Skip to main content

TLS (SSL) Certificates for User Domains

To access objects in a bucket via a custom domain over HTTPS, you need to add a TLS (SSL) certificate. You can manage certificates via the Control Panel or User Certificates API.

You can issue a certificate with any provider. If you use Servercore DNS hosting, you can quickly issue a Let’s Encrypt certificate, but you must manually add the certificate after each Let’s Encrypt renewal.

The certificate is added at the country level: it will only work for buckets hosted in the selected country's region. A single certificate cannot be used in multiple projects.

Only one certificate can be active for a single domain. If multiple certificates are added for a domain, the last one uploaded will be active. If the active certificate is deleted or its validity period expires, the previous one will be automatically activated, provided it has not expired.

TLS Protocol

The Transport Layer Security (TLS) protocol is a newer version of the SSL protocol and is used in conjunction with the HTTP protocol. Using HTTP and TLS together ensures data encryption, authentication, and integrity.

For your information

We recommend using the TLS protocol version 1.2 or higher. Versions below 1.2 are considered obsolete (read more on the IETF website) and have not been supported by S3 since May 1, 2023.

You can view the TLS version in use in the logs.

Learn more about configuring TLS version 1.2 in the Amazon documentation:

Add certificate

You can add up to 100 certificates per project.

  1. In the control panel, click Products in the top menu and select S3.

  2. Go to the SSL Certificates section.

  3. Click Add certificate.

  4. Select the country for buckets in which the certificate will work.

  5. Enter a name for the certificate; it must be unique within the project.

  6. Add a primary certificate:

    -----BEGIN CERTIFICATE-----
    <certificate.crt>
    -----END CERTIFICATE-----

    Specify <certificate.crt> — the private key in PKCS#1 format.

  7. Add a private key:

    -----BEGIN PRIVATE KEY-----
    <private_key.key>
    -----END PRIVATE KEY-----

    Specify <private_key.key> — the private key in PKCS#1 format.

  8. Click Add certificate. The certificate will be activated within five minutes.

Certificate statuses

in progressThe certificate is undergoing verification (up to five minutes). If successful, the status will change to active, or to error in case of an error
errorCertificate verification failed. To view the reason, hover over the status. Fix the error, delete the certificate, and add it again.
activeCertificate is active
expiredThe certificate has expired. Delete the certificate and add a new one.

Delete certificate

You cannot delete certificates that are currently being added.

  1. In the control panel, click Products in the top menu and select S3.
  2. Go to the SSL Certificates section.
  3. In the certificate line, click .
  4. Enter the certificate name and click Delete.