Install a custom TLS certificate

TLS certificates from Let’s Encrypt are available for domains on the VIP Platform by default, but provisioning custom TLS certificates from other certificate authorities is also an option. Custom TLS certificates require a Certificate Signing Request (CSR). A CSR can be generated by VIP or by the certificate authority generating the custom TLS certificates.

Requirements

• Certificates must include both “www” and the root version of a hostname, so a SAN or wildcard certificate is recommended.
• The maximum certificate length that can be accepted by VIP is 398 days.
• Certificates must be in PEM format.
• The certificate chain must include one or more trusted certificates (also known as “Intermediate certificates“) provided by a Certificate Authority (CA).
• Trusted certificates are publicly available. If a trusted certificate is missing from a certificate chain, it can be retrieved from online tools such as KeyCDN.
• A custom TLS certificate can be generated and installed before the DNS for a domain is pointed to VIP.

Custom certificates with a VIP CSR

A certificate signing request (CSR) from VIP is required in order to obtain a custom certificate from a Certificate Authority (CA). It contains the necessary information, plus VIP’s authorization, that the CA needs to process a certificate.

1. Navigate to the VIP Dashboard and select the “Domains” panel option at the left.
2. Add the domain by selecting the “Add Domain” button in the upper right if it does not yet appear in the Domains list.
3. A button labeled “Install Certificate” will be displayed to the right of newly added domains in the Domains panel.
4. Select the “Install Certificate” button to access and select the “Custom Certificate” option in the dropdown.

Generate a Certificate Signing Request (CSR)

1. Select the “Create New CSR” tab.
2. Complete the requested information for each field and select “Generate CSR“.

Create your certificate

Copy or download the generated CSR and provide the CSR to a Certificate Authority.

Upload your certificate

Once the Certificate Authority has generated and provided a certificate and a chain of trusted certificates, resume the installation process.

1. Navigate to the VIP Dashboard and select the “Domains” panel option at the left.
2. A button labeled “Install Certificate” will be displayed to the right of newly added domains in the Domains panel.
3. Select the “Install Certificate” button to access and select the “Custom Certificate” option in the dropdown.
4. Choose one of the following methods to add the certificates to the form fields:
   • Copy and paste the contents of the certificates into each form field (Certificate and Trusted Certificate(s)).
   • If all parts of the complete certificate chain are contained in a single PEM file, select the linked text “Select a PEM file” to upload the file source from the local machine.
5. Select “Continue“.
6. Follow the instructions to “Activate a custom certificate” found below.

Custom TLS certificates with a non-VIP CSR

To install a custom TLS certificate for a domain with a non-VIP CSR, customers must have in their possession a complete certificate chain generated by a Certificate Authority. A complete certificate chain includes:

• CSR
• Private key (password protected certificate keys are not supported)
• Leaf certificate
• Trusted certificates (also known as “Intermediate certificates“)

Install custom certificate

1. Navigate to the VIP Dashboard and select the “Domains” panel option at the left.
2. Add the domain by selecting the “Add Domain” button in the upper right if it does not yet appear in the Domains list.
3. A button labeled “Install Certificate” will be displayed to the right of newly added domains in the Domains panel.
4. Select the “Install Certificate” button to access and select the “Custom Certificate” option in the dropdown.
5. Select the text “Have your own CSR and Private Key?” near the top of the screen.

Upload a certificate chain

Select one of two methods to populate the “Upload a Certificate Chain” fields with all four parts of the complete certificate chain.

Copy and paste

For customers who have obtained separate files for all four parts of the complete certificate chain:

1. Open the complete certificate chain files in a text editor.
2. One at a time, copy the contents of a complete certificate chain file from the text editor and paste the contents into its corresponding field.
3. Repeat for all four files.
4. Select “Upload“.

Upload a PEM file

For customers who have obtained a single PEM file that contains all four parts of the complete certificate chain:

1. Select the linked text “Select a PEM file“.
2. Select the file source from the local machine.
3. Select “Upload“.

Activate a custom certificate

Choose your domains

After uploading a certificate chain:

1. Click on the dropdown below the “Domains” label.
2. Select the domain for which the new custom TLS certificate is being installed.
3. Select “Activate Certificates“.

Confirm the certificate is working

• New TLS certificates may require up to 10 minutes to be enabled for a domain.
• Use a free online TLS testing tool such as SSLShopper or DigiCert.
• Browsers such as Firefox and Chrome provide tools for checking if a site’s connection is secure.

Switch from a custom TLS certificate to a Let’s Encrypt certificate

After a custom TLS certificate has been provisioned, it is possible to switch to a Let’s Encrypt TLS certificate at any time.

1. Navigate to the VIP Dashboard and select the “Domains” panel option at the left.
2. Click on the three dots (“···“) to the right of the domain.
3. Select the “Install Let’s Encrypt” option from the dropdown.
4. Follow the instructions for installing a Let’s Encrypt certificate.