TLS (SSL) Certificates for User Domains

To access objects in a bucket via a custom domain over HTTPS, you need to add a TLS (SSL) certificate. You can manage certificates via the Control Panel or User Certificates API.

You can issue a certificate with any provider. If you use Servercore DNS hosting, you can quickly issue a Let’s Encrypt certificate, but you must manually add the certificate after each Let’s Encrypt renewal.

A certificate is added at the country level: it will only work for buckets hosted in the region of the selected country.

Only one certificate can be active for a domain at a time. If multiple certificates are added for a domain, the last uploaded one will be active. If the active certificate is deleted or expires, the previous one will be automatically activated, provided it has not expired.

TLS Protocol

The Transport Layer Security (TLS) protocol is a newer version of the SSL protocol and is used in conjunction with the HTTP protocol. Using HTTP and TLS together ensures data encryption, authentication, and integrity.

For your information

We recommend using TLS protocol version 1.2 or higher. Versions below 1.2 are considered obsolete (see more on the IETF website) and have not been supported by S3 since May 1, 2023.

You can view the TLS version in use in the logs.

Learn more about configuring TLS version 1.2 in the Amazon documentation:

Add certificate

You can add up to 100 certificates per project.

  1. In the control panel, from the top menu, click Products and select S3.

  2. Go to the SSL Certificates section.

  3. Click Add certificate.

  4. Select the country of the buckets for which the certificate will work.

  5. Enter a name for the certificate; it must be unique within the project.

  6. Add a primary certificate:

    -----BEGIN CERTIFICATE-----
    <certificate.crt>
    -----END CERTIFICATE-----

    Specify <certificate.crt> — the primary certificate.

  7. Add a private key:

    -----BEGIN PRIVATE KEY-----
    <private_key.key>
    -----END PRIVATE KEY-----

    Specify <private_key.key> — the private key in PKCS#1 format.

  8. Click Add certificate. The certificate will be activated within five minutes.
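
A structural pre-upload check for the two form fields in steps 6 and 7, added here as an example and not part of the Servercore documentation or tooling: it confirms that each field holds the right kind of PEM block and reports the private key's encoding from its PEM label, so it can be compared with the format the page asks for. The names `pem_blocks` and `lint_upload` and the sample values are assumptions, constructed for illustration.

```python
import base64
import binascii
import re

# RFC 7468 textual encoding: BEGIN line, base64 body, matching END line.
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.S)
# PEM label -> private key encoding that the label denotes.
KEY_ENCODINGS = {"RSA PRIVATE KEY": "PKCS#1", "PRIVATE KEY": "PKCS#8",
                 "ENCRYPTED PRIVATE KEY": "PKCS#8 (encrypted)", "EC PRIVATE KEY": "SEC1"}
# Constructed sample: a 5-byte DER SEQUENCE stands in for real certificate and key bodies.
SAMPLE_CERT = "-----BEGIN CERTIFICATE-----\nMAMCAQA=\n-----END CERTIFICATE-----\n"
SAMPLE_KEY = "-----BEGIN PRIVATE KEY-----\nMAMCAQA=\n-----END PRIVATE KEY-----\n"


def pem_blocks(text):
    """Return (label, problem) per PEM block; problem is None if the body is base64 DER."""
    blocks = []
    for label, body in PEM_BLOCK.findall(text):
        try:
            der = base64.b64decode("".join(body.split()), validate=True)
            problem = None if der[:1] == b"\x30" else "body is not a DER SEQUENCE"
        except binascii.Error:
            problem = "body is not valid base64"
        blocks.append((label, problem))
    return blocks


def lint_upload(cert_field, key_field):
    """Check both form fields before upload; return (findings, key_encoding)."""
    findings = []
    certs, keys = pem_blocks(cert_field), pem_blocks(key_field)
    if not certs:
        findings.append("certificate field: no PEM block found")
    for label, problem in certs:
        if label in KEY_ENCODINGS:
            findings.append("certificate field: contains a private key")
        elif label != "CERTIFICATE":
            findings.append(f"certificate field: unexpected block {label!r}")
        elif problem:
            findings.append(f"certificate field: {problem}")
    if len(keys) != 1 or keys[0][0] not in KEY_ENCODINGS:
        findings.append("key field: expected exactly one private key block")
        return findings, None
    label, problem = keys[0]
    if problem:
        findings.append(f"key field: {problem}")
    if label == "ENCRYPTED PRIVATE KEY":
        findings.append("key field: key is passphrase-protected")
    return findings, KEY_ENCODINGS[label]
```

This check is structural only: it does not verify that the key matches the certificate or that the certificate is unexpired, which requires an X.509 parser.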

Certificate statuses

in progress: The certificate is being verified (up to five minutes). Upon successful verification, the status will change to active, or to error in case of an error.
error: Certificate verification failed; hover over the status to see the reason. Fix the error, delete the certificate, and add it again.
active: Certificate is active.
expired: The certificate has expired. Delete the certificate and add a new one.

Delete certificate

You cannot delete certificates that are currently being added.

  1. In the control panel, from the top menu, click Products and select S3.
  2. Go to the SSL Certificates section.
  3. In the certificate row, click .
  4. Enter the certificate name and click Delete.