Note: This documentation is for version 1 of the Vercel platform. For the latest features, please see the version 2 documentation. If you have yet to upgrade, see the upgrade guide.

Managing SSL Certificates

Each time you create a new deployment, you will get a new unique subdomain. For this address (just like for the custom domains you've added using now alias or now alias), we're automatically provisioning an SSL certificate for you.

Our platform seamlessly communicates with Let's Encrypt to provide your deployment's domain with an X.509 certificate without any costs. All of this happens in the background, seamlessly.

You can read more about how exactly the certificate provisioning works here. If you're interested in knowing which browsers the certificates are compatible with, this might also be of interest to you. At last, this document describes how the certificates work per se.

Using the CLI

Let's take a look at how you can use Now's command line interface to manage your existing certificates and even upload new ones. In the following examples, represents the domain you'd like to modify.

now certs ls

Lists all certificates owned and created by the user. All certificate entries ever created will remain there in the list, as long as the user still owns the domain associated with the certificate. The actual certificates may, however, change over time. For example, we periodically renew all the certificates created with the API.

now certs create

Allows you to create a new certificate for any domain you have access to and have registered with now. There shouldn't be much real use for this command and it's mainly provided for symmetry, though you may want to use it for creating a certificate entry for a subdomain in advance, before creating an alias using the domain.

now certs replace

The command can be used to upload a certificate issued by a 3rd party Certificate Authority. It requires you to already have an alias with an automatic certificate in place. You can use it like this:

now certs replace --crt domain.crt --key domain.key --ca ca_chain.crt

Keep in mind: --ca ca_chain.crt is optional but needed if your certificate provider is not considered as a root Certificate Authority by web browsers and operating systems (which is usually the case). This file is usually provided by the Certificate Authority you're using.

Renewal failure

When automatic certificate renewal fails, we will send you a notification email. Here are some possible reasons:

  1. The domain is no longer used in Now
  2. A CAA record permitting issuing a certificate is missing or is invalid
  3. Other DNS records are missing or invalid
  4. HTTP requests are being redirected to HTTPS (for example when using Cloudflare)

The API Endpoint

As of version 0.6.0, now-client comes with API wrappers for managing the certificates bound to aliases using a custom domain.

Normally, when a user created an alias with Now command line utility, we automatically issued a certificate for it (as previously described in this post). So technically, the API endpoint was already there. But until recently, it only supported issuing new certificates. By now, it also supports renewal, removal, and replacement.

The endpoint is called /now/certs and available in our REST API.