I'm pleased to announce the immediate availability of Wildcard Certificates on Vercel. Starting today, every time you use
vercel aliaswe'll automatically provision a wildcard certificate for your domain.
What does this mean for you?
- Instant aliasing when introducing new subdomains that match a wildcard certificate
- Less management:
vercel certs lsbecomes a lot leaner.
- Improved 404 pages for unknown subdomains (no SSL errors)
- A more flexible certificates API
Previously, whenever you would alias a deployment to a custom domain…
vercel alias <deployment> my.custom.domain.com
… we would instantly issue a certificate on your behalf for
Starting today, if your domain is configured to use the ZEIT World DNS, we will issue a certificate for
If you run
vercel alias we automatically create your wildcard cert
vercel aliasgets faster for subsequent subdomains you add, since we no longer need to create new certificates on-demand. Our CLI and load balancers have been upgraded to look for the wildcard certificate when a specific certificate doesn't match.
Notably, this is completely backwards compatible. The next time you run
vercel aliaswe'll attempt to generate a wildcard certificate and re-use it for subsequent invocations.
Aside from a much faster
vercel aliasprocess, this also opens up very interesting new possibilities.
As an example, you can have your CI / CD processes alias commit identifiers from source control (like Git) to staging domains. You can dynamically deploy a commit (
e3cd2b1) and instantly alias it (
e3cd2b1.staging.mydomain.com) with no additional latency.
When you generate an alias for
mydomain.com, we actually issue a single certificate that combines two Common Names:
This means that one certificate can be used to secure the traffic for the base domain and all its subdomains.
We've improved the look of
vercel certs lsto reflect this:
Multiple Common Names are now listed in
vercel certs ls
Before, when one of your users would go to a subdomain that didn't exist, they would get an SSL error. This is because by default we configure a wildcard DNS CNAME record so that
*.mydomain.comgoes to our load balancers (
Thanks to wildcard certificates, we now render proper 404 pages and clients can process the HTTP response with its status code.
We have bumped our
/vercel/certsAPI endpoint to v3, with the following improvements:
- The Common Name field now accepts wildcard domains
- Whenever a domain is renewed, we don't replace the previous certificate. We always issue new ones, and our load balancers intelligently pick.
- Deletion no longer works based on domain name, since a domain can actually be present in multiple certificates. Instead, you delete by supplying the certificate id. In the future, we plan to empower you to define what certificate is preferred for a certain domain or subdomain.
As part of the introduction of this featureset, we completely revamped the codebase of the
They're faster, leaner and more robust than ever before.
To get started, just run
npm i -g vercelor head to our Download page for all the available installation methods.
We are very happy about some key features this relatively low-level change enables. Some, like we mentioned above, you can start taking advantage of immediately.
We are also working on some interesting features on top of this technology on our end. Follow us to stay on top of the latest.