Contact UsGet started

Getting started with Certificate Manager

Written by
Improved by
Updated at April 22, 2025

By following this guide, you will add your first Let's Encrypt certificate to Certificate Manager and use it to set up HTTPS access to a static website hosted in Yandex Object Storage.

Getting started

To get started with Certificate Manager, you need:

  1. Folder in Yandex Cloud. If there is no folder yet, create one:

    1. In the management console, select the appropriate cloud from the list on the left.

    2. At the top right, click Create folder.

    3. Give your folder a name. The naming requirements are as follows:

      • It must be from 2 to 63 characters long.
      • It may contain lowercase Latin letters, numbers, and hyphens.
      • It must start with a letter and cannot end with a hyphen.

    4. Optionally, specify the description for your folder.

    5. Select Create a default network. This will create a network with subnets in each availability zone. Within this network, you will also have a default security group, inside which all network traffic will be allowed.

    6. Click Create.

  2. Third-level (or higher) domain that the Let's Encrypt certificate is issued for.

    Note

    To pass the domain rights check, you must have the management access to the domain.

  3. Public bucket in Object Storage with exactly the same name as the domain. If you do not have a bucket yet, create one:

    1. In the management console, select the folder you want to create a bucket in.
    2. Select Object Storage.
    3. Click Create bucket.
    4. Enter exactly the same name for the bucket as the domain name.
    5. Select the Public access type.
    6. Select the default storage class.
    7. Click Create bucket to complete the operation.

  4. Set up hosting in your bucket:

    1. In the management console, select Object Storage.
    2. On the Buckets tab, click the bucket with the same name as the domain.
    3. In the left-hand panel, select Settings.
    4. Open the Website tab.
    5. Select Hosting and specify the website's homepage.
    6. Click Save to complete the operation.

  5. Set up an alias for the bucket through your DNS provider or on your own DNS server.

    For instance, for the www.example.com domain, add the following record:

    www.example.com CNAME www.example.com.website.yandexcloud.net

  6. Install and configure the AWS CLI by following this guide.

Create a request for a Let's Encrypt certificate

  1. Go to the management console.
  2. Select Certificate Manager.
  3. Click Add certificate.
  4. In the menu that opens, select Let's Encrypt certificate.
  5. In the window that opens, enter a name for the certificate.
  6. (Optional) Add a description for the certificate.
  7. In the Domains field, specify the domains you want to issue the certificate for.
  8. Select the domain rights check type for HTTP.
  9. Click Create.

Passing the domain rights check

Creating a check file

  1. In the management console, select Certificate Manager.
  2. Select a certificate with the Validating status in the list and click it.
  3. Under Check rights for domains:
    1. Copy the URL from the Link for hosting file field:
      • The http://example.com/.well-known/acme-challenge/ part of the link is the file path.
      • The second part, rG1Mm1bJ..., is the file name you should use.
    2. Copy the Contents field to the file.

Uploading the file and performing the check

  1. In the management console, select Object Storage.

  2. On the Buckets tab, click the bucket with the same name as the domain.

  3. At the top right, click Create folder and create a directory named .well-known.

  4. Under .well-known, create the acme-challenge directory.

  5. In acme-challenge, click Upload.

  6. In the window that opens, select the file with a record and click Open.

  7. Click Upload.

  8. Wait until the certificate's status changes to Issued.

    For more information on the status, see the certificate page. To do this, click Viewing logs next to Validation.

  9. Go to acme-challenge.

  10. Click to the right of the file and select Delete.

  11. Confirm the deletion.

  1. Upload your file to the bucket so that it resides in the .well-known/acme-challenge subdirectory:

    aws --endpoint-url=https://storage.yandexcloud.net \
  s3 cp <file_name> s3://<bucket_name>/.well-known/acme-challenge/<file_name>

  2. Wait until the certificate's status changes to Issued.

  3. Delete the file you created from the bucket:

    aws --endpoint-url=https://storage.yandexcloud.net \
   s3 rm s3://<bucket_name>/.well-known/acme-challenge/<file_name>

Warning

To renew a certificate, you have to perform certain actions. Keep track of the lifecycle of your certificates to renew them on time. For more information, see Renew a certificate.

Set up static website access over HTTPS

  1. Log in to the management console.
  2. Select Object Storage.
  3. On the Buckets tab, click the bucket with the same name as the domain.
  4. In the left-hand panel, select Security.
  5. Go to the HTTPS tab.
  6. Click Configure at the top right.
  7. In the Source field, select Certificate Manager.
  8. In the Certificate field, select the certificate from the list that opens.
  9. Click Save.

See also

Next
All guides