By default, Vercel provides all domains with a custom SSL certificates. However, Enterprise teams can upload a custom SSL certificate. This allows for Enterprise teams to serve their own SSL certificate on a Custom Domain at Vercel's edge network, rather than the automatically generated certificate.
Uploading a custom certificate follows a three step process:
- Providing the private key for the certificate
- Providing the certificate itself
- Providing the Certificate Authority root certificate such as one of Let's Encrypt's ISRG root certificates. This will be provided by your certificate issuer and is different to the core certificate. This may be included in their download process or available for download on their website.
The content of each element must be copied and pasted into the input box directly. The certificate and private key can be extracted from the PEM files that are provided by your certificate issuer, and should be in the following format:
-----BEGIN CERTIFICATE----- <Certificate body will be here> -----END CERTIFICATE-----
-----BEGIN PRIVATE KEY----- <Private key body will be here> -----END PRIVATE KEY-----
When uploading your SSL certificate, you should note the following:
- The automatically generated certificate will remain in place, but a custom certificate is prioritized over the existing certificate. This means that if a custom certificate is uploaded and then later removed, Vercel will revert to the automatically generated certificate.
- You can include canonical names CN's (CN's) for other subdomains on the certificate without needing to add these domains to Vercel. The certificate will be served on these domains if or when they are added.
- Wildcards certificates can be uploaded
- Certificates with an explicitly defined subdomain are prioritized over a wildcard certificate when both are valid for a given subdomain