I'm pleased to announce the immediate availability of Wildcard Certificates on Now. Starting today, every time you use now alias we'll automatically provision a wildcard certificate for your domain.
What does this mean for you?
  • Instant aliasing when introducing new subdomains that match a wildcard certificate
  • Less management: now certs ls becomes a lot leaner.
  • Improved 404 pages for unknown subdomains (no SSL errors)
  • A more flexible certificates API
Previously, whenever you would alias a deployment to a custom domain…
now alias <deployment> my.custom.domain.com
… we would instantly issue a certificate on your behalf for my.custom.domain.com.
Starting today, if your domain is configured to use the ZEIT World DNS, we will issue a certificate for *.custom.domain.com automatically instead.

If you run now alias we automatically create your wildcard cert

This means now alias gets faster for subsequent subdomains you add, since we no longer need to create new certificates on-demand. Our CLI and load balancers have been upgraded to look for the wildcard certificate when a specific certificate doesn't match.
Notably, this is completely backwards compatible. The next time you run now alias we'll attempt to generate a wildcard certificate and re-use it for subsequent invocations.
Aside from a much faster now alias process, this also opens up very interesting new possibilities.
As an example, you can have your CI / CD processes alias commit identifiers from source control (like Git) to staging domains. You can dynamically deploy a commit (e3cd2b1) and instantly alias it (e3cd2b1.staging.mydomain.com) with no additional latency.
When you generate an alias for mydomain.com, we actually issue a single certificate that combines two Common Names:
  • mydomain.com
  • *.mydomain.com
This means that one certificate can be used to secure the traffic for the base domain and all its subdomains.
We've improved the look of now certs ls to reflect this:

Multiple Common Names are now listed in now certs ls

Before, when one of your users would go to a subdomain that didn't exist, they would get an SSL error. This is because by default we configure a wildcard DNS CNAME record so that *.mydomain.com goes to our load balancers (alias.zeit.co).
Thanks to wildcard certificates, we now render proper 404 pages and clients can process the HTTP response with its status code.
We have bumped our /now/certs API endpoint to v3, with the following improvements:
  • The Common Name field now accepts wildcard domains
  • Whenever a domain is renewed, we don't replace the previous certificate. We always issue new ones, and our load balancers intelligently pick.
  • Deletion no longer works based on domain name, since a domain can actually be present in multiple certificates. Instead, you delete by suppling the certificate id. In the future, we plan to empower you to define what certificate is preferred for a certain domain or subdomain.
For more details, refer to the API changelog or the documentation for the certs endpoint.
As part of the introduction of this featureset, we completely revamped the codebase of the alias and certs subcommands.
They're faster, leaner and more robust than ever before.
To get started, just run npm i -g now or head to our Download page for all the available installation methods.
Wildcard certificate issuance is now live on the latest Now 11.1.0 stable client. The v3 API is likewise globally available today.
We are very happy about some key features this relatively low-level change enables. Some, like we mentioned above, you can start taking advantage of immediately.
We are also working on some interesting features on top of this technology on our end. Follow us to stay on top of the latest.