CA

ignoramous edited this page Nov 11, 2021 · 16 revisions

Using CA

ZeroSSL doesn't have rate limits. One can issue unlimited TLS/SSL certificates, each valid for 90 days (ref).

Note: Since v3, acme.sh uses ZeroSSL as the default Certificate Authority (CA). A one-time account registration is required before one can issue new certs. See also:

1. Register your account.

1a. With an email address:

    acme.sh --register-account -m <your-email-address> --server zerossl

1b. With EAB credentials

Alternatively, if you sign up for a ZeroSSL account, bootstrap with External Account Binding (EAB) credentials, like so:

  1. Generate your EAB credentials from
  2. Register your EAB credentials:

        acme.sh --register-account --server zerossl \
            --eab-kid xxxxxxxxxxxx \
            --eab-hmac-key xxxxxxxxx

Users with a ZeroSSL account can manage issued certificates from the developer console.

2. Issue certificates

Use acme.sh with --server zerossl:

    acme.sh --server zerossl \
        --issue -d <your-domain> \
        --dns dns_cf

If you don't want to specify --server zerossl every time you issue a cert, you can set zerossl as the default CA:

    acme.sh --set-default-ca --server zerossl

You can then issue any cert from zerossl without having to specify --server:

    acme.sh --issue -d <your-domain> --dns dns_cf

3. Troubleshooting

Le_OrderFinalize: A KeyID must be specified

If certificate issuance fails and you see something like this in the logs:

[XYZ 18 09:50:07 -02 2020] Create new order error. Le_OrderFinalize not found. 
{"type":"urn:ietf:params:acme:error:malformed","status":400,"detail":"A Key ID MUST be specified"}

then re-generate your EAB credentials (refer to step #2) and re-run certificate issuance. See: