> ## Documentation Index
> Fetch the complete documentation index at: https://developer.upsun.com/llms.txt
> Use this file to discover all available pages before exploring further.

# Configure a third-party TLS certificate

export const VariableBlock = ({name}) => {
  return <var spellCheck={false} title={`Replace '${name}' with your own data`}>{name}</var>;
};

export const SettingsIcon = () => <svg width="24px" height="24px" style={{
  display: 'inline',
  verticalAlign: 'middle'
}}>
    <title id="settings-icon">Settings</title>
    <path d="M10.5289 21.9416C9.86066 21.8582 9.3595 21.3576 9.19245 20.6903L9.02539 19.6892C8.85834 19.6058 8.77482 19.6058 8.60776 19.5224L7.93955 20.0229C7.43839 20.44 6.68665 20.44 6.10196 20.0229C6.10196 20.0229 4.09732 18.1042 4.01379 17.9374C3.51263 17.3535 3.51263 16.6027 3.93027 16.0187L4.51495 15.3514C4.43143 15.1845 4.43143 15.1011 4.3479 14.9343L3.42911 14.7674C2.76089 14.684 2.25973 14.1835 2.09268 13.4327C2.00915 13.1824 2.09268 10.4296 2.09268 10.4296C2.17621 9.76222 2.67737 9.2617 3.34558 9.09486L4.3479 8.92802C4.43143 8.8446 4.43143 8.76118 4.51495 8.59434L4.01379 7.92697C3.59616 7.42645 3.59616 6.67567 4.01379 6.09173C4.01379 6.09173 5.93491 4.08964 6.10196 4.00622C6.68665 3.5057 7.43839 3.5057 8.02307 3.9228L8.69129 4.50675C8.85834 4.42333 8.94187 4.42333 9.10892 4.33991L9.27597 3.42228C9.3595 2.75492 9.86066 2.2544 10.6124 2.08756C10.863 2.00414 13.2853 2.00414 13.5358 2.08756H13.6194C14.2876 2.17098 14.7887 2.6715 14.9558 3.33886L15.1228 4.33991C15.2064 4.42333 15.2899 4.50675 15.457 4.50675L16.1252 4.00622C16.6263 3.58912 17.3781 3.58912 17.9628 4.00622C17.9628 4.00622 19.9674 5.92489 20.0509 6.09173C20.5521 6.67567 20.5521 7.42645 20.1344 8.0104L19.6333 8.67776C19.7168 8.8446 19.7168 9.01144 19.8003 9.09486L20.7191 9.2617C21.3873 9.34512 21.972 9.92906 22.0556 10.5964V13.5996C21.972 14.2669 21.4709 14.7674 20.8027 14.9343L19.8003 15.1011C19.7168 15.268 19.7168 15.3514 19.6333 15.5182L20.218 16.269C20.6356 16.7695 20.6356 17.5203 20.218 18.1042L18.0463 20.2732C17.4616 20.6903 16.7099 20.6903 16.2087 20.2732L15.3734 19.6058C15.2064 19.6892 15.1228 19.6892 14.9558 19.7726L14.7887 20.6903C14.7052 21.3576 14.1205 21.9416 13.4523 22.025H10.5289V21.9416ZM11.5312 20.3566C11.8653 20.3566 12.1994 20.3566 12.45 20.3566C12.8676 20.3566 13.2017 20.0229 13.2853 19.6058L13.3688 18.9384C13.3688 18.6882 13.6194 18.4379 13.8699 18.2711L15.1228 17.7706C15.3734 17.6871 15.7075 17.6871 15.9581 17.854L16.5428 18.2711C16.8769 18.5213 17.3781 18.5213 17.6286 