# Backing up certificates

## Saving a certificate {#backup}

To save a certificate:
1. Get the certificate ID.

   {% list tabs group=instructions %}

   - Management console {#console}

     1. In the [management console](https://console.yandex.cloud), select the [folder](../../resource-manager/concepts/resources-hierarchy.md#folder) containing the certificate.
     1. Navigate to **Certificate Manager**.
     1. Copy the **ID** field data for the certificate you want to save.

   - CLI {#cli}

     If you do not have the Yandex Cloud CLI yet, [install and initialize it](../../cli/quickstart.md#install).

     The folder used by default is the one specified when [creating](../../cli/operations/profile/profile-create.md) the CLI profile. To change the default folder, use the `yc config set folder-id <folder_ID>` command. You can also specify a different folder for any command using `--folder-name` or `--folder-id`. If you access a resource by its name, the search will be limited to the default folder. If you access a resource by its ID, the search will be global, i.e., through all folders based on access permissions.

     1. View the description of the CLI command for getting a list of certificates:

        ```bash
        yc cm certificate list --help
        ```

     1. Run this command:

        ```bash
        yc cm certificate list
        ```

   - API {#api}

     To get the certificate ID, use the [list](../api-ref/Certificate/list.md) REST API method for the [Certificate](../api-ref/Certificate/index.md) resource or the [CertificateService/List](../api-ref/grpc/Certificate/list.md) gRPC API call.


   {% endlist %}

1. Get the certificate contents.

   {% list tabs group=instructions %}

   - CLI {#cli}

     If you do not have the Yandex Cloud CLI yet, [install and initialize it](../../cli/quickstart.md#install).

     The folder used by default is the one specified when [creating](../../cli/operations/profile/profile-create.md) the CLI profile. To change the default folder, use the `yc config set folder-id <folder_ID>` command. You can also specify a different folder for any command using `--folder-name` or `--folder-id`. If you access a resource by its name, the search will be limited to the default folder. If you access a resource by its ID, the search will be global, i.e., through all folders based on access permissions.

     1. View the description of the CLI command for getting certificate contents:

        ```bash
        yc cm certificate content --help
        ```

     1. Run this command:

        ```bash
        yc cm certificate content \
          --id <certificate_ID> \
          --chain <path_to_certificate_chain_file> \
          --key <path_to_private_key_file>
        ...
        ```

   - API {#api}

     To get the certificate contents, use the [get](../api-ref/CertificateContent/get.md) REST API method for the [CertificateContent](../api-ref/CertificateContent/index.md) resource or the [CertificateContentService/Get](../api-ref/grpc/CertificateContent/get.md) gRPC API call.

   {% endlist %}

   Put the resulting files in a secure long-term storage.
1. Repeat the steps for each certificate you want to back up.

## Restoring a certificate {#restore}

{% note info %}

You cannot restore an expired certificate.

{% endnote %}

To restore a user certificate from the certificate chain and key files:
1. Prepare the files with the certificate contents.
1. Import the certificate.

   {% list tabs group=instructions %}

   - Management console {#console}

     1. In the [management console](https://console.yandex.cloud), select the folder the certificate will be restored to.
     1. Navigate to **Certificate Manager**.
     1. Click **Add certificate**.
     1. In the menu that opens, select **User certificate**.
     1. In the window that opens, enter a name for your certificate in the **Name** field.
     1. Optionally, in the **Description** field, describe the certificate.
     1. In the **Intermediate certificate chain** field, click **Add chain**.
        1. Choose how to add it: `File`.
        1. Click **Attach file** and specify the certificate chain file.
        1. Click **Add**.
     1. In the **Private key** field, click **Add private key**.
        1. Choose how to add it: `File` or `Text`.
        1. Click **Attach file** and specify the private key file.
        1. Click **Add**.
     1. Click **Create**.

   - CLI {#cli}

     If you do not have the Yandex Cloud CLI yet, [install and initialize it](../../cli/quickstart.md#install).

     The folder used by default is the one specified when [creating](../../cli/operations/profile/profile-create.md) the CLI profile. To change the default folder, use the `yc config set folder-id <folder_ID>` command. You can also specify a different folder for any command using `--folder-name` or `--folder-id`. If you access a resource by its name, the search will be limited to the default folder. If you access a resource by its ID, the search will be global, i.e., through all folders based on access permissions.

     1. View the command description:

        ```bash
        yc cm certificate create --help
        ```

     1. Run this command:

        ```bash
        yc cm certificate create \
          --name <certificate_name> \
          --chain <path_to_certificate_chain_file> \
          --key <path_to_private_key_file>
        ...
        ```

   - API {#api}

     To import a certificate, use the [create](../api-ref/Certificate/create.md) REST API method for the [Certificate](../api-ref/Certificate/index.md) resource or the [CertificateService/Create](../api-ref/grpc/Certificate/create.md) gRPC API call.

   {% endlist %}

   The ID of the restored certificate will be different from the ID the certificate had upon saving.
1. Repeat the steps for each certificate you want to restore.

If you restore a saved [Let's Encrypt certificate](../concepts/managed-certificate.md), it becomes a [custom](../concepts/imported-certificate.md) one. To [renew](import/cert-update.md) this certificate, download its latest version yourself.

#### See also {#see-also}

* [Adding a custom certificate](import/cert-create.md)