diff --git a/config/initializers/01_secret_token.rb b/config/initializers/01_secret_token.rb
index 02bded43083534cb858d37ce4ab8cf000658ae42..4328ca509ba55db39ec73e5b6f2fcc4101411014 100644
--- a/config/initializers/01_secret_token.rb
+++ b/config/initializers/01_secret_token.rb
@@ -28,7 +28,8 @@ def create_tokens
     secret_key_base: file_secret_key || generate_new_secure_token,
     otp_key_base: env_secret_key || file_secret_key || generate_new_secure_token,
     db_key_base: generate_new_secure_token,
-    openid_connect_signing_key: generate_new_rsa_private_key
+    openid_connect_signing_key: generate_new_rsa_private_key,
+    lets_encrypt_private_key: generate_lets_encrypt_private_key
   }
 
   missing_secrets = set_missing_keys(defaults)
@@ -49,6 +50,10 @@ def generate_new_rsa_private_key
   OpenSSL::PKey::RSA.new(2048).to_pem
 end
 
+def generate_lets_encrypt_private_key
+  OpenSSL::PKey::RSA.new(4096).to_pem
+end
+
 def warn_missing_secret(secret)
   warn "Missing Rails.application.secrets.#{secret} for #{Rails.env} environment. The secret will be generated and stored in config/secrets.yml."
 end
diff --git a/spec/initializers/secret_token_spec.rb b/spec/initializers/secret_token_spec.rb
index 726ce07a2d1563288b33cf6c611aee8617830464..77bc28a6b07516681381fdf57a423d2c1f254017 100644
--- a/spec/initializers/secret_token_spec.rb
+++ b/spec/initializers/secret_token_spec.rb
@@ -45,11 +45,21 @@ describe 'create_tokens' do
         expect(keys).to all(match(RSA_KEY))
       end
 
+      it "generates private key for Let's Encrypt" do
+        create_tokens
+
+        keys = secrets.values_at(:lets_encrypt_private_key)
+
+        expect(keys.uniq).to eq(keys)
+        expect(keys).to all(match(RSA_KEY))
+      end
+
       it 'warns about the secrets to add to secrets.yml' do
         expect(self).to receive(:warn_missing_secret).with('secret_key_base')
         expect(self).to receive(:warn_missing_secret).with('otp_key_base')
         expect(self).to receive(:warn_missing_secret).with('db_key_base')
         expect(self).to receive(:warn_missing_secret).with('openid_connect_signing_key')
+        expect(self).to receive(:warn_missing_secret).with('lets_encrypt_private_key')
 
         create_tokens
       end
@@ -78,6 +88,7 @@ describe 'create_tokens' do
       before do
         secrets.db_key_base = 'db_key_base'
         secrets.openid_connect_signing_key = 'openid_connect_signing_key'
+        secrets.lets_encrypt_private_key = 'lets_encrypt_private_key'
 
         allow(File).to receive(:exist?).with('.secret').and_return(true)
         allow(File).to receive(:read).with('.secret').and_return('file_key')