Get your free SSL certificate in minutes

A TXT record is a small text entry in your domain's DNS. Beacon gives you two short values to add through your DNS provider's control panel; Let's Encrypt then looks them up to prove you control the domain. Once the certificate is issued you can delete them.

Yes. Beacon exposes the same flow over an MCP endpoint (POST /mcp) and a plain JSON API (POST /api/<tool_name>). Both surfaces share one tool registry, so an agent can create an order, check DNS propagation, validate, issue, and renew without driving the web UI.

Yes. Beacon issues certificates from Let's Encrypt, a free, automated certificate authority trusted by all major browsers and operating systems. The certificate you download works exactly like a paid one - visitors see the padlock, with no warnings.

The passphrase encrypts the certificate bundle you download so it can travel safely over the network and sit on your machine without exposing the private key. Pick anything at least 8 characters long. Beacon never stores it - you'll re-enter it on the server where you install the certificate.

A .p12 (PKCS#12) bundle holds your certificate, the intermediate chain, and your private key in one passphrase-protected file. nginx, Apache, IIS, macOS Keychain, and most other servers import it directly.

Your downloaded .p12 bundle imports directly into nginx, Apache, Caddy, IIS, macOS Keychain, and most other servers. You'll enter the passphrase you chose to unlock it on the machine where you install it.

No. Beacon issues a single certificate that covers your domain and its www. variant - nothing else. If you need a wildcard or many subdomains, use a tool like acme.sh or certbot.

Yes. Enter the full hostname, like app.example.com, and Beacon issues a certificate for it (plus its www. version). Beacon handles one hostname per request and doesn't do wildcards, so for many subdomains, run the flow for each or use a tool like certbot.

Let's Encrypt certificates are valid for 90 days. Beacon doesn't auto-renew - come back and run the flow again when it's time. To avoid tracking the date yourself, TLS Radar (free) watches your certificates and emails you well before they expire.

Set up TLS Radar, our free monitoring tool. It keeps an eye on every certificate you own and sends you an alert in plenty of time, so nothing expires by surprise. You can add this certificate in about a minute at tlsradar.com.

TLS Radar is our companion service for keeping certificates healthy after Beacon issues them. It monitors expiry dates, scans for misconfigurations and security issues, and sends alerts and weekly reports across all your domains. It has a free tier - see tlsradar.com.

Beacon issues one certificate at a time. To watch all of your certificates and domains in one place - with expiry alerts, security scans, and compliance reports - use TLS Radar. The free tier covers your first domains; paid plans add more domains and team features.

Only what's needed to drive the order: the domain, the email you entered, the DNS challenge values, and the order's state. Your private key is generated in memory at download time and never written to disk, logs, or the database.

No catch. Beacon is free and always will be. We also build TLS Radar, a paid SSL/TLS monitoring service with a generous free tier - Beacon is simply how we introduce ourselves. You're never required to sign up for anything to get your certificate.