Custom TLS certificate requirements

A generated custom TLS certificate must meet all of the following requirements in order to be successfully installed:

• Certificates must include both “www” and the root version of a hostname. A SAN or wildcard certificate is recommended for this purpose.
• The maximum certificate length that can be accepted by VIP is 398 days.
• Certificates must be in PEM format.
• The certificate chain must include one or more trusted certificates (also known as “Intermediate certificates“) provided by a Certificate Authority (CA).
• Trusted certificates are publicly available. If a trusted certificate is missing from a certificate chain, it can be retrieved from online tools such as KeyCDN.
• Online Certificate Status Protocol (OCSP) stapling is not supported and should not be used. Custom TLS certificates that include OCSP Must-Staple will not be considered valid by TLS clients.
• A custom TLS certificate can be generated and installed before a domain has been verified and before the DNS for a domain is pointed to VIP.