create at cloud.digitalocean.com/account/api/tokens with Read and Write scopes (domain resource).

No API key required. After you click Request certificate, the next page will show the TXT records to add at your registrar. Once they're in place, click Complete to finish issuance.

Use this when your certificate domain's DNS is at a registrar without an API (Hover, Network Solutions, etc.) but you control a different zone at the provider above. For each requested domain D you must pre-create a CNAME at the registrar: _acme-challenge.D → _acme-challenge.D.<alias zone>. Leave blank for the normal flow.

Domains

The Common Name (CN) for the certificate.

Each name must be reachable via the provider above (or via CNAME alias if you set one).

Existing private key (optional)

Leave blank to have certbot generate a fresh 4096-bit RSA key. Provide a key here to keep an existing one (renewals, key continuity, pre-generated keys). Either upload the file or paste its contents — the file takes precedence if both are given.

PEM-encoded RSA, EC, or Ed25519 private key. 32 KB maximum.

Used once with openssl pkey to decrypt the key, then discarded.

PFX bundle password

Used to encrypt the .pfx file. You'll need this password to import the certificate on Windows or IIS.

Options