Here’s a well-structured and comprehensive tutorial based on your notes, with added explanations, examples, and a professional tone suitable for blog publication or internal documentation.
๐ SSL/TLS Website Certification: How It Works and How to Set It Up & Renew with acme.sh
๐ Suggested Titles
- โHow SSL/TLS Certificates Work: Setup & Manual Renewal using acme.shโ
- โThe Ultimate Guide to Website Certificates: From CSR to HTTPSโ
- โSSL for Beginners: Certificate Authorities, CSR, PEM, CRT, and acme.sh Explainedโ
๐งฉ Introduction: Why Are SSL Certificates Important?
SSL (Secure Socket Layer) or more accurately TLS (Transport Layer Security) certificates are digital certificates used to secure communication between a website and its visitors. They enable HTTPS, encrypting data in transit, protecting it from eavesdroppers, and establishing trust and security with users.
When a user sees a ๐ lock icon in their browser, it means:
- The website has a valid certificate.
- The identity of the server is verified.
- All communication is encrypted.
๐ข Certificate Authorities (CA) and How They Work
What is a Certificate Authority (CA)?
A Certificate Authority (CA) is a trusted organization that verifies your domain identity and issues digital certificates.
Popular CAs include:
- GoDaddy (Paid) โ Valid for 1 year
- Let’s Encrypt (Free) โ Valid for 90 days (auto-renewable)
CA Examples
| Certificate Authority | Type | Validity | Cost | Automation |
|---|---|---|---|---|
| GoDaddy | Paid | 1 Year | ๐ต Yes | Auto/manual |
| Let’s Encrypt | Free | 90 Days | โ Free | Auto/manual |
๐ Public & Private Key Concept
The security of SSL is based on public-key cryptography:
- Private Key (PEM): Stays secure on your server.
- Public Key (CSR): Sent to CA to request a certificate.
๐ SSL Certificate Issuance: Manual Flow Explained
Step-by-step Process:
- Generate a Private Key (PEM) using OpenSSL.
- Generate a Certificate Signing Request (CSR) using that PEM.
- Submit the CSR to a Certificate Authority (CA).
- CA verifies ownership and returns a .crt certificate file.
- You configure the web server (Apache, Nginx, etc.) with:
certificate.crtprivate.pem(your private key)
# Example: Generate PEM & CSR using OpenSSL
openssl genrsa -out private.pem 2048
openssl req -new -key private.pem -out domain.csr
Code language: PHP (php)๐ ๏ธ How to Set Up Let’s Encrypt with or without cPanel
Using cPanel (Auto)
Most modern hosting providers integrate Let’s Encrypt, allowing 1-click SSL and auto-renewal every 60โ80 days.
Check your cPanel under “SSL/TLS” or “Let’s Encrypt SSL” to activate.
Without cPanel (Manual โ acme.sh)
Letโs Encrypt also provides a manual option using acme.sh, a powerful shell script for managing SSL.
โ๏ธ Manual SSL with acme.sh โ Step-by-Step
โ
Step 1: Install acme.sh
curl https://get.acme.sh | sh
source ~/.bashrc
Code language: PHP (php)โ Step 2: Issue a Certificate
acme.sh --issue -d yourdomain.com -w /path/to/webroot
Replace
/path/to/webrootwith your actual document root directory.
โ Step 3: Install the Certificate
acme.sh --install-cert -d yourdomain.com \
--key-file /etc/ssl/private.pem \
--fullchain-file /etc/ssl/certificate.crt
Code language: PHP (php)๐ Renewal Instructions
Since Let’s Encrypt certs are valid for 90 days, renew regularly:
acme.sh --renew -d yourdomain.com --force
Code language: CSS (css)To automate it with cron (every month on 4th):
0 2 4 * * "/root/.acme.sh"/acme.sh --cron --home "/root/.acme.sh" > /dev/null
Code language: JavaScript (javascript)๐ Bonus Tips
- Always back up your
private.pemandcertificate.crtfiles. - Reload your web server after applying new certificates:
sudo systemctl reload nginx # or apache2
๐ Conclusion
Whether you’re a developer, DevOps engineer, or system administrator, understanding how certificate authorities and SSL certificates work is essential to secure web traffic.
For ease and automation, use Let’s Encrypt + acme.sh. For extended validation or more control, go with GoDaddy or other paid CAs.
Iโm a DevOps/SRE/DevSecOps/Cloud Expert passionate about sharing knowledge and experiences. I have worked at Cotocus. I share tech blog at DevOps School, travel stories at Holiday Landmark, stock market tips at Stocks Mantra, health and fitness guidance at My Medic Plus, product reviews at TrueReviewNow , and SEO strategies at Wizbrand.
Do you want to learn Quantum Computing?
Please find my social handles as below;
Rajesh Kumar Personal Website
Rajesh Kumar at YOUTUBE
Rajesh Kumar at INSTAGRAM
Rajesh Kumar at X
Rajesh Kumar at FACEBOOK
Rajesh Kumar at LINKEDIN
Rajesh Kumar at WIZBRAND
Find Trusted Cardiac Hospitals
Compare heart hospitals by city and services โ all in one place.
Explore Hospitals