User Documentation

Configure a third-party TLS certificate

Standard Transport Layer Security (TLS) certificates are provided automatically for all sites and environments. These certificates are issued at no charge by Let’s Encrypt and cover most needs. To use them, you need to specify HTTPS routes. Note that some limitations apply. You can also use third-party TLS certificates free of charge.

You can use many kinds of custom certificates, including domain-validated, extended validation, high-assurance, or wildcard certificates. Consult your TLS issuer for pricing and instructions on how to generate a TLS certificate.

Seven days before a third-party custom certificate is due to expire, it is replaced with a new default Let’s Encrypt certificate. This helps prevent downtime. To avoid switching to a default certificate, make sure you replace your custom certificate with an updated one more than seven days before its expiration date.

Note that custom certificates aren’t necessary for preview environments. Wildcard certificates that cover all * domains, including preview environments, are automatically provided.

Add a custom certificate

You can add a custom certificate using the CLI or in the Console.

Your certificate’s private key has to be in PKCS #1 format and start with -----BEGIN RSA PRIVATE KEY-----. If it doesn’t start that way, change the format.

To add your custom certificate using the CLI, follow these steps:

  1. Run the following command:


    For example:

    platform domain:add --cert /etc/TLS/private/secure-example-com.crt --key /etc/TLS/private/secure-example-com.key

    You can optionally include intermediate SSL certificates by adding --chain PATH_TO_FILE for each one.

  2. Redeploy your production environment with the following command:

    platform environment:redeploy

To add your custom certificate in the Console, follow these steps:

  1. Open the project where you want to add a certificate.
  2. Click Settings.
  3. Click Certificates.
  4. Click + Add.
  5. Fill in your private key, public key certificate, and (optionally) intermediate SSL certificates.
  6. Click Add Certificate.
  7. Access your production environment.
  8. Click More.
  9. Click Redeploy.

Change the private key format

The expected format for your certificate’s private key is PKCS #1. Private keys in PKCS #1 format start with -----BEGIN RSA PRIVATE KEY-----. If your private key starts with -----BEGIN PRIVATE KEY-----, it’s in PKCS #8 format, which isn’t appropriate.

To convert your private key (private.key) from PKCS #8 to PKCS #1 format (private.rsa.key), run the following command:

openssl rsa -in private.key -out private.rsa.key
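The following pre-flight check is an added example, not part of the original documentation. It covers the two requirements described on this page: the private key must be PKCS #1, and the certificate must have more than seven days left. It also confirms that the certificate and key belong together. The function names are hypothetical, and it assumes openssl is on your PATH.

```shell
#!/bin/sh
# Added example: checks to run on a custom certificate before uploading it.
# Function names are hypothetical; pass your own certificate and key paths.

# Classify a PEM private key by its first line.
key_format() {
    case "$(head -n 1 "$1" 2>/dev/null)" in
        "-----BEGIN RSA PRIVATE KEY-----")       echo pkcs1 ;;
        "-----BEGIN PRIVATE KEY-----")           echo pkcs8 ;;
        "-----BEGIN ENCRYPTED PRIVATE KEY-----") echo pkcs8-encrypted ;;
        *)                                       echo unknown ;;
    esac
}

# Succeeds when certificate $1 is still valid more than $2 days from now.
cert_valid_for_days() {
    openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null
}

# Succeeds when certificate $1 and private key $2 carry the same public key.
cert_matches_key() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout) || return 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# usage: preflight CERT KEY  (returns non-zero if any check fails)
preflight() {
    rc=0
    fmt=$(key_format "$2")
    [ "$fmt" = pkcs1 ] || { echo "key format is $fmt, expected pkcs1" >&2; rc=1; }
    # Seven days is the replacement threshold stated on this page.
    cert_valid_for_days "$1" 7 || { echo "certificate expires within 7 days" >&2; rc=1; }
    cert_matches_key "$1" "$2" || { echo "certificate and key do not match" >&2; rc=1; }
    return "$rc"
}

# Run the checks when called as: sh preflight.sh CERT KEY
if [ "$#" -eq 2 ]; then preflight "$1" "$2"; fi
```

If `key_format` still reports `pkcs8` after the conversion command above, your OpenSSL is likely version 3.x, where `openssl rsa` needs the `-traditional` option to write PKCS #1.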
