Custom TLS certificates with a non-VIP CSR

To install a custom TLS certificate for a domain with a CSR that was not generated by VIP, customers must have in their possession a complete certificate chain generated by a Certificate Authority (CA).

A complete certificate chain includes:

CSR
Private key (password protected certificate keys are not supported)
Leaf certificate
Trusted certificates (also known as “Intermediate certificates“)

A custom TLS certificate can be generated and installed before a domain has been verified and before the DNS for a domain is pointed to VIP.

Access

Prerequisite

Installing a TLS certificate for a domain in the VIP Dashboard requires a user to have at minimum an Org member role or an App write role for that application.
In order to successfully install a generated custom TLS certificate, it must meet all of the requirements.

Navigate to the VIP Dashboard for the application that the domain is associated with.
Select the environment (e.g., production, develop that the domain points to) from the dropdown located at the upper left of the dashboard.
Select “Domains & TLS” from the sidebar navigation at the left of the screen.
Locate the domain for which the custom TLS certificate will be installed. If the domain is not yet added to the environment, add it by selecting the “Add Domain” button in the upper right of the panel and follow the prompts.
Select the “•••” button located to the right of the domain.
Select “Install Custom Certificate” from the overflow menu.
In the message banner labeled “Have your own CSR and Private Key?” near the top of the screen, select the text “Click here to upload“.

Example screenshot of the text “**Have your own CSR and Private Key?**” near the top of the screen

Upload a certificate chain

To populate the “Upload a Certificate Chain” fields with all four parts of the complete certificate chain, a user can either “Copy and paste” or “Upload a PEM file”.

Copy and paste

For customers who have obtained separate files for all four parts of the complete certificate chain:

Open the complete certificate chain files in a text editor.
One at a time, copy the contents of a complete certificate chain file from the text editor and paste the contents into its corresponding field.
Repeat for all four files.
Select “Upload“.

Upload a PEM file

For customers who have obtained a single PEM file that contains all four parts of the complete certificate chain:

Select the linked text “Select a PEM file“.
Select the file source from the local machine.
Select the button labeled “Upload“.

Screenshot example of the fields for the four parts of a complete certificate chain

Activate a custom certificate

The installation of a custom TLS certificate is not complete until it has been activated for a domain.

Choose your domains

After uploading a certificate chain, the user will be transferred to “Step 4 of 5” of the “Install Custom Certificate” panel in the VIP Dashboard:

Select the option below the “Domains” label that is correct for the new TLS certificate that is being installed:
- Select all domains: Selecting this option indicates that the TLS certificate is applicable to all domains that have been added to the environment’s “Domains” panel.
- Select specific domains: Selecting this option will present the user with a dropdown list of domains that have been added to the environment’s “Domains” panel. Select one or more domains to which the TLS certificate should apply.
Select the button labeled “Activate Certificates” to complete the TLS certificate installation and activation.

Example screenshot of the “Choose your domains” step and the button labeled “Activate Certificates”

Confirm the certificate is working

New TLS certificates may require up to 10 minutes to be enabled for a domain.
Use a free online TLS testing tool such as SSLShopper or DigiCert.
Browsers such as Firefox and Chrome provide tools for checking if a site’s connection is secure.

Last updated: July 16, 2024