Skip to content

Custom TLS certificate requirements

A generated custom TLS certificate must meet all of the following requirements in order to be successfully installed:

  • Certificates must include both “www” and the root version of a hostname. A SAN or wildcard certificate is recommended for this purpose.
  • The maximum certificate length that can be accepted by VIP is 398 days.
  • Certificates must be in PEM format.
  • The certificate chain must include one or more trusted certificates (also known as “Intermediate certificates“) provided by a Certificate Authority (CA).
  • Trusted certificates are publicly available. If a trusted certificate is missing from a certificate chain, it can be retrieved from online tools such as KeyCDN.
  • Online Certificate Status Protocol (OCSP) stapling is not supported and should not be used. Custom TLS certificates that include OCSP Must-Staple will not be considered valid by TLS clients.
  • A custom TLS certificate can be generated and installed before a domain has been verified and before the DNS for a domain is pointed to VIP.

Last updated: May 29, 2025

Relevant to

  • Node.js
  • WordPress