Custom TLS certificates with a non-VIP CSR
To install a custom TLS certificate for a domain with a CSR that was not generated by VIP, customers must have in their possession a complete certificate chain generated by a Certificate Authority (CA).
A complete certificate chain includes:
- CSR
- Private key (password protected certificate keys are not supported)
- Leaf certificate
- Trusted certificates (also known as “Intermediate certificates”)
A custom TLS certificate can be generated and installed before a domain has been verified and before the DNS for a domain is pointed to VIP.
Access
Prerequisite
- Installing a TLS certificate for a domain in the VIP Dashboard requires a user to have at minimum an Org member role or an App write role for that application.
- In order to successfully install a generated custom TLS certificate, it must meet all of the requirements.
- Navigate to the VIP Dashboard for the application that the domain is associated with.
- Select the environment that the domain points to (e.g., production, develop) from the dropdown located at the upper left of the dashboard.
- Select “Domains & TLS” from the sidebar navigation at the left of the screen.
- Locate the domain for which the custom TLS certificate will be installed. If the domain is not yet added to the environment, add it by selecting the “Add Domain” button in the upper right of the panel and follow the prompts.
- Select the “•••” button located to the right of the domain.
- Select “Install Custom Certificate” from the overflow menu.
- In the message banner labeled “Have your own CSR and Private Key?” near the top of the screen, select the text “Click here to upload”.
Upload a certificate chain
To populate the “Upload a Certificate Chain” fields with all four parts of the complete certificate chain, a user can either “Copy and paste” or “Upload a PEM file”.
Copy and paste
For customers who have obtained separate files for all four parts of the complete certificate chain:
- Open the complete certificate chain files in a text editor.
- One at a time, copy the contents of a complete certificate chain file from the text editor and paste the contents into its corresponding field.
- Repeat for all four files.
- Select “Upload”.
Upload a PEM file
For customers who have obtained a single PEM file that contains all four parts of the complete certificate chain:
- Select the linked text “Select a PEM file”.
- Select the file source from the local machine.
- Select the button labeled “Upload”.
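A local pre-upload check for a single PEM file, added here as an example (it is not VIP tooling). It confirms that the file carries a CSR, exactly one private key that is not password protected, and certificates for the leaf plus intermediates. The function names are hypothetical, and the check assumes a complete chain means at least two CERTIFICATE blocks; it does not verify that the key matches the leaf certificate.

```python
import re
import sys

# One PEM block: label, then optional RFC 1421 headers and the base64 body.
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)-----END \1-----", re.DOTALL)
PLAIN_KEYS = {"PRIVATE KEY", "RSA PRIVATE KEY", "EC PRIVATE KEY"}
CSR_LABELS = {"CERTIFICATE REQUEST", "NEW CERTIFICATE REQUEST"}

def fake_block(label, headers=""):
    # Constructed placeholder: valid PEM framing around a meaningless body.
    return f"-----BEGIN {label}-----\n{headers}QUJDRA==\n-----END {label}-----\n"

# Constructed sample bundle: CSR, unencrypted key, leaf, one intermediate.
SAMPLE = "".join(fake_block(l) for l in (
    "CERTIFICATE REQUEST", "PRIVATE KEY", "CERTIFICATE", "CERTIFICATE"))

def check_bundle(pem_text):
    """Return a list of problems; an empty list means all four parts are present."""
    csrs = keys = certs = 0
    problems = []
    for label, body in PEM_BLOCK.findall(pem_text):
        if label in CSR_LABELS:
            csrs += 1
        elif label == "CERTIFICATE":
            certs += 1
        elif label == "ENCRYPTED PRIVATE KEY":
            # PKCS#8 encrypted keys announce themselves in the label.
            keys += 1
            problems.append("private key is password protected (PKCS#8)")
        elif label in PLAIN_KEYS:
            keys += 1
            # Legacy OpenSSL keys mark encryption in a header line instead.
            if "Proc-Type: 4,ENCRYPTED" in body:
                problems.append("private key is password protected (legacy PEM)")
        else:
            problems.append(f"unexpected PEM block: {label}")
    if csrs != 1:
        problems.append(f"expected 1 CSR, found {csrs}")
    if keys != 1:
        problems.append(f"expected 1 private key, found {keys}")
    if certs < 2:
        problems.append(f"expected leaf + intermediates, found {certs} certificate(s)")
    return problems

if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE
    issues = check_bundle(text)
    print("\n".join(issues) or "bundle looks complete")
    sys.exit(1 if issues else 0)
```

Run it with the path to the PEM file as the only argument; a non-zero exit status means at least one part is missing or the key is encrypted.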
Activate a custom certificate
The installation of a custom TLS certificate is not complete until it has been activated for a domain.
Choose your domains
After uploading a certificate chain, the user will be transferred to “Step 4 of 5” of the “Install Custom Certificate” panel in the VIP Dashboard:
- Select the option below the “Domains” label that is correct for the new TLS certificate that is being installed:
- Select all domains: Selecting this option indicates that the TLS certificate is applicable to all domains that have been added to the environment’s “Domains” panel.
- Select specific domains: Selecting this option will present the user with a dropdown list of domains that have been added to the environment’s “Domains” panel. Select one or more domains to which the TLS certificate should apply.
- Select the button labeled “Activate Certificates” to complete the TLS certificate installation and activation.
Confirm the certificate is working
- New TLS certificates may require up to 10 minutes to be enabled for a domain.
- Use a free online TLS testing tool such as SSLShopper or DigiCert.
- Browsers such as Firefox and Chrome provide tools for checking if a site’s connection is secure.
Last updated: July 16, 2024