Contact UsTry it for free
© 2026 Direct Cursus Technology L.L.C.

Adding a Let's Encrypt® certificate

Written by
Updated at May 5, 2026

You can only use a certificate from Certificate Manager in the specific Yandex Cloud services.

Adding a new certificate

  1. In the management console, select the folder to add your certificate to.

  2. Navigate to Certificate Manager.

  3. Click Add certificate.

  4. In the menu that opens, select Let's Encrypt certificate.

  5. In the window that opens, enter a name for your certificate in the Name field.

  6. Optionally, in the Description field, describe the certificate.

  7. In the Domains field, list the domains to issue a certificate for.

    Domain names may contain a mask, e.g., *.example.com. If so, select DNS as the type of domain rights check. For more information, see Domain rights check.

  8. Select the type of domain rights check: DNS or HTTP.

  9. Click Create.

If you do not have the Yandex Cloud CLI yet, install and initialize it.

The folder used by default is the one specified when creating the CLI profile. To change the default folder, use the yc config set folder-id <folder_ID> command. You can also specify a different folder for any command using --folder-name or --folder-id. If you access a resource by its name, the search will be limited to the default folder. If you access a resource by its ID, the search will be global, i.e., through all folders based on access permissions.

  1. View the command description:

    yc certificate-manager certificate request --help

  2. Run this command:

    yc certificate-manager certificate request \
  --name mymanagedcert \
  --domains example.com

    Where:

    • --name: Certificate name
    • --domains: Certificate domains

    Result:

    id: fpq6gvvm6piu********
folder_id: b1g7gvsi89m3********
created_at: "2020-09-15T08:49:11.533771Z"
...
- example.com
status: VALIDATING
updated_at: "2020-09-15T08:49:11.533771Z"

If you do not have Terraform yet, install it and configure the Yandex Cloud provider.

  1. In the Terraform configuration file, describe the resource you want to create:

    resource "yandex_cm_certificate" "le-certificate" {
  name    = "<certificate_name>"
  domains = ["<domain>"]

  managed {
  challenge_type = "<check_type>"
  }
}

    Where:

    • domains: List of domains you need to create a certificate for.
    • challenge_type: Type of domain rights check the domain owner should pass. The possible values are:
      • DNS_CNAME: Create a DNS record in CNAME format with the specified value. We recommend this method for automatic certificate renewal.
      • DNS_TXT: Create a DNS record in TXT format with the specified value.
      • HTTP: Place the specified value in the specified URL.

    For more information about the yandex_cm_certificate properties, see this Terraform provider guide.

  2. Create the resources:

    1. In the terminal, navigate to the configuration file directory.

    2. Make sure the configuration is correct using this command:

      terraform validate

      If the configuration is valid, you will get this message:

      Success! The configuration is valid.

    3. Run this command:

      terraform plan

      You will see a list of resources and their properties. No changes will be made at this step. Terraform will show any errors in the configuration.

    4. Apply the configuration changes:

      terraform apply

    5. Type yes and press Enter to confirm the changes.

This will create a certificate in the specified folder. You can check the new certificate and its settings using the management console or this CLI command:

yc certificate-manager certificate get <certificate_name>

To add a certificate, use the requestNew REST API method for the Certificate resource or the CertificateService/RequestNew gRPC API call.

A new certificate with the Validating status will appear in the certificate list. This status means that a request for issuing a Let's Encrypt® certificate has been created. You need to pass your domain rights checks for the request to be processed.

Note

For a successful DNS domain rights check based on a CNAME record, make sure the _acme-challenge subdomain of the domain name you are checking has no other resource records except CNAME. For example, for the _acme-challenge.example.com. domain name, there should only be a CNAME record and no TXT record.

Viewing the certificate issue status

You can view the certificate issue status and possible issue errors in the management console:

  1. Navigate to Certificate Manager.

  2. Select the certificate from the list.

    You can find the certificate's current issue status next to the Validation field.

  3. To view the status description and outcome, click Show logs.

    For more information about the certificate issue statuses, see Let's Encrypt certificate.

See also

Previous
All guides
Next
Getting the contents of a certificate