Configure a third-party TLS certificate automatically provides all environments with standard Transport Layer Security (TLS) certificates issued by Let’s Encrypt. No further action is required to use TLS-encrypted connections beyond specifying HTTPS routes.

You can also provide your own third-party TLS certificate from the issuer of your choice. doesn’t charge for using a third-party TLS certificate, although the issuer may. Consult your TLS issuer for instructions on how to generate an TLS certificate.

You can use many kinds of certificates, including domain-validated, extended validation, high-assurance, and wildcard certificates.

A custom certificate isn’t necessary for development environments. automatically provides wildcard certificates that cover all * domains, including development environments.

If you are using a third-party certificate, seven days before it expires issues a Let’s Encrypt certificate and replaces the custom certificate with it to avoid interruption in service. If you wish to continue using the custom certificate, replace it with an updated certificate more than seven days before it expires.

Add a custom certificate 

You can add a custom certificate using the CLI or in the Console.

Your certificate has to be in PKCS #1 format and start with -----BEGIN RSA PRIVATE KEY-----. If it doesn’t start that way, change the format.

To add your custom certificate, follow these steps:

  1. Add the certificate with the following command:


    For example:

    platform domain:add --cert /etc/TLS/private/secure-example-com.crt --key /etc/TLS/private/secure-example-com.key

    You can optionally include intermediate SSL certificates by adding ‐‐chain PATH_TO_FILE for each one.

  2. Redeploy your production environment with the following command:

    platform environment:redeploy
  1. Open the project where you want to add a certificate.
  2. Click Settings.
  3. Click Certificates.
  4. Click + Add.
  5. Fill in your private key, public key certificate, and (optionally) intermediate SSL certificates.
  6. Click Add Certificate.
  7. Access your production environment.
  8. Click More.
  9. Click Redeploy.

Change the private key format 

Your certificate’s private key needs to be in PKCS #1 format, which means it starts with -----BEGIN RSA PRIVATE KEY-----. If it has -----BEGIN PRIVATE KEY----- instead, it’s in PKCS #8 format and you need to change it.

To convert your private key (private.key) from PKCS #8 to PKCS #1 format (private.rsa.key), run the following command:

openTLS rsa -in private.key -out private.rsa.key