Skip to content

Install a custom TLS certificate

TLS certificates from Let’s Encrypt are available for domains on the VIP Platform by default, but provisioning custom TLS certificates from other certificate authorities is also an option. Custom TLS certificates require a Certificate Signing Request (CSR). A CSR can be generated by VIP or by the certificate authority generating the custom TLS certificates.

Prerequisite

Installing a TLS certificate for a domain in the VIP Dashboard requires a user to have at minimum an Org member role or an App write role for that application.

Requirements

  • Certificates must include both “www” and the root version of a hostname, so a SAN or wildcard certificate is recommended.
  • The maximum certificate length that can be accepted by VIP is 398 days.
  • Certificates must be in PEM format.
  • The certificate chain must include one or more trusted certificates (also known as “Intermediate certificates“) provided by a Certificate Authority (CA).
  • Trusted certificates are publicly available. If a trusted certificate is missing from a certificate chain, it can be retrieved from online tools such as KeyCDN.
  • A custom TLS certificate can be generated and installed before the DNS for a domain is pointed to VIP.

Custom certificates with a VIP CSR

A certificate signing request (CSR) from VIP is required in order to obtain a custom certificate from a Certificate Authority (CA). It contains the necessary information, plus VIP’s authorization, that the CA needs to process a certificate.

  1. Navigate to the VIP Dashboard.
  2. Select the environment that the domain points to (e.g., Production, Develop) from the dropdown located at the upper left of the dashboard.
  3. Select “Domains & Certs” from the sidebar navigation at the left of the screen.
  4. Add the domain by selecting the “Add Domain” button in the upper right if it does not yet appear in the Domains list.
  5. A button labeled “Install Certificate” will be displayed to the right of newly added domains in the Domains panel.
  6. Select the “Install Certificate” button to access and select the “Custom Certificate” option in the dropdown.
Screenshot of the Domains panel with the dropdown below “Install Certificate” displayed

Generate a Certificate Signing Request (CSR)

  1. Select the “Create New CSR” tab.
  2. Complete the requested information for each field and select “Generate CSR“.
Screenshot of the setting fields for the “Generate a Certificate Signing Request (CSR)” step

Create your certificate

Copy or download the generated CSR and provide the CSR to a Certificate Authority.

Screenshot of an example CSR generated in the “Create your certificate” step

Upload your certificate

Once the Certificate Authority has generated and provided a certificate and a chain of trusted certificates, resume the installation process.

  1. Navigate to the VIP Dashboard.
  2. Select “Domains & Certs” from the sidebar navigation at the left of the screen.
  3. A button labeled “Install Certificate” will be displayed to the right of newly added domains in the Domains panel.
  4. Select the “Install Certificate” button to access and select the “Custom Certificate” option in the dropdown.
  5. Choose one of the following methods to add the certificates to the form fields:
    • Copy and paste the contents of the certificates into each form field (Certificate and Trusted Certificate(s)).
    • If all parts of the complete certificate chain are contained in a single PEM file, select the linked text “Select a PEM file” to upload the file source from the local machine.
  6. Select “Continue“.
  7. Follow the instructions to “Activate a custom certificate” found below.
Screenshot of example certificates pasted into the form fields for the “Upload your certificate” step.

Custom TLS certificates with a non-VIP CSR

To install a custom TLS certificate for a domain with a non-VIP CSR, customers must have in their possession a complete certificate chain generated by a Certificate Authority. A complete certificate chain includes:

Install custom certificate

  1. Navigate to the VIP Dashboard.
  2. Select the environment that the domain points to (e.g., Production, Develop) from the dropdown located at the upper left of the dashboard.
  3. Select “Domains & Certs” from the sidebar navigation at the left of the screen.
  4. Add the domain by selecting the “Add Domain” button in the upper right if it does not yet appear in the Domains list.
  5. A button labeled “Install Certificate” will be displayed to the right of newly added domains in the Domains panel.
  6. Select the “Install Certificate” button to access and select the “Custom Certificate” option in the dropdown.
  7. Select the text “Have your own CSR and Private Key?” near the top of the screen.
Screenshot of the text Have your own CSR and Private Key?” near the top of the screen

Upload a certificate chain

Select one of two methods to populate the “Upload a Certificate Chain” fields with all four parts of the complete certificate chain.

Copy and paste

For customers who have obtained separate files for all four parts of the complete certificate chain:

  1. Open the complete certificate chain files in a text editor.
  2. One at a time, copy the contents of a complete certificate chain file from the text editor and paste the contents into its corresponding field.
  3. Repeat for all four files.
  4. Select “Upload“.

Upload a PEM file

For customers who have obtained a single PEM file that contains all four parts of the complete certificate chain:

  1. Select the linked text “Select a PEM file“.
  2. Select the file source from the local machine.
  3. Select “Upload“.
Screenshot example of the fields for the four parts of a complete certificate chain

Activate a custom certificate

Choose your domains

After uploading a certificate chain:

  1. Click on the dropdown below the “Domains” label.
  2. Select the domain for which the new custom TLS certificate is being installed.
  3. Select “Activate Certificates“.
Screenshot of the “Choose your domains” step and the “Activate Certificates” button in the VIP Dashboard

Confirm the certificate is working

  • New TLS certificates may require up to 10 minutes to be enabled for a domain.
  • Use a free online TLS testing tool such as SSLShopper or DigiCert.
  • Browsers such as Firefox and Chrome provide tools for checking if a site’s connection is secure.

Switch from a custom TLS certificate to a Let’s Encrypt certificate

After a custom TLS certificate has been provisioned, it is possible to switch to a Let’s Encrypt TLS certificate at any time.

  1. Navigate to the VIP Dashboard.
  2. Select the environment that the domain points to (e.g., Production, Develop) from the dropdown located at the upper left of the dashboard.
  3. Select “Domains & Certs” from the sidebar navigation at the left of the screen.
  4. Click on the three dots (“···“) to the right of the domain.
  5. Select the “Install Let’s Encrypt” option from the dropdown.
  6. Follow the instructions for installing a Let’s Encrypt certificate.

Last updated: September 12, 2023

Relevant to

  • Node.js
  • WordPress