Certes 3.0.4

dotnet add package Certes --version 3.0.4
NuGet\Install-Package Certes -Version 3.0.4
This command is intended to be used within the Package Manager Console in Visual Studio, as it uses the NuGet module's version of Install-Package.
<PackageReference Include="Certes" Version="3.0.4" />
For projects that support PackageReference, copy this XML node into the project file to reference the package.
paket add Certes --version 3.0.4
#r "nuget: Certes, 3.0.4"
#r directive can be used in F# Interactive and Polyglot Notebooks. Copy this into the interactive tool or source code of the script to reference the package.
// Install Certes as a Cake Addin
#addin nuget:?package=Certes&version=3.0.4

// Install Certes as a Cake Tool
#tool nuget:?package=Certes&version=3.0.4


Certes is an ACME client runs on .NET 4.5+ and .NET Standard 2.0+, supports ACME v2 and wildcard certificates. It is aimed to provide an easy to use API for managing certificates during deployment processes.


Install Certes nuget package into your project:

Install-Package Certes

or using .NET CLI:

dotnet add package Certes

Let's Encrypt is the primary CA we supported. It's recommend testing against staging environment before using production environment, to avoid hitting the rate limits.


Creating new ACME account:

var acme = new AcmeContext(WellKnownServers.LetsEncryptStagingV2);
var account = await acme.NewAccount("admin@example.com", true);

// Save the account key for later use
var pemKey = acme.AccountKey.ToPem();

Use an existing ACME account:

// Load the saved account key
var accountKey = KeyFactory.FromPem(pemKey);
var acme = new AcmeContext(WellKnownServers.LetsEncryptStagingV2, accountKey);
var account = await acme.Account();

See API doc for additional operations.


Place a wildcard certificate order (DNS validation is required for wildcard certificates)

var order = await acme.NewOrder(new[] { "*.your.domain.name" });

Generate the value for DNS TXT record

var authz = (await order.Authorizations()).First();
var dnsChallenge = await authz.Dns();
var dnsTxt = acme.AccountKey.DnsTxt(dnsChallenge.Token);

Add a DNS TXT record to _acme-challenge.your.domain.name with dnsTxt value.

For non-wildcard certificate, HTTP challenge is also available

var order = await acme.NewOrder(new[] { "your.domain.name" });


Get the token and key authorization string

var authz = (await order.Authorizations()).First();
var httpChallenge = await authz.Http();
var keyAuthz = httpChallenge.KeyAuthz;

Save the key authorization string in a text file, and upload it to http://your.domain.name/.well-known/acme-challenge/<token>


Ask the ACME server to validate our domain ownership

await challenge.Validate();


Download the certificate once validation is done

var privateKey = KeyFactory.NewKey(KeyAlgorithm.ES256);
var cert = await order.Generate(new CsrInfo
    CountryName = "CA",
    State = "Ontario",
    Locality = "Toronto",
    Organization = "Certes",
    OrganizationUnit = "Dev",
    CommonName = "your.domain.name",
}, privateKey);

Export full chain certification

var certPem = cert.ToPem();

Export PFX

var pfxBuilder = cert.ToPfx(privateKey);
var pfx = pfxBuilder.Build("my-cert", "abcd1234");

Check the APIs for more details.

For ACME v1, please see the doc here.


The CLI is available as a dotnet global tool. .NET Core Runtime 2.1+ is required to use dotnet tools.

To install Certes CLI (you may need to restart the console session if this is the first dotnet tool installed)

dotnet tool install --global dotnet-certes

See CLI usage, or simply use the --help option to get started

certes --help

Also check this AppVeyor script for renewing certificates on Azure apps.


We use SemVer for versioning. For the versions available, see the tags on this repository.

Also check the changelog to see what's we are working on.

