{"id":49299,"date":"2025-05-06T11:56:38","date_gmt":"2025-05-06T11:56:38","guid":{"rendered":"https:\/\/www.devopsschool.com\/blog\/?p=49299"},"modified":"2025-05-06T11:56:38","modified_gmt":"2025-05-06T11:56:38","slug":"how-ssl-tls-certificates-work-setup-manual-renewal-using-acme-sh","status":"publish","type":"post","link":"https:\/\/www.devopsschool.com\/blog\/how-ssl-tls-certificates-work-setup-manual-renewal-using-acme-sh\/","title":{"rendered":"How SSL\/TLS Certificates Work: Setup &amp; Manual Renewal using acme.sh"},"content":{"rendered":"\n<h1 class=\"wp-block-heading\">\ud83d\udcdc <strong>SSL\/TLS Website Certification: How It Works and How to Set It Up &amp; Renew with acme.sh<\/strong><\/h1>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\">\ud83e\udde9 Introduction: Why Are SSL Certificates Important?<\/h2>\n\n\n\n<p>SSL (Secure Socket Layer) or more accurately TLS (Transport Layer Security) certificates are digital certificates used to secure communication between a website and its visitors. 
They enable <strong>HTTPS<\/strong>, encrypting data in transit, protecting it from eavesdroppers, and establishing <strong>trust and security<\/strong> with users.<\/p>\n\n\n\n<p>When a user sees a \ud83d\udd12 lock icon in their browser, it means:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>The website has a valid certificate.<\/li>\n\n\n\n<li>The identity of the server is verified.<\/li>\n\n\n\n<li>All communication is encrypted.<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\">\ud83c\udfe2 Certificate Authorities (CA) and How They Work<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\">What is a Certificate Authority (CA)?<\/h3>\n\n\n\n<p>A <strong>Certificate Authority (CA)<\/strong> is a trusted organization that verifies your domain identity and issues digital certificates.<\/p>\n\n\n\n<p>Popular CAs include:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>GoDaddy (Paid)<\/strong> \u2013 Valid for <strong>1 year<\/strong><\/li>\n\n\n\n<li><strong>Let&#8217;s Encrypt (Free)<\/strong> \u2013 Valid for <strong>90 days<\/strong> (auto-renewable)<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">CA Examples<\/h3>\n\n\n\n<figure class=\"wp-block-table\"><table class=\"has-fixed-layout\"><thead><tr><th>Certificate Authority<\/th><th>Type<\/th><th>Validity<\/th><th>Cost<\/th><th>Automation<\/th><\/tr><\/thead><tbody><tr><td>GoDaddy<\/td><td>Paid<\/td><td>1 Year<\/td><td>\ud83d\udcb5 Yes<\/td><td>Auto\/manual<\/td><\/tr><tr><td>Let&#8217;s Encrypt<\/td><td>Free<\/td><td>90 Days<\/td><td>\u274c Free<\/td><td>Auto\/manual<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\">\ud83d\udd10 Public &amp; Private Key Concept<\/h2>\n\n\n\n<p>The security of SSL is based on <strong>public-key cryptography<\/strong>:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Private Key (PEM)<\/strong>: Stays secure 
on your server.<\/li>\n\n\n\n<li><strong>Public Key (CSR)<\/strong>: Sent to the CA inside the Certificate Signing Request (CSR) to request a certificate.<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\">\ud83d\udd04 SSL Certificate Issuance: Manual Flow Explained<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\">Step-by-step Process:<\/h3>\n\n\n\n<ol class=\"wp-block-list\">\n<li><strong>Generate a Private Key (PEM)<\/strong> using OpenSSL.<\/li>\n\n\n\n<li><strong>Generate a Certificate Signing Request (CSR)<\/strong> using that private key.<\/li>\n\n\n\n<li><strong>Submit the CSR<\/strong> to a Certificate Authority (CA).<\/li>\n\n\n\n<li><strong>CA verifies ownership<\/strong> and returns a <strong>.crt certificate file<\/strong>.<\/li>\n\n\n\n<li>You <strong>configure the web server<\/strong> (Apache, Nginx, etc.) with:\n<ul class=\"wp-block-list\">\n<li><code>certificate.crt<\/code><\/li>\n\n\n\n<li><code>private.pem<\/code> (your private key)<\/li>\n<\/ul>\n<\/li>\n<\/ol>\n\n\n<pre class=\"wp-block-code\"><span><code class=\"hljs\"># Example: Generate PEM &amp; CSR using OpenSSL\nopenssl genrsa -out private.pem 2048\nopenssl req -new -key private.pem -out domain.csr\n<\/code><\/span><\/pre>\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\">\ud83d\udee0\ufe0f How to Set Up Let&#8217;s Encrypt with or 
