Custom Certificate

When an Endpoint requires a Certificate to perform SSL / TLS termination on your behalf, you can opt to provide your own certificate and private key (alternatively, you can let Aptible provision those for you with Managed TLS).

To do so, you'll have to upload your certificate and private key via the Dashboard.



Aptible doesn't require that you use a valid certificate. If you want, you're free to use a self-signed certificate, but of course, your clients will receive errors when they connect.


The certificate should be a PEM-formatted certificate bundle, which means you should concatenate your certificate file along with the intermediate CA certificate files provided by your CA.

As for, the private key, it should be unencrypted and PEM-formatted as well.



Don't forget to include intermediate certificates! Otherwise, your customers may receive a certificate error when they attempt to connect.

However, you don't need to worry about the ordering of certificates in your bundle: Aptible will sort it properly for you.


When you use a Custom Certificate, it's your responsibility to ensure the Custom Domain you use and your certificate match.

If they don't, your users will see certificate errors.

Supported Keys

Aptible supports the following types of keys for Custom Certificates:

  • RSA 1024
  • RSA 2048
  • RSA 4096
  • ECDSA prime256v1
  • ECDSA secp384r1
  • ECDSA secp521r1