Custom TLS certificates with a non-VIP CSR

To install a custom TLS certificate for a domain with a CSR that was not generated by VIP, customers must have in their possession a complete certificate chain generated by a Certificate Authority (CA).

A complete certificate chain includes:

CSR
Private key (password protected certificate keys are not supported)
Leaf certificate
Trusted certificates (also known as “Intermediate certificates“)

A custom TLS certificate can be generated and installed before a domain has been verified and before the DNS for a domain is pointed to VIP.

Prerequisite

Installing a TLS certificate for a domain in the VIP Dashboard requires a user to have at minimum an Org member role or an App write role for that application.
In order to successfully install a generated custom TLS certificate, it must meet all of the requirements.

Access the custom certificate installer

Navigate to the VIP Dashboard for the application that the domain is associated with.
Select the environment that the domain points to (e.g., production, develop) from the dropdown located at the upper left of the dashboard.
Select “Domains & TLS” from the sidebar navigation at the left of the screen.
Add the domain by selecting the “Add Domain” button in the upper right if it does not yet appear in the Domains list.
Select the “•••” button located to the right of the domain.
Select “Install Custom Certificate” from the overflow menu.
In the message banner labeled “Have your own CSR and Private Key?” near the top of the screen, select the text “Click here to upload“.

Example screenshot of the text “**Have your own CSR and Private Key?**” near the top of the screen

Upload a certificate chain

To populate the “Upload a Certificate Chain” fields with all four parts of the complete certificate chain, a user can either “Copy and paste” or “Upload a PEM file”.

Copy and paste

For customers who have obtained separate files for all four parts of the complete certificate chain:

Open the complete certificate chain files in a text editor.
One at a time, copy the contents of a complete certificate chain file from the text editor and paste the contents into its corresponding field.
Repeat for all four files.
Select “Upload“.

Upload a PEM file

For customers who have obtained a single PEM file that contains all four parts of the complete certificate chain:

Select the linked text “Select a PEM file“.
Select the file source from the local machine.
Select “Upload“.

Screenshot example of the fields for the four parts of a complete certificate chain

Activate a custom certificate

The installation of a TLS certificate is not complete until it has been activated for a domain.

Choose your domains

After uploading a certificate chain:

Select the dropdown below the “Domains” label.
Select the domain for which the new custom TLS certificate is being installed.
Select “Activate Certificates“.

Screenshot of the “Choose your domains” step and the “Activate Certificates” button in the VIP Dashboard

Confirm the certificate is working

New TLS certificates may require up to 10 minutes to be enabled for a domain.
Use a free online TLS testing tool such as SSLShopper or DigiCert.
Browsers such as Firefox and Chrome provide tools for checking if a site’s connection is secure.

Last updated: February 27, 2024