18.1877C17.7957 18.0208 18.0463 17.7706 18.2969 17.5203C18.5474 17.1866 18.631 16.7695 18.3804 16.4358L17.8792 16.0187C17.7122 15.7685 17.6286 15.4348 17.7957 15.1845L18.2969 14.0167C18.3804 13.7664 18.631 13.5996 18.9651 13.5161L19.6333 13.4327C20.0509 13.3493 20.385 13.0156 20.385 12.5985C20.385 12.2648 20.385 11.9311 20.385 11.6809C20.385 11.2638 20.0509 10.9301 19.6333 10.8467L18.9651 10.7633C18.7145 10.7633 18.4639 10.513 18.2969 10.2627L17.7957 9.01144C17.7122 8.76118 17.7122 8.4275 17.8792 8.17724L18.2969 7.59329C18.5474 7.25961 18.5474 6.84251 18.2133 6.50883C18.0463 6.34199 17.7957 6.09173 17.5451 5.84147C17.211 5.50779 16.7934 5.50779 16.4593 5.75805L16.0416 6.17515C15.7911 6.34199 15.457 6.42541 15.2064 6.25857L14.037 5.75805C13.7864 5.67463 13.6194 5.42437 13.5358 5.09069L13.3688 4.50675C13.2853 4.08964 12.9511 3.75596 12.5335 3.75596C12.1994 3.75596 11.8653 3.75596 11.6147 3.75596C11.1971 3.75596 10.863 4.08964 10.7795 4.50675L10.6959 5.17411C10.6959 5.42437 10.4453 5.67463 10.1948 5.84147L9.02539 6.25857C8.69129 6.42541 8.44071 6.34199 8.19013 6.17515L7.60544 5.75805C7.27133 5.50779 6.77017 5.50779 6.51959 5.84147C6.26901 6.00831 6.10196 6.25857 5.85138 6.42541C5.6008 6.75909 5.51727 7.17619 5.85138 7.50987L6.18549 8.09382C6.35254 8.34408 6.43607 8.67776 6.26901 8.92802L5.76785 10.0959C5.68433 10.3462 5.43375 10.513 5.09964 10.5964L4.43143 10.6798C4.01379 10.7633 3.67969 11.0969 3.67969 11.514C3.67969 11.8477 3.67969 12.1814 3.67969 12.4317C3.67969 12.8488 4.01379 13.1825 4.43143 13.2659L5.09964 13.3493C5.35022 13.3493 5.6008 13.5996 5.76785 13.8498L6.26901 15.1011C6.35254 15.3514 6.35254 15.6851 6.18549 15.9353L5.76785 16.5193C5.51727 16.8529 5.51727 17.3535 5.85138 17.6037C6.01843 17.7706 6.26901 18.0208 6.51959 18.2711C6.8537 18.5213 7.27133 18.6048 7.60544 18.3545L8.02307 17.854C8.27365 17.6871 8.60776 17.6037 8.85834 17.7706L10.0277 18.2711C10.2783 18.3545 10.4453 18.6048 10.5289 18.9384L10.6124 19.6058C10.7795 20.0229 11.1136 20.3566 11.5312 20.3566ZM18.798 6.92593C18.798 6.92593 18.798 7.00935 18.798 6.92593V6.92593Z"></path>
    <path d="M12.0324 17.0198C9.27597 17.0198 7.02075 14.7675 7.02075 12.0146C7.02075 9.26172 9.27597 7.00937 12.0324 7.00937C14.7887 7.00937 17.044 9.26172 17.044 12.0146C17.044 14.7675 14.7887 17.0198 12.0324 17.0198ZM12.0324 8.67777C10.1948 8.67777 8.69129 10.1793 8.69129 12.0146C8.69129 13.8498 10.1948 15.3514 12.0324 15.3514C13.8699 15.3514 15.3734 13.8498 15.3734 12.0146C15.3734 10.1793 13.8699 8.67777 12.0324 8.67777Z"></path>
  </svg>;