CI Status

NuGet NuGet NuGet NuGet

AppVeyor AppVeyor codecov BCH compliance

Product Compatible and additional computed target framework versions.
.NET net5.0 was computed.  net5.0-windows was computed.  net6.0 is compatible.  net6.0-android was computed.  net6.0-ios was computed.  net6.0-maccatalyst was computed.  net6.0-macos was computed.  net6.0-tvos was computed.  net6.0-windows was computed.  net7.0 was computed.  net7.0-android was computed.  net7.0-ios was computed.  net7.0-maccatalyst was computed.  net7.0-macos was computed.  net7.0-tvos was computed.  net7.0-windows was computed.  net8.0 was computed.  net8.0-android was computed.  net8.0-browser was computed.  net8.0-ios was computed.  net8.0-maccatalyst was computed.  net8.0-macos was computed.  net8.0-tvos was computed.  net8.0-windows was computed. 
.NET Core netcoreapp2.0 was computed.  netcoreapp2.1 was computed.  netcoreapp2.2 was computed.  netcoreapp3.0 was computed.  netcoreapp3.1 was computed. 
.NET Standard netstandard2.0 is compatible.  netstandard2.1 was computed. 
.NET Framework net461 was computed.  net462 is compatible.  net463 was computed.  net47 was computed.  net471 was computed.  net472 was computed.  net48 was computed.  net481 was computed. 
MonoAndroid monoandroid was computed. 
MonoMac monomac was computed. 
MonoTouch monotouch was computed. 
Tizen tizen40 was computed.  tizen60 was computed. 
Xamarin.iOS xamarinios was computed. 
Xamarin.Mac xamarinmac was computed. 
Xamarin.TVOS xamarintvos was computed. 
Xamarin.WatchOS xamarinwatchos was computed. 
Compatible target framework(s)
Included target framework(s) (in package)
Learn more about Target Frameworks and .NET Standard.

NuGet packages (29)

Showing the top 5 NuGet packages that depend on Certes:

Package Downloads

Provides API for configuring ASP.NET Core to automatically generate HTTPS certificates. This configures your server to use the ACME protocol to connect with a certificate authority (CA), such as Let's Encrypt (https://letsencrypt.org), to verify ownership of your domain name and generate a HTTPS certificate. This happens automatically when the server starts up, and will renew the certificate automatically when the expiration date is near. This only works with Kestrel, which is the default server configuration for ASP.NET Core projects. Other servers, such as IIS and nginx, are not supported.

FluffySpoon.AspNet.LetsEncrypt The ID prefix of this package has been reserved for one of the owners of this package by NuGet.org.

Package Description


Provides Middleware and services to request and store certificates from the Let's Encrypt service for ASP.NET Core applications


Package Description


ACME wrapper for the data exchange server.

GitHub repositories (8)

Showing the top 5 popular GitHub repositories that depend on Certes:

Repository Stars
Free, automatic HTTPS certificate generation for ASP.NET Core web apps
Azure Web App Site Extension for easy installation and configuration of Let's Encrypt issued SSL certifcates for custom domain names.
Exploring a new web architecture with React, Redux, Orleans and Dotnet Core
Version Downloads Last updated
3.0.4 191,790 1/4/2023
3.0.3 218,737 10/4/2021
3.0.0 115,519 7/18/2021
2.3.4 368,567 3/27/2020
2.3.3 355,629 12/17/2018
2.3.2 65,602 10/20/2018
2.3.1 1,818 10/16/2018
2.3.0 19,091 6/15/2018
2.2.2 2,350 5/31/2018
2.2.1 2,374 5/15/2018
2.2.0 3,117 5/5/2018
2.1.0 2,185 4/28/2018
2.0.1 2,945 3/17/2018
2.0.0 2,184 3/13/2018
1.1.4 2,882 3/4/2018
1.1.3 8,175 11/23/2017
1.1.2 3,909 9/28/2017
1.1.0 3,740 8/17/2017
1.0.7 8,907 7/20/2017 3,392 4/4/2017 2,158 3/29/2017 2,106 3/29/2017 2,157 12/22/2016 2,254 7/13/2016 2,240 7/6/2016 2,366 7/6/2016