Managing SSL Certificates
Each time you create a new deployment, you will get a new unique subdomain. For this address (just like for the custom domains you've added using
now alias or
now alias), we're automatically provisioning an SSL certificate for you.
You can read more about how exactly the certificate provisioning works here. If you're interested in knowing which browsers the certificates are compatible with, this might also be of interest to you. At last, this document describes how the certificates work per se.
Let's take a look at how you can use Now's command line interface to manage your existing certificates and even upload new ones. In the following examples,
zeit.rocks represents the domain you'd like to modify.
Lists all certificates owned and created by the user. All certificate entries ever created will remain there in the list, as long as the user still owns the domain associated with the certificate. The actual certificates may, however, change over time. For example, we periodically renew all the certificates created with the API.
Allows you to create a new certificate for any domain you have access to and have registered with now. There shouldn't be much real use for this command and it's mainly provided for symmetry, though you may want to use it for creating a certificate entry for a subdomain in advance, before creating an alias using the domain.
The command can be used to upload a certificate issued by a 3rd party Certificate Authority. It requires you to already have an alias with an automatic certificate in place. You can use it like this:
Keep in mind:
--ca ca_chain.crt is optional but needed if your certificate provider is not considered as a root Certificate Authority by web browsers and operating systems (which is usually the case). This file is usually provided by the Certificate Authority you're using.
When automatic certificate renewal fails, we will send you a notification email. Here are some possible reasons:
- The domain is no longer used in Now
- A CAA record permitting issuing a certificate is missing or is invalid
- Other DNS records are missing or invalid
- HTTP requests are being redirected to HTTPS (for example when using Cloudflare)
As of version 0.6.0, now-client comes with API wrappers for managing the certificates bound to aliases using a custom domain.
Normally, when a user created an alias with Now command line utility, we automatically issued a certificate for it (as previously described in this post). So technically, the API endpoint was already there. But until recently, it only supported issuing new certificates. By now, it also supports renewal, removal, and replacement.
The endpoint is called
/now/certs and available in our REST API.