Custom TLS certificates

The documentation only applies to instances deployed on Alokai@Edge.

Custom TLS certificates allow you to use and manage your own certificates instead of certificates managed by Alokai.

After uploading a certificate, the Console parses it and lists all domains (including wildcard domains) included in the certificate.

Understand certificate behavior

Certificates are managed at the organization level and can be reused across multiple instances and domains.

Activation model

  • Uploading a certificate does not activate it or make it available for domains.
  • A certificate must be activated for a domain before it can be used.

Limitations when removing

  • A private key cannot be removed while used by any certificate.
  • A certificate cannot be removed if it has any activation.

Meet certificate requirements

Before adding a certificate, upload the corresponding private key.

A certificate will be accepted only if:

  • the private key exists in the organization
  • the certificate and private key form a matching pair
  • the private key length is exactly 2048 bits
  • the certificate is valid (not expired)
  • the certificate remains valid for at least 30 days from the date of upload
  • the certificate contains appropriate SAN entries (domains or wildcards)

Certificates that do not meet these conditions are rejected.
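
A local pre-upload check for the requirements listed above, as an added example that is not part of the Alokai documentation or tooling. It assumes OpenSSL 1.1.1 or later and unencrypted PEM files, and the function name `check_cert_pair` is hypothetical. Whether the private key exists in the organization can only be confirmed in the Console.

```sh
#!/bin/sh
# Added example: local pre-upload check of a certificate / private-key pair.
# Usage: check_cert_pair cert.pem key.pem   (returns 0 = pass, 1 = fail)
# Assumes OpenSSL 1.1.1+ and unencrypted PEM files.

MIN_VALID_SECONDS=$((30 * 24 * 3600))   # "at least 30 days from the date of upload"
REQUIRED_KEY_BITS=2048

# The body runs in a subshell, so variables stay local and `exit` only ends the function.
check_cert_pair() (
    cert=$1; key=$2; rc=0

    # Both files must parse before anything else can be checked.
    openssl x509 -in "$cert" -noout 2>/dev/null || { echo "FAIL: cannot parse certificate"; exit 1; }
    openssl pkey -in "$key" -noout 2>/dev/null || { echo "FAIL: cannot parse private key"; exit 1; }

    # Matching pair: the certificate's public key must equal the one derived from the private key.
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey)
    key_pub=$(openssl pkey -in "$key" -pubout)
    [ "$cert_pub" = "$key_pub" ] || { echo "FAIL: certificate and private key do not match"; rc=1; }

    # Key length: read the size from the first line of the key dump.
    bits=$(openssl pkey -in "$key" -noout -text | sed -n 's/.*Private-Key: (\([0-9]*\) bit.*/\1/p')
    [ "$bits" = "$REQUIRED_KEY_BITS" ] || { echo "FAIL: key is ${bits:-?} bits, need $REQUIRED_KEY_BITS"; rc=1; }

    # Validity: -checkend N exits non-zero if the certificate expires within N seconds.
    if ! openssl x509 -in "$cert" -noout -checkend 0 >/dev/null; then
        echo "FAIL: certificate is expired"; rc=1
    elif ! openssl x509 -in "$cert" -noout -checkend "$MIN_VALID_SECONDS" >/dev/null; then
        echo "FAIL: certificate expires in under 30 days"; rc=1
    fi

    # SAN: at least one DNS entry; list them so they can be compared with the Console.
    san=$(openssl x509 -in "$cert" -noout -ext subjectAltName 2>/dev/null | grep 'DNS:' || true)
    if [ -n "$san" ]; then
        echo "SAN entries:$san"
    else
        echo "FAIL: no DNS entries in subjectAltName"; rc=1
    fi

    exit "$rc"
)
```

The SAN line it prints should match the domain list the Console shows after upload.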

Activate certificates

To make a certificate available for a domain:

  1. Activate the certificate for one or more domains.

A certificate must be activated before it can be used with a domain.

Activation does not require selecting the certificate during domain configuration. The platform determines which certificate is used based on active domain activations.

Use certificates with domains

To use a certificate for traffic, the domain must be configured as a Custom Domain using a custom certificate.

The typical flow is:

  1. Upload a certificate.
  2. Activate the certificate for a domain.
  3. Add the domain as a Custom Domain.

The certificate used for a domain is determined automatically based on its activation.

Check activation states

Each domain in a certificate can have one of the following states:

| State | Description |
|---|---|
| Active and used | The certificate is active and used by a Custom Domain |
| Active (not used) | The certificate is active but not currently used by any Custom Domain |
| Inactive | The certificate is not active for this domain |

A certificate activation cannot be removed if the domain is configured as a Custom Domain using a custom certificate.

Remove certificates

A certificate can only be removed if it does not have any active domain activations.

Before removing a certificate:

  1. Remove domains from Custom Domains or switch them to a managed certificate.
  2. Ensure no activations remain for the certificate.
  3. Delete the certificate.

Renew certificates

Certificates must be renewed before expiration to maintain secure traffic.

Renew with the same provider

If the certificate is renewed with the same provider:

  • the certificate content is updated
  • the private key remains the same

To update the certificate:

  1. Edit the existing certificate
  2. Replace its content with the renewed certificate

No additional steps are required.

Renew with a different provider

If the certificate is renewed with a different provider:

  • a new certificate must be uploaded
  • a new private key is required

Recommended flow:

  1. Upload the new certificate and private key
  2. Activate the new certificate for the required domains

Previous activations for those domains will be automatically replaced.

Manage wildcard certificates

Wildcard certificates apply to multiple subdomains.

Activating or deactivating a wildcard certificate affects all covered subdomains.

Changes to wildcard certificates should be applied carefully, as they may impact multiple domains at once.

Check certificate status

Certificates can have the following statuses:

  • Valid – the certificate is active and not expired
  • Expiring – the certificate is approaching expiration
  • Expired – the certificate is no longer valid

Expired certificates cannot be used for active domains.

Avoid common issues

  • Activating a certificate does not enable it for traffic — the domain must be configured as a Custom Domain using a custom certificate.
  • Removing a certificate requires all associated domains to be removed or switched to a managed certificate first.
  • When renewing with a different provider, activating a new certificate replaces the previous certificate for that domain.