To request a new certificate, follow the steps below in the LoadMaster UI:

  1. In the main menu, go to Certificates & Security > ACME Certificates.
  2. Click Request New Certificate to request a new certificate from the Let's Encrypt CA.
    Note: All fields on the Request a New Certificate screen are optional except for Certificate Identifier and Common Name (and you must select a Virtual Service next to the Common Name field). Wildcard certificates are also supported. For further details, refer to the following section: Request a Wildcard Certificate.
  3. Enter the unique identifier for your certificate in the Certificate Identifier field.
    Note: The Certificate Identifier value must be unique for all certificates on the LoadMaster.
  4. Enter the Fully Qualified Domain Name (FQDN) of your web server in the Common Name field. The FQDN is case-insensitive.
    Note: Certificates are only issued to valid hosting domains that you have control over.
  5. Select the Virtual Service that is used for this domain. This will be used for the validation challenge to prove ownership of the domain.
    Note: An HTTP/HTTPS Layer 7 Virtual Service must be already configured with the ability to add a SubVS (so it should not have any Real Servers added to the parent Virtual Service - but if there are existing SubVSs they can have Real Servers attached). For instructions on how to convert an existing Virtual Service with Real Servers attached to one with SubVSs with Real Servers attached, refer to the Convert a Virtual Service with Real Servers to one with SubVSs section.
    An HTTP Redirect VS must be configured to redirect all port 80 requests to 443 because Let's Encrypt communicates on port 80 to perform the HTTP-01 challenge.
    All valid Virtual Services that meet the criteria are listed in the drop-down list.
  6. Optional: Enter the 2 Letter Country Code that should be included in the certificate.
    Note: If using Let's Encrypt, the fields from 2 Letter Country Code to Email Address are truncated.
    Note: For a list of valid country codes, refer to the following page: SSL Certificate Country Codes.
  7. Optional: Enter the State/Province that should be included in the certificate.
    Note: Enter the full name, for example New York (not NY).
  8. Optional: Enter the City that should be included in the certificate.
  9. Optional: Enter the name of the Company that should be included in the certificate.
  10. Optional: Enter the department or organizational unit that should be included in the certificate in the Organization field.
  11. Optional: Enter the Email Address of the person or organization that should be contacted regarding this certificate.
  12. Optional: Enable or disable the Generate Elliptic Curve Request check box.
    Note: If this is enabled, an Elliptic Curve request is generated instead of an RSA request.
  13. Optional: Select the key algorithm size from the Key Size drop-down list.
    Note: If you are generating an Elliptic Curve (EC) request, the Key Size drop-down is grayed out. The default size of 256 Bits is used for EC requests. If you are generating an RSA request, you can specify the Key Size.
  14. Optional: Enter the Subject Alternate Name (SAN) in the SAN/UCC Names field.
    Note: This must be a valid domain. Up to 10 SANs can be specified.
  15. Optional: Select the relevant Virtual Service.
    Note: For every SAN you must select an HTTP/HTTPS Layer 7 Virtual Service (you can use the same Virtual Service). For each SAN you must prove your authority to the Let's Encrypt server. An HTTP/HTTPS Virtual Service must be already configured with the ability to add a SubVS (so it should not have any Real Servers added to the parent Virtual Service - but if there are existing SubVSs they can have Real Servers attached). For instructions on how to convert an existing Virtual Service with Real Servers attached to one with SubVSs with Real Servers attached, refer to the Convert a Virtual Service with Real Servers to one with SubVSs section.
    All valid Virtual Services that meet the criteria are listed in the drop-down list.
  16. Click Request Certificate.
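
A pre-flight check for the request fields described in the steps above, as an added example that is not Kemp's code and does not call the LoadMaster API. The dictionary keys, the `is_fqdn` and `preflight` names, and the sample values are assumptions made for illustration; `eligible_vs` stands for the Virtual Services that the drop-down list would offer.

```python
import re

MAX_SANS = 10  # "Up to 10 SANs can be specified"
# One DNS label: letters, digits, hyphens; no hyphen at either end; 1-63 chars.
LABEL = re.compile(r"(?!-)[a-z0-9-]{1,63}(?<!-)")

def is_fqdn(name):
    """Syntactic FQDN check; a leading '*.' wildcard label is accepted."""
    name = name.lower().rstrip(".")
    if name.startswith("*."):
        name = name[2:]
    labels = name.split(".")
    return (len(name) <= 253 and len(labels) >= 2
            and all(LABEL.fullmatch(label) for label in labels))

def preflight(req, existing_ids, eligible_vs):
    """Return the list of problems in a request; an empty list means ready."""
    problems = []
    ident = req.get("identifier", "")
    if not ident:
        problems.append("Certificate Identifier is required")
    elif ident in existing_ids:
        problems.append(f"Certificate Identifier {ident!r} is already in use")
    sans = req.get("sans", {})
    if len(sans) > MAX_SANS:
        problems.append(f"{len(sans)} SANs given, at most {MAX_SANS} allowed")
    # Every name, Common Name included, needs its own challenge Virtual Service.
    names = [(req.get("common_name", ""), req.get("virtual_service"))]
    names += list(sans.items())
    seen = set()
    for name, vs in names:
        key = name.lower().rstrip(".")
        if not is_fqdn(name):
            problems.append(f"{name!r} is not a valid FQDN")
        elif key in seen:  # assumption: repeats are flagged as a likely typo
            problems.append(f"{name!r} repeats another name (case-insensitive)")
        seen.add(key)
        if vs not in eligible_vs:
            problems.append(f"{name!r}: Virtual Service {vs!r} is not eligible")
    country = req.get("country")
    if country is not None and not re.fullmatch(r"[A-Za-z]{2}", country):
        problems.append("Country Code must be exactly 2 letters")
    return problems

# Constructed sample request (example.com names, private address).
SAMPLE = {"identifier": "www-example", "common_name": "WWW.Example.com",
          "virtual_service": "10.0.0.10:443", "country": "US",
          "sans": {"api.example.com": "10.0.0.10:443"}}

if __name__ == "__main__":
    print(preflight(SAMPLE, {"old-cert"}, {"10.0.0.10:443"}))
```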

A list of issued certificates and related details is displayed at the bottom of the Let's Encrypt Certs screen. The HTTP Challenge VS(s) column lists the Virtual Service (or Services) that were used for the HTTP challenge. These are not the Virtual Services that the certificates are assigned to.

Once the certificate is issued successfully, it will be listed in Certificates & Security > SSL Certificates. You can then assign it to any HTTPS Virtual Service or use it as an administrative certificate.

Note: When manually assigning a new certificate to a Virtual Service for the first time, the Virtual Service will restart, so we recommend doing this outside of working hours.

When Let's Encrypt certificates are renewed, the Virtual Services that have the certificate assigned will be automatically updated with the renewed certificate.

Note: Automatic renewal and updating of certificates is seamless and does not affect Virtual Service traffic.

Each certificate is automatically renewed when the number of days specified in the Renew Period remain before its expiry date. You can manually renew the certificate by clicking Renew Certificate.

You can also delete a certificate associated with the domain by clicking Delete Certificate.

Note: If the certificate is used (for example if it is assigned in a Virtual Service or used as an administrative certificate) the Delete Certificate button is grayed out.

You cannot delete or replace Let's Encrypt certificates from the SSL Certificates screen. You can only delete or replace Let's Encrypt certificates from the Let's Encrypt Certs screen. The Replace Certificate and Delete Certificate buttons are grayed out on the SSL Certificates screen for Let's Encrypt certificates.