export const MoreIcon = () => <svg width="24px" height="24px" style={{
  display: 'inline',
  verticalAlign: 'middle'
}}>
    <title id="more-icon">More</title>
    <path d="M12 6.5C12.8284 6.5 13.5 5.82843 13.5 5C13.5 4.17157 12.8284 3.5 12 3.5C11.1716 3.5 10.5 4.17157 10.5 5C10.5 5.82843 11.1716 6.5 12 6.5Z" fill="current"></path>
    <path d="M12 13.5C12.8284 13.5 13.5 12.8284 13.5 12C13.5 11.1716 12.8284 10.5 12 10.5C11.1716 10.5 10.5 11.1716 10.5 12C10.5 12.8284 11.1716 13.5 12 13.5Z" fill="current"></path>
    <path d="M12 20.5C12.8284 20.5 13.5 19.8284 13.5 19C13.5 18.1716 12.8284 17.5 12 17.5C11.1716 17.5 10.5 18.1716 10.5 19C10.5 19.8284 11.1716 20.5 12 20.5Z" fill="current"></path>
  </svg>;

Upsun automatically provides standard Transport Layer Security (TLS) certificates for all sites and environments.
These certificates are issued at no charge by [Let's Encrypt](https://letsencrypt.org/) and cover most needs.
To use them, you need to [specify HTTPS routes](/docs/routes/https#enable-https).
Note that some [limitations](/docs/routes/https#lets-encrypt-limitations) apply.

Upsun allows you to use third-party TLS certificates free of charge.

You can use many kinds of custom certificates, including domain-validated, extended validation, high-assurance, or wildcard certificates.
Consult your TLS issuer for pricing and instructions on how to generate a TLS certificate.

Seven days before a third-party custom certificate is due to expire,
Upsun replaces it with a new default Let’s Encrypt certificate.
This helps prevent downtime.
To avoid switching to a default certificate,
make sure you replace your custom certificate with an updated one
more than seven days before its expiration date.

Note that custom certificates aren't necessary for preview environments as we provision Let's Encrypt certificates by default for them.

### Add a custom certificate

You can add a custom certificate using the [CLI](/cli) or in the [Console](/docs/administration/web).

Your certificate has to be in PKCS #1 format and start with `-----BEGIN RSA PRIVATE KEY-----`.
If it doesn't start that way, [change the format](#change-the-private-key-format).

To add your custom certificate, follow these steps:

<Tabs>
  <Tab title="Using the CLI">
    1. Run the following command:

       ```bash theme={null}
       upsun domain:add <YOUR_DOMAIN> --cert <PATH_TO_CERTIFICATE_FILE> --key <PATH_TO_PRIVATE_KEY_FILE>
       ```

       For example:

       ```bash theme={null}
       upsun domain:add secure.example.com --cert /etc/TLS/private/secure-example-com.crt --key /etc/TLS/private/secure-example-com.key
       ```

       You can optionally include intermediate SSL certificates by adding `--chain <PATH_TO_FILE>` for each one.

    2. Redeploy your production environment with the following command:

       ```bash theme={null}
       upsun environment:redeploy
       ```
  </Tab>

  <Tab title="In the Console">
    1. Open the project where you want to add a certificate.
    2. Click <SettingsIcon /> **Settings**.
    3. Click **Certificates**.
    4. Click **+ Add**.
    5. Fill in your private key, public key certificate, and (optionally) intermediate SSL certificates.
    6. Click **Add Certificate**.
    7. Access your production environment.
    8. Click <MoreIcon /> **More**.
    9. Click **Redeploy**.
  </Tab>
</Tabs>

### Change the private key format

The expected format for your certificate’s private key is PKCS #1.
Private keys in PKCS #1 format start with `-----BEGIN RSA PRIVATE KEY-----`.
If your private key starts with `-----BEGIN PRIVATE KEY-----`, it’s in PKCS #8 format, which isn’t appropriate.

To convert your private key (`private.key`) from PKCS #8 to PKCS #1 format (`private.rsa.key`), run the following command:

```bash theme={null}
openTLS rsa -in private.key -out private.rsa.key
```