Upsun automatically provides standard Transport Layer Security (TLS) certificates for all sites and environments. These certificates are issued at no charge by Let’s Encrypt and cover most needs. To use them, you need to specify HTTPS routes. Note that some limitations apply.

Upsun allows you to use third-party TLS certificates free of charge. You can use many kinds of custom certificates, including domain-validated, extended validation, high-assurance, or wildcard certificates. Consult your TLS issuer for pricing and instructions on how to generate a TLS certificate.

Seven days before a third-party custom certificate is due to expire, Upsun replaces it with a new default Let’s Encrypt certificate. This helps prevent downtime. To avoid switching to a default certificate, make sure you replace your custom certificate with an updated one more than seven days before its expiration date.

Note that custom certificates aren’t necessary for preview environments as we provision Let’s Encrypt certificates by default for them.

Add a custom certificate

You can add a custom certificate using the CLI or in the Console. Your certificate’s private key has to be in PKCS #1 format and start with -----BEGIN RSA PRIVATE KEY-----. If it doesn’t start that way, change the format. To add your custom certificate, follow these steps:
  1. Run the following command:
    upsun domain:add YOUR_DOMAIN --cert PATH_TO_CERTIFICATE_FILE --key PATH_TO_PRIVATE_KEY_FILE
    
    For example:
    upsun domain:add secure.example.com --cert /etc/TLS/private/secure-example-com.crt --key /etc/TLS/private/secure-example-com.key
    
    You can optionally include intermediate SSL certificates by adding --chain for each one.
  2. Redeploy your production environment with the following command:
    upsun environment:redeploy
    

Change the private key format

The expected format for your certificate’s private key is PKCS #1. Private keys in PKCS #1 format start with -----BEGIN RSA PRIVATE KEY-----. If your private key starts with -----BEGIN PRIVATE KEY-----, it’s in PKCS #8 format, which isn’t appropriate. To convert your private key (private.key) from PKCS #8 to PKCS #1 format (private.rsa.key), run the following command:
openssl rsa -in private.key -out private.rsa.key
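
The checks this page describes can be run locally before calling domain:add. The following is an added example, not Upsun's own code: it classifies the key by its PEM header, converts PKCS #8 to PKCS #1, confirms the key belongs to the certificate, and checks that the certificate is still outside the seven-day replacement window. The function names are illustrative, and it assumes the key is RSA and that the openssl command is installed; -traditional is tried first because the rsa command in OpenSSL 3.x writes PKCS #8 by default.

```sh
#!/bin/sh
# Added example, not Upsun code. Function names are illustrative.

# Classify a private key file by its first PEM header line.
key_format() {
    case "$(sed -n '/^-----BEGIN /{p;q;}' "$1" 2>/dev/null | tr -d '\r')" in
        "-----BEGIN RSA PRIVATE KEY-----")       echo pkcs1 ;;
        "-----BEGIN PRIVATE KEY-----")           echo pkcs8 ;;
        "-----BEGIN ENCRYPTED PRIVATE KEY-----") echo pkcs8-encrypted ;;
        *)                                       echo unknown ;;
    esac
}

# Write a PKCS #1 copy of RSA key $1 to $2. OpenSSL 3.x needs -traditional
# (its rsa command writes PKCS #8 by default); older builds reject the flag,
# so fall back to the plain command and then verify the header either way.
to_pkcs1() (
    umask 077   # the converted key must not be group/world readable
    openssl rsa -traditional -in "$1" -out "$2" 2>/dev/null ||
        openssl rsa -in "$1" -out "$2" 2>/dev/null || exit 1
    [ "$(key_format "$2")" = pkcs1 ]
)

# Succeed only if certificate $1 and private key $2 hold the same public key.
key_matches_cert() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Succeed only if certificate $1 remains valid for more than seven days
# (604800 s), i.e. it is not yet inside the replacement window described above.
outside_replacement_window() {
    openssl x509 -in "$1" -noout -checkend 604800 >/dev/null 2>&1
}

# Run every check on CERT ($1) and KEY ($2) before passing them to domain:add.
preflight() {
    fmt=$(key_format "$2")
    [ "$fmt" = pkcs1 ] || { echo "key is $fmt, expected pkcs1" >&2; return 1; }
    key_matches_cert "$1" "$2" || { echo "key/certificate mismatch" >&2; return 1; }
    outside_replacement_window "$1" ||
        { echo "certificate expires within 7 days" >&2; return 1; }
    echo "ok: certificate and key pass all checks"
}

if [ "$#" -eq 2 ]; then preflight "$1" "$2"; fi
```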
Last modified on March 11, 2026