without cPanel<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\">Using cPanel (Auto)<\/h3>\n\n\n\n<p>Most modern hosting providers integrate Let&#8217;s Encrypt, allowing <strong>1-click SSL<\/strong> and <strong>auto-renewal<\/strong> every 60\u201380 days.<\/p>\n\n\n\n<blockquote class=\"wp-block-quote is-layout-flow wp-block-quote-is-layout-flow\">\n<p>Check your cPanel under <strong>&#8220;SSL\/TLS&#8221;<\/strong> or <strong>&#8220;Let&#8217;s Encrypt SSL&#8221;<\/strong> to activate.<\/p>\n<\/blockquote>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h3 class=\"wp-block-heading\">Without cPanel (Manual \u2013 acme.sh)<\/h3>\n\n\n\n<p>Let\u2019s Encrypt certificates can also be obtained manually using <code>acme.sh<\/code>, an ACME client written as a shell script for managing SSL certificates.<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\">\u2699\ufe0f Manual SSL with acme.sh \u2014 Step-by-Step<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\">\u2705 Step 1: Install <code>acme.sh<\/code><\/h3>\n\n\n<pre class=\"wp-block-code\"><span><code class=\"hljs\">curl https:\/\/get.acme.sh | sh\nsource ~\/.bashrc\n<\/code><\/span><\/pre>\n\n\n<h3 class=\"wp-block-heading\">\u2705 Step 2: Issue a Certificate<\/h3>\n\n\n<pre class=\"wp-block-code\"><span><code class=\"hljs\"># --server letsencrypt: use Let's Encrypt (acme.sh 3.0+ defaults to ZeroSSL)\nacme.sh --issue --server letsencrypt -d yourdomain.com -w \/path\/to\/webroot\n<\/code><\/span><\/pre>\n\n\n<blockquote class=\"wp-block-quote is-layout-flow wp-block-quote-is-layout-flow\">\n<p>Replace 
<code>\/path\/to\/webroot<\/code> with your actual document root directory.<\/p>\n<\/blockquote>\n\n\n\n<h3 class=\"wp-block-heading\">\u2705 Step 3: Install the Certificate<\/h3>\n\n\n<pre class=\"wp-block-code\"><span><code class=\"hljs\">acme.sh --install-cert -d yourdomain.com \\\n--key-file \/etc\/ssl\/private.pem \\\n--fullchain-file \/etc\/ssl\/certificate.crt\n<\/code><\/span><\/pre>\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h3 class=\"wp-block-heading\">\ud83d\udd01 Renewal Instructions<\/h3>\n\n\n\n<p>Since Let&#8217;s Encrypt certs are valid for 90 days, renew regularly:<\/p>\n\n\n<pre class=\"wp-block-code\"><span><code class=\"hljs\"># --force renews immediately, even if the certificate is not yet due\nacme.sh --renew -d yourdomain.com --force\n<\/code><\/span><\/pre>\n\n\n<p>To automate it with cron (every month on 
the 4th):<\/p>\n\n\n<pre class=\"wp-block-code\"><span><code class=\"hljs\">0 2 4 * * \"\/root\/.acme.sh\"\/acme.sh --cron --home \"\/root\/.acme.sh\" &gt; \/dev\/null\n<\/code><\/span><\/pre>\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\">\ud83d\udd0d Bonus Tips<\/h2>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Always back up your <code>private.pem<\/code> and <code>certificate.crt<\/code> files.<\/li>\n\n\n\n<li>Reload your web server after applying new certificates: <code>sudo systemctl reload nginx # or apache2<\/code><\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\">\ud83d\udccc Conclusion<\/h2>\n\n\n\n<p>Whether you&#8217;re a developer, DevOps engineer, or system administrator, understanding how certificate authorities and SSL certificates work is essential to secure web traffic.<\/p>\n\n\n\n<blockquote class=\"wp-block-quote is-layout-flow wp-block-quote-is-layout-flow\">\n<p>For ease and automation, use <strong>Let&#8217;s Encrypt + acme.sh<\/strong>. 
For extended validation or more control, go with <strong>GoDaddy or other paid CAs<\/strong>.<\/p>\n<\/blockquote>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<p><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Here&#8217;s a well-structured and comprehensive tutorial based on your notes, with added explanations, examples, and a professional tone suitable for blog publication or internal documentation. \ud83d\udcdc SSL\/TLS Website Certification: How&#8230; <\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"","sticky":false,"template":"","format":"standard","meta":{"_joinchat":[],"footnotes":""},"categories":[2],"tags":[],"class_list":["post-49299","post","type-post","status-publish","format-standard","hentry","category-uncategorised"],"_links":{"self":[{"href":"https:\/\/www.devopsschool.com\/blog\/wp-json\/wp\/v2\/posts\/49299","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.devopsschool.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.devopsschool.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.devopsschool.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.devopsschool.com\/blog\/wp-json\/wp\/v2\/comments?post=49299"}],"version-history":[{"count":1,"href":"https:\/\/www.devopsschool.com\/blog\/wp-json\/wp\/v2\/posts\/49299\/revisions"}],"predecessor-version":[{"id":49300,"href":"https:\/\/www.devopsschool.com\/blog\/wp-json\/wp\/v2\/posts\/49299\/revisions\/49300"}],"wp:attachment":[{"href":"https:\/\/www.devopsschool.com\/blog\/wp-json\/wp\/v2\/media?parent=49299"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.devopsschool.com\/blog\/wp-json\/wp\/v2\/categories?post=49299"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.devopsschool.com\/blog\/wp-json\/wp\/v2\/tags?post=49299"}],"curies":[{"name":"wp","href"
:"https:\/\/api.w.org\/{rel}","templated":true}]}}