I'm pleased to announce the immediate availability of Wildcard Certificates on Vercel. Starting today, every time you use vercel alias we'll automatically provision a wildcard certificate for your domain.
What does this mean for you?
  • Instant aliasing when introducing new subdomains that match a wildcard certificate
  • Less management: vercel certs ls becomes a lot leaner.
  • Improved 404 pages for unknown subdomains (no SSL errors)
  • A more flexible certificates API

Instant Aliasing

Previously, whenever you would alias a deployment to a custom domain…
vercel alias <deployment> my.custom.domain.com
… we would instantly issue a certificate on your behalf for my.custom.domain.com.
Starting today, if your domain is configured to use the ZEIT World DNS, we will issue a certificate for *.custom.domain.com automatically instead.

If you run vercel alias we automatically create your wildcard cert

This means vercel alias gets faster for subsequent subdomains you add, since we no longer need to create new certificates on-demand. Our CLI and load balancers have been upgraded to look for the wildcard certificate when a specific certificate doesn't match.
Notably, this is completely backwards compatible. The next time you run vercel alias we'll attempt to generate a wildcard certificate and re-use it for subsequent invocations.
Aside from a much faster vercel alias process, this also opens up very interesting new possibilities.
As an example, you can have your CI / CD processes alias commit identifiers from source control (like Git) to staging domains. You can dynamically deploy a commit (e3cd2b1) and instantly alias it (e3cd2b1.staging.mydomain.com) with no additional latency.

Simplified and improved certificate management

When you generate an alias for mydomain.com, we actually issue a single certificate that combines two Common Names:
  • mydomain.com
  • *.mydomain.com
This means that one certificate can be used to secure the traffic for the base domain and all its subdomains.
We've improved the look of vercel certs ls to reflect this:

Multiple Common Names are now listed in vercel certs ls

Better 404s

Before, when one of your users went to a subdomain that didn't exist, they would get an SSL error. This is because by default we configure a wildcard DNS CNAME record so that *.mydomain.com goes to our load balancers (alias.zeit.co), which had no certificate covering the unknown name.
Thanks to wildcard certificates, we now render proper 404 pages and clients can process the HTTP response with its status code.
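
The sketch below is an added example, not Vercel's load balancer code. It shows the fallback described above (an exact certificate first, then a wildcard) and why one certificate carries both mydomain.com and *.mydomain.com. It assumes the usual TLS hostname-matching rule, in which a wildcard covers exactly one left-most label; the function names and certificate ids are constructed for illustration.

```javascript
// Added example: certificate ids and the store layout are constructed.

// A wildcard covers exactly one left-most label: it never spans a dot
// and never matches the base domain itself.
function nameMatches(pattern, hostname) {
  const p = pattern.toLowerCase();
  const h = hostname.toLowerCase().replace(/\.$/, ''); // tolerate a trailing dot
  if (!p.startsWith('*.')) return p === h;
  const dot = h.indexOf('.');
  return dot > 0 && h.slice(dot + 1) === p.slice(2);
}

// Prefer a certificate listing the exact hostname, then fall back to a
// wildcard. Returns the certificate id, or null when nothing covers the
// name (the case that surfaces to the client as a TLS error).
function pickCertificate(hostname, certs) {
  const isWild = (n) => n.startsWith('*.');
  const exact = certs.find((c) =>
    c.names.some((n) => !isWild(n) && nameMatches(n, hostname)));
  if (exact) return exact.id;
  const wild = certs.find((c) =>
    c.names.some((n) => isWild(n) && nameMatches(n, hostname)));
  return wild ? wild.id : null;
}

// Constructed certificate store (placeholder ids).
const sampleCerts = [
  { id: 'cert_base', names: ['mydomain.com', '*.mydomain.com'] },
  { id: 'cert_staging', names: ['*.staging.mydomain.com'] },
  { id: 'cert_api', names: ['api.mydomain.com'] },
];

const sampleHosts = [
  'mydomain.com',                 // covered only because the base name is listed
  'api.mydomain.com',             // exact certificate wins over the wildcard
  'typo.mydomain.com',            // unknown subdomain: wildcard lets the 404 render
  'e3cd2b1.staging.mydomain.com', // needs *.staging.mydomain.com, not *.mydomain.com
  'a.b.staging.mydomain.com',     // two labels deep: no certificate matches
];
for (const host of sampleHosts) {
  console.log(host, '->', pickCertificate(host, sampleCerts));
}
```
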

A Better certificates API

We have bumped our /vercel/certs API endpoint to v3, with the following improvements:
  • The Common Name field now accepts wildcard domains
  • Whenever a domain is renewed, we don't replace the previous certificate. We always issue new ones, and our load balancers intelligently pick.
  • Deletion no longer works based on domain name, since a domain can actually be present in multiple certificates. Instead, you delete by supplying the certificate id. In the future, we plan to empower you to define which certificate is preferred for a certain domain or subdomain.
For more details, refer to the API changelog or the documentation for the certs endpoint.

A More Robust CLI

As part of the introduction of this feature set, we completely revamped the codebase of the alias and certs subcommands.
They're faster, leaner and more robust than ever before.
To get started, just run npm i -g vercel or head to our Download page for all the available installation methods.


Wildcard certificate issuance is now live on Vercel CLI. The v3 API is likewise globally available today.
We are very happy about some key features this relatively low-level change enables. Some, as we mentioned above, you can start taking advantage of immediately.
We are also working on some interesting features on top of this technology on our end. Follow us to stay on top of the latest.