GetHTTPS is a browser-based ACME client that issues free HTTPS certificates from Let’s Encrypt — without any server-side component.
The architecture
Traditional ACME clients like certbot and acme.sh run on your server. They need shell access, root permissions, and often a cron job to renew certificates.
GetHTTPS takes a different approach: everything runs in your browser tab. Your private key is generated locally with the Web Crypto API and never leaves the page.
How the flow works
- Account key generation — A P-256 ECDSA key pair is created in-browser using crypto.subtle.generateKey(). This key identifies your ACME account.
- Account registration — The public key is registered with Let’s Encrypt’s ACME API. Each request is signed with JWS (JSON Web Signature).
- Order creation — You specify which hostnames the certificate should cover. Let’s Encrypt returns a set of challenges.
- Challenge completion — For each hostname, you complete either an HTTP-01 challenge (place a file on your server) or a DNS-01 challenge (add a TXT record).
- Pre-check verification — Before submitting to Let’s Encrypt, GetHTTPS checks your challenge configuration from the public internet. This catches typos before they burn a rate limit attempt.
- Certificate issuance — Once challenges pass, a separate certificate key pair is generated, a CSR (Certificate Signing Request) is built, and the order is finalized. Let’s Encrypt returns the signed certificate chain.
- Download — You download privkey.pem, cert.pem, chain.pem, and fullchain.pem and deploy them to your server.
Security model
GetHTTPS is designed so that even we can’t access your private keys.
Private keys never leave the browser
Every key — account key and certificate key — is generated using the browser’s Web Crypto API (crypto.subtle.generateKey()). The key material exists only in JavaScript memory within your tab. It’s never serialized to disk, never sent over the network, and never accessible to gethttps.com.
When you click “Download”, the PEM file is created client-side with URL.createObjectURL() and handed to you as a download. The file goes from memory to your filesystem — it never touches our servers.
No backend, no proxy
Traditional certificate tools run a server-side process. That means your private key exists on a server you might not control.
GetHTTPS has no backend. The site is static HTML, CSS, and JavaScript. Your browser makes ACME requests directly to acme-v02.api.letsencrypt.org. We don’t proxy, inspect, or log these requests.
What we do and don’t see
| | We see | We don’t see |
|---|---|---|
| Your private keys | ✗ | ✓ (browser only) |
| Your domains | ✗ | ✓ (sent to Let’s Encrypt directly) |
| ACME requests | ✗ | ✓ (browser → Let’s Encrypt) |
| Challenge tokens | ✗ | ✓ (generated in-browser) |
| Your email | ✗ | ✓ (sent to Let’s Encrypt only) |
DNS pre-checks
For challenge verification, GetHTTPS queries public DNS resolvers (via Google’s DNS-over-HTTPS API). These queries contain only the domain name and expected TXT record — no private data.
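The comparison behind a DNS-01 pre-check, as an added example that is not GetHTTPS source code: it derives the TXT value defined by RFC 8555 section 8.4 from a challenge token and the account key's RFC 7638 thumbprint, then checks it against a DoH JSON answer. The function names, token, hostname and reply objects are constructed for illustration, and the reply shape (Answer[] entries with name, type and data) is assumed to follow Google's JSON API.

```javascript
// Added example (not GetHTTPS code). Runs in a browser or in Node.
const { subtle } = globalThis.crypto ?? require("node:crypto").webcrypto;

const b64url = (buf) =>
  btoa(String.fromCharCode(...new Uint8Array(buf)))
    .replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
const sha256 = (text) => subtle.digest("SHA-256", new TextEncoder().encode(text));

// RFC 7638 thumbprint of an EC public JWK: required members only,
// in lexicographic order, serialized without whitespace.
async function jwkThumbprint({ crv, kty, x, y }) {
  return b64url(await sha256(JSON.stringify({ crv, kty, x, y })));
}

// RFC 8555 section 8.4: TXT value = base64url(SHA-256(token "." thumbprint)).
async function expectedTxtValue(token, accountJwk) {
  return b64url(await sha256(`${token}.${await jwkThumbprint(accountJwk)}`));
}

// Compare the expected value with TXT answers (type 16) from a DoH JSON reply.
// A wildcard order for *.example.com is validated at _acme-challenge.example.com.
function precheck(host, expected, dohJson) {
  const name = `_acme-challenge.${host.replace(/^\*\./, "")}`.toLowerCase();
  const found = (dohJson.Answer ?? [])
    .filter((rr) => rr.type === 16 && rr.name.replace(/\.$/, "").toLowerCase() === name)
    .map((rr) => rr.data.replace(/^"|"$/g, "")); // resolvers may quote TXT data
  return { name, found, ok: found.includes(expected) };
}

// Constructed inputs: throwaway account key, sample token, hand-built DoH replies.
async function demo() {
  const alg = { name: "ECDSA", namedCurve: "P-256" };
  const { publicKey } = await subtle.generateKey(alg, true, ["sign", "verify"]);
  const jwk = await subtle.exportKey("jwk", publicKey);
  const expected = await expectedTxtValue("constructed-sample-token", jwk);
  const reply = (data) => ({
    Status: 0,
    Answer: [{ name: "_acme-challenge.example.com.", type: 16, TTL: 300, data }],
  });
  return {
    expected,
    good: precheck("*.example.com", expected, reply(`"${expected}"`)),
    typo: precheck("example.com", expected, reply(expected.slice(0, -1))),
    empty: precheck("example.com", expected, { Status: 3 }),
  };
}
```

A record that is one character short, or missing entirely, fails the comparison locally, which is the kind of mistake the pre-check is meant to catch before a validation attempt is spent.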
Threat model
What we protect against:
- Key theft via server compromise (no server to compromise)
- Man-in-the-middle on key material (keys never leave the tab)
- Data harvesting (no analytics by default, no backend logging)
What we don’t protect against:
- A compromised browser (if your browser is compromised, all bets are off)
- A compromised DNS provider (if an attacker controls your DNS, they can issue certificates via DNS-01)
- Browser extensions that can read page memory
What about renewals?
Let’s Encrypt certificates are valid for 90 days. To renew, come back and run through the same flow. Your account key (if saved) will be recognized, so you don’t need to re-register.
For automated renewals, consider a server-side client like certbot. GetHTTPS is designed for manual, one-time issuance where you want full control and transparency.