Yandex project
© 2025 Yandex.Cloud LLC
Yandex Certificate Manager

In this article:

  • Getting started
  • Create a request for a Let's Encrypt certificate
  • Passing the domain rights check
  • Creating a check file
  • Uploading the file and performing the check
  • Set up static website access over HTTPS

Getting started with Certificate Manager

Written by
Yandex Cloud
Improved by
Danila N.
Updated at April 22, 2025

By following this guide, you will add your first Let's Encrypt certificate to Certificate Manager and use it to set up HTTPS access to a static website hosted in Yandex Object Storage.

Getting started

To get started with Certificate Manager, you need:

  1. Folder in Yandex Cloud. If there is no folder yet, create one:

    1. In the management console, select the appropriate cloud from the list on the left.

    2. At the top right, click Create folder.

    3. Give your folder a name. The naming requirements are as follows:

      • It must be from 2 to 63 characters long.
      • It may contain lowercase Latin letters, numbers, and hyphens.
      • It must start with a letter and cannot end with a hyphen.
    4. Optionally, specify the description for your folder.

    5. Select Create a default network. This creates a network with subnets in each availability zone, along with a default security group that allows all network traffic.

    6. Click Create.

  2. Third-level (or higher) domain that the Let's Encrypt certificate is issued for.

    Note

    To pass the domain rights check, you must have management access to the domain.

  3. Public bucket in Object Storage with exactly the same name as the domain. If you do not have a bucket yet, create one:

    Management console
    1. In the management console, select the folder you want to create a bucket in.
    2. Select Object Storage.
    3. Click Create bucket.
    4. Enter exactly the same name for the bucket as the domain name.
    5. Select the Public access type.
    6. Select the default storage class.
    7. Click Create bucket to complete the operation.
  4. Set up hosting in your bucket:

    Management console
    1. In the management console, select Object Storage.
    2. On the Buckets tab, click the bucket with the same name as the domain.
    3. In the left-hand panel, select Settings.
    4. Open the Website tab.
    5. Select Hosting and specify the website's homepage.
    6. Click Save to complete the operation.
  5. Set up an alias for the bucket through your DNS provider or on your own DNS server.

    For instance, for the www.example.com domain, add the following record:

    www.example.com CNAME www.example.com.website.yandexcloud.net
    
  6. Install and configure the AWS CLI by following this guide.

Create a request for a Let's Encrypt certificate

Management console
  1. Go to the management console.
  2. Select Certificate Manager.
  3. Click Add certificate.
  4. In the menu that opens, select Let's Encrypt certificate.
  5. In the window that opens, enter a name for the certificate.
  6. (Optional) Add a description for the certificate.
  7. In the Domains field, specify the domains you want to issue the certificate for.
  8. Select HTTP as the domain rights check type.
  9. Click Create.

Passing the domain rights check

Creating a check file

Management console
  1. In the management console, select Certificate Manager.
  2. Select a certificate with the Validating status in the list and click it.
  3. Under Check rights for domains:
    1. Copy the URL from the Link for hosting file field:
      • The http://example.com/.well-known/acme-challenge/ part of the link is the file path.
      • The second part, rG1Mm1bJ..., is the file name you should use.
    2. Copy the value of the Contents field into the file.

Uploading the file and performing the check

Management console
  1. In the management console, select Object Storage.

  2. On the Buckets tab, click the bucket with the same name as the domain.

  3. At the top right, click Create folder and create a directory named .well-known.

  4. Under .well-known, create the acme-challenge directory.

  5. In acme-challenge, click Upload.

  6. In the window that opens, select the file with a record and click Open.

  7. Click Upload.

  8. Wait until the certificate's status changes to Issued.

    For more information on the status, see the certificate page. To do this, click Viewing logs next to Validation.

  9. Go to acme-challenge.

  10. Click to the right of the file and select Delete.

  11. Confirm the deletion.

AWS CLI
  1. Upload your file to the bucket so that it resides in the .well-known/acme-challenge subdirectory:

    aws --endpoint-url=https://storage.yandexcloud.net \
      s3 cp <file_name> s3://<bucket_name>/.well-known/acme-challenge/<file_name>
    
  2. Wait until the certificate's status changes to Issued.

  3. Delete the file you created from the bucket:

    aws --endpoint-url=https://storage.yandexcloud.net \
       s3 rm s3://<bucket_name>/.well-known/acme-challenge/<file_name>
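
The AWS CLI steps above combined into one script, as an added example that is not part of the original guide or Yandex Cloud's tooling: it derives the object key from the Link for hosting file URL, rejects a URL that does not match the expected path, uploads the Contents value, and confirms the file is served unchanged before you wait for the Issued status. The function names, the `ENDPOINT` variable and the script name in the usage comment are hypothetical; `curl` is assumed to be installed.

```shell
#!/usr/bin/env bash
# Added example, not part of the original guide. Function names are hypothetical.
ENDPOINT="https://storage.yandexcloud.net"

# Map the "Link for hosting file" URL to the object key to upload. Accepts only
# http://<domain>/.well-known/acme-challenge/<token>, where <token> is limited
# to the base64url alphabet, so a mistyped or tampered URL cannot point the
# upload at another path in the public bucket.
challenge_key() {
  local LC_ALL=C url="$1" domain="$2" prefix token
  prefix="http://${domain}/.well-known/acme-challenge/"
  case "$url" in
    "$prefix"*) token="${url#"$prefix"}" ;;
    *) return 1 ;;
  esac
  case "$token" in
    "" | *[!A-Za-z0-9_-]*) return 1 ;;
  esac
  printf '.well-known/acme-challenge/%s\n' "$token"
}

# Upload the check file, fetch it back over HTTP the way the validator will,
# and print the object URI to delete once the certificate status is Issued.
# The bucket name equals the domain, as the guide requires.
publish_challenge() {
  local domain="$1" url="$2" contents="$3" key tmp served
  key="$(challenge_key "$url" "$domain")" || { echo "unexpected check URL" >&2; return 1; }
  tmp="$(mktemp)" || return 1
  printf '%s' "$contents" > "$tmp"
  aws --endpoint-url="$ENDPOINT" s3 cp "$tmp" "s3://${domain}/${key}" || { rm -f "$tmp"; return 1; }
  rm -f "$tmp"
  served="$(curl -fsS "$url")" || return 1
  [ "$served" = "$contents" ] || { echo "served content differs" >&2; return 1; }
  echo "s3://${domain}/${key}"
}

# Delete the check file after issuance; takes the URI printed by publish_challenge.
remove_challenge() {
  aws --endpoint-url="$ENDPOINT" s3 rm "$1"
}

# Usage: ./publish-check.sh <domain> <link_for_hosting_file> <contents>
if [ "$#" -eq 3 ]; then publish_challenge "$@"; fi
```

Run `remove_challenge` with the printed URI only after the certificate status is Issued, so the check file does not stay in the public bucket.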
    

Warning

To renew a certificate, you have to perform certain actions. Keep track of the lifecycle of your certificates to renew them on time. For more information, see Renew a certificate.

Set up static website access over HTTPS

Management console
  1. Log in to the management console.
  2. Select Object Storage.
  3. On the Buckets tab, click the bucket with the same name as the domain.
  4. In the left-hand panel, select Security.
  5. Go to the HTTPS tab.
  6. Click Configure at the top right.
  7. In the Source field, select Certificate Manager.
  8. In the Certificate field, select the certificate from the list that opens.
  9. Click Save.

See also

  • Certificate from Let's Encrypt
  • Checking rights for a domain
  • Set up HTTPS in a bucket
