Custom TLS certificates with a non-VIP CSR
To install a custom TLS certificate for a domain with a CSR that was not generated by VIP, customers must have in their possession a complete certificate chain generated by a Certificate Authority (CA).
A complete certificate chain includes:
- CSR
- Private key (password protected certificate keys are not supported)
- Leaf certificate
- Trusted certificates (also known as “Intermediate certificates”)
A custom TLS certificate can be generated and installed before a domain has been verified and before the DNS for a domain is pointed to VIP.
Prerequisites
- Installing a TLS certificate for a domain in the VIP Dashboard requires a user to have at minimum an Org member role or an App write role for that application.
- A generated custom TLS certificate must meet all of the requirements in order to be installed successfully.
Access the custom certificate installer
- Navigate to the VIP Dashboard for the application that the domain is associated with.
- Select the environment that the domain points to (e.g., production, develop) from the dropdown located at the upper left of the dashboard.
- Select “Domains & TLS” from the sidebar navigation at the left of the screen.
- Add the domain by selecting the “Add Domain” button in the upper right if it does not yet appear in the Domains list.
- Select the “•••” button located to the right of the domain.
- Select “Install Custom Certificate” from the overflow menu.
- In the message banner labeled “Have your own CSR and Private Key?” near the top of the screen, select the text “Click here to upload”.
Upload a certificate chain
To populate the “Upload a Certificate Chain” fields with all four parts of the complete certificate chain, a user can either “Copy and paste” or “Upload a PEM file”.
Copy and paste
For customers who have obtained separate files for all four parts of the complete certificate chain:
- Open the complete certificate chain files in a text editor.
- One at a time, copy the contents of a complete certificate chain file from the text editor and paste the contents into its corresponding field.
- Repeat for all four files.
- Select “Upload”.
Upload a PEM file
For customers who have obtained a single PEM file that contains all four parts of the complete certificate chain:
- Select the linked text “Select a PEM file”.
- Select the file source from the local machine.
- Select “Upload”.
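A pre-upload check for the single PEM file case, as an added example that is not part of VIP's documentation or tooling: it splits the file into its PEM blocks, counts the four parts, and flags a password-protected private key. It assumes the leaf certificate appears before the intermediates; `check_bundle`, `fake_pem` and the sample bundles are constructed for illustration and contain no real key material.

```python
import base64
import re
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)-----END \1-----", re.DOTALL)

def check_bundle(pem_text):
    """Return (parts, problems) for a PEM file meant to hold all four chain parts."""
    parts = {"csr": 0, "private_key": 0, "leaf": 0, "intermediates": 0}
    problems = []
    for label, body in PEM_BLOCK.findall(pem_text):
        # A PKCS#8 "ENCRYPTED" label or a legacy RFC 1421 header means a passphrase is set.
        encrypted = label == "ENCRYPTED PRIVATE KEY" or "Proc-Type: 4,ENCRYPTED" in body
        b64 = "".join(l.strip() for l in body.splitlines() if ":" not in l)
        if label.endswith("PRIVATE KEY"):
            parts["private_key"] += 1
            if encrypted:
                problems.append("private key is password protected")
                continue  # legacy encrypted bodies are ciphertext, not DER
        elif label in ("CERTIFICATE REQUEST", "NEW CERTIFICATE REQUEST"):
            parts["csr"] += 1
        elif label == "CERTIFICATE":
            # Assumption: the first certificate is the leaf, the rest are intermediates.
            parts["leaf" if parts["leaf"] == 0 else "intermediates"] += 1
        else:
            problems.append(f"unexpected block: {label}")
            continue
        try:  # each of these parts is a DER SEQUENCE, so it starts with 0x30
            ok = base64.b64decode(b64, validate=True).startswith(b"\x30")
        except ValueError:
            ok = False
        if not ok:
            problems.append(f"{label} block is not valid base64 DER")
    for name in ("csr", "private_key", "leaf"):
        if parts[name] != 1:
            problems.append(f"expected exactly one {name}, found {parts[name]}")
    if parts["intermediates"] == 0:
        problems.append("no intermediate certificates found")
    return parts, problems

def fake_pem(label, payload, headers=""):
    # Constructed placeholder: DER-looking bytes only, not a real key or certificate.
    body = base64.b64encode(b"\x30\x03" + payload).decode()
    return f"-----BEGIN {label}-----\n{headers}{body}\n-----END {label}-----\n"

GOOD = (fake_pem("CERTIFICATE REQUEST", b"csr") + fake_pem("PRIVATE KEY", b"key")
        + fake_pem("CERTIFICATE", b"lf1") + fake_pem("CERTIFICATE", b"ca1"))
BAD = (fake_pem("CERTIFICATE REQUEST", b"csr")
       + fake_pem("RSA PRIVATE KEY", b"key", "Proc-Type: 4,ENCRYPTED\n\n")
       + fake_pem("CERTIFICATE", b"lf1"))
print(check_bundle(GOOD), check_bundle(BAD), sep="\n")
```

The check is structural only: it does not confirm that the private key matches the leaf certificate or that the chain validates to a trusted root.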
Activate a custom certificate
The installation of a TLS certificate is not complete until it has been activated for a domain.
Choose your domains
After uploading a certificate chain:
- Select the dropdown below the “Domains” label.
- Select the domain for which the new custom TLS certificate is being installed.
- Select “Activate Certificates”.
Confirm the certificate is working
- New TLS certificates may require up to 10 minutes to be enabled for a domain.
- Use a free online TLS testing tool such as SSLShopper or DigiCert.
- Browsers such as Firefox and Chrome provide tools for checking if a site’s connection is secure.
Last updated: February 27, 2024