Here’s a well-structured and comprehensive tutorial based on your notes, with added explanations, examples, and a professional tone suitable for blog publication or internal documentation.

---

📜 SSL/TLS Website Certification: How It Works and How to Set It Up & Renew with acme.sh

🔖 Suggested Titles

• “How SSL/TLS Certificates Work: Setup & Manual Renewal using acme.sh”
• “The Ultimate Guide to Website Certificates: From CSR to HTTPS”
• “SSL for Beginners: Certificate Authorities, CSR, PEM, CRT, and acme.sh Explained”

---

🧩 Introduction: Why Are SSL Certificates Important?

SSL (Secure Socket Layer) or more accurately TLS (Transport Layer Security) certificates are digital certificates used to secure communication between a website and its visitors. They enable HTTPS, encrypting data in transit, protecting it from eavesdroppers, and establishing trust and security with users.

When a user sees a 🔒 lock icon in their browser, it means:

• The website has a valid certificate.
• The identity of the server is verified.
• All communication is encrypted.

---

🏢 Certificate Authorities (CA) and How They Work

What is a Certificate Authority (CA)?

A Certificate Authority (CA) is a trusted organization that verifies your domain identity and issues digital certificates.

Popular CAs include:

• GoDaddy (Paid) – Valid for 1 year
• Let’s Encrypt (Free) – Valid for 90 days (auto-renewable)

CA Examples

Certificate Authority	Type	Validity	Cost	Automation
GoDaddy	Paid	1 Year	💵 Yes	Auto/manual
Let’s Encrypt	Free	90 Days	❌ Free	Auto/manual

---

🔐 Public & Private Key Concept

The security of SSL is based on public-key cryptography:

• Private Key (PEM): Stays secure on your server.
• Public Key (CSR): Sent to CA to request a certificate.

---

🔄 SSL Certificate Issuance: Manual Flow Explained

Step-by-step Process:

1. Generate a Private Key (PEM) using OpenSSL.
2. Generate a Certificate Signing Request (CSR) using that PEM.
3. Submit the CSR to a Certificate Authority (CA).
4. CA verifies ownership and returns a .crt certificate file.
5. You configure the web server (Apache, Nginx, etc.) with:
   • certificate.crt
   • private.pem (your private key)

# Example: Generate PEM & CSR using OpenSSL
openssl genrsa -out private.pem 2048
openssl req -new -key private.pem -out domain.csr

---

🛠️ How to Set Up Let’s Encrypt with or without cPanel

Using cPanel (Auto)

Most modern hosting providers integrate Let’s Encrypt, allowing 1-click SSL and auto-renewal every 60–80 days.

Check your cPanel under “SSL/TLS” or “Let’s Encrypt SSL” to activate.

---

Without cPanel (Manual – acme.sh)

Let’s Encrypt also provides a manual option using acme.sh, a powerful shell script for managing SSL.

---

⚙️ Manual SSL with acme.sh — Step-by-Step

✅ Step 1: Install acme.sh

curl https://get.acme.sh | sh
source ~/.bashrc

✅ Step 2: Issue a Certificate

acme.sh --issue -d yourdomain.com -w /path/to/webroot

Replace /path/to/webroot with your actual document root directory.

✅ Step 3: Install the Certificate

acme.sh --install-cert -d yourdomain.com \
--key-file /etc/ssl/private.pem \
--fullchain-file /etc/ssl/certificate.crt

---

🔁 Renewal Instructions

Since Let’s Encrypt certs are valid for 90 days, renew regularly:

acme.sh --renew -d yourdomain.com --force

To automate it with cron (every month on 4th):

0 2 4 * * "/root/.acme.sh"/acme.sh --cron --home "/root/.acme.sh" > /dev/null

---

🔍 Bonus Tips

• Always back up your private.pem and certificate.crt files.
• Reload your web server after applying new certificates: sudo systemctl reload nginx # or apache2

---

📌 Conclusion

Whether you’re a developer, DevOps engineer, or system administrator, understanding how certificate authorities and SSL certificates work is essential to secure web traffic.

For ease and automation, use Let’s Encrypt + acme.sh. For extended validation or more control, go with GoDaddy or other paid CAs.

---