Skip to content

Backgrounds

How-to Guides

Technical References

Install a custom TLS certificate

TLS certificates from Let’s Encrypt are available for domains on the VIP Platform by default, but provisioning custom TLS certificates from other certificate authorities is also an option. Custom TLS certificates require a Certificate Signing Request (CSR). A CSR can be generated by VIP or by the certificate authority generating the custom TLS certificates.

Prerequisite

Installing a TLS certificate for a domain in the VIP Dashboard requires a user to have at minimum an Org member role or an App write role for that application.

Requirements

  • Certificates must include both “www” and the root version of a hostname, so a SAN or wildcard certificate is recommended.
  • The maximum certificate length that can be accepted by VIP is 398 days.
  • Certificates must be in PEM format.
  • The certificate chain must include one or more trusted certificates (also known as “Intermediate certificates“) provided by a Certificate Authority (CA).
  • Trusted certificates are publicly available. If a trusted certificate is missing from a certificate chain, it can be retrieved from online tools such as KeyCDN.
  • A custom TLS certificate can be generated and installed before the DNS for a domain is pointed to VIP.

Custom certificates with a VIP CSR

A certificate signing request (CSR) from VIP is required in order to obtain a custom certificate from a Certificate Authority (CA). It contains the necessary information, plus VIP’s authorization, that the CA needs to process a certificate.

  1. Navigate to the VIP Dashboard and select the “Domains” panel option at the left.
  2. Add the domain by selecting the “+ Add Domain” button in the upper right if it does not yet appear in the Domains list.
  3. A button labeled “Install Certificate” will be displayed to the right of newly added domains in the Domains panel.
  4. Select the “Install Certificate” button to access and select the “Custom Certificate” option in the dropdown.
Screenshot of the Domains panel with the dropdown below “Install Certificate” displayed

Generate a Certificate Signing Request (CSR)

  1. Select the “Create New CSR” tab.
  2. Complete the requested information for each field and select “Generate CSR“.
Screenshot of the setting fields for the “Generate a Certificate Signing Request (CSR)” step

Create your certificate

Copy or download the generated CSR and provide the CSR to a Certificate Authority.

Screenshot of an example CSR generated in the “Create your certificate” step

Upload your certificate

Once the Certificate Authority has generated and provided a certificate and a chain of trusted certificates, resume the installation process.

  1. Navigate to the VIP Dashboard and select the “Domains” panel option at the left.
  2. A button labeled “Install Certificate” will be displayed to the right of newly added domains in the Domains panel.
  3. Select the “Install Certificate” button to access and select the “Custom Certificate” option in the dropdown.
Screenshot of example certificates pasted into the form fields for the “Upload your certificate” step.
  1. Paste the contents of the certificates in each form field (Certificate and Trusted Certificate(s)).
  2. Select “Continue“.
  3. Follow the instructions to “Activate a custom certificate” found below.

Custom TLS certificates with a non-VIP CSR

To install a custom TLS certificate for a domain with a non-VIP CSR, customers must have in their possession a complete certificate chain generated by a Certificate Authority. A complete certificate chain includes:

Install custom certificate

  1. Navigate to the VIP Dashboard and select the “Domains” panel option at the left.
  2. Add the domain by selecting the “+ Add Domain” button in the upper right if it does not yet appear in the Domains list.
  3. A button labeled “Install Certificate” will be displayed to the right of newly added domains in the Domains panel.
  4. Select the “Install Certificate” button to access and select the “Custom Certificate” option in the dropdown.
  5. Select the text “Have your own CSR and Private Key?” near the top of the screen.
Screenshot of the text Have your own CSR and Private Key?” near the top of the screen

Upload a certificate chain

  • Open the complete certificate chain files in a text editor.
  • A field exists for each of the four parts of the complete certificate chain. One at a time, copy the contents of a complete certificate chain file from the text editor and paste the contents into its corresponding field. Repeat for all four files.
  • Select “Upload“.

Activate a custom certificate

Choose your domains

After uploading a certificate chain:

  1. Click on the dropdown below the “Domains” label.
  2. Select the domain for which the new custom TLS certificate is being installed.
  3. Select “Activate Certificates“.
Screenshot of the “Choose your domains” step and the “Activate Certificates” button in the VIP Dashboard

Confirm the certificate is working

  • New TLS certificates may require up to 10 minutes to be enabled for a domain.
  • Use a free online TLS testing tool such as SSLShopper or DigiCert.
  • Browsers such as Firefox and Chrome provide tools for checking if a site’s connection is secure.

Switch from a custom TLS certificate to a Let’s Encrypt certificate

After a custom TLS certificate has been provisioned, it is possible to switch to a Let’s Encrypt TLS certificate at any time.

  1. Navigate to the VIP Dashboard and select the “Domains” panel option at the left.
  2. Click on the three dots (“···“) to the right of the domain.
  3. Select the “Install Let’s Encrypt” option from the dropdown.
  4. Follow the instructions for installing a Let’s Encrypt certificate.

Last updated: January 12, 2022