
Add an SSL certificate to deliver content over HTTPS

What is an SSL certificate?

An SSL certificate is a unique digital signature for your website that provides a secure connection between a client and a server. It is essential when sensitive information is being transferred and financial transactions are being carried out.

In Gcore, two types of SSL certificates are available:

1. Your own SSL certificate. You can re-issue a certificate for your domain from a third-party company and add its data to the control panel. 

2. Free Let's Encrypt certificate. You can issue a free Let's Encrypt certificate for your custom domain. All data will be added automatically. 

1. Your own SSL certificate

There are 2 ways to add a certificate: during resource creation and on the SSL Certificates page of your account.

Add an SSL certificate during resource creation

To add and bind a personal certificate during CDN resource creation:

1. In the Custom domain section enter your desired domain name.

2. In the SSL section, turn on the toggle for Enable HTTPS and select Add or select your own SSL certificate.

3. Click Add SSL certificate.

4. In the pop-up window, enter a certificate name, the certificate in PEM format, and the private key.

For help inserting the certificate and key contents, read How to insert an SSL certificate and a key correctly.

5. Click Add SSL certificate.

The certificate will be bound to the resource and added to the list of certificates in the SSL Certificates page.

Add an SSL certificate on the SSL certificates page

To add a personal certificate without binding to a resource:

1. Click SSL certificates in the side panel of the CDN service and click Add SSL certificate.

2. In the form that appears, enter a certificate name, the SSL certificate in PEM format, and the private key.

For help inserting the certificate and key contents, read How to insert an SSL certificate and a key correctly.

3. Click Create SSL Certificate.

The certificate will be displayed in the list of certificates in the SSL Certificates page. The SSL Certificates page contains a table that lists your personal certificates and associated information such as the ID, name, CDN resources connected to the certificate, and expiration date.

How to insert an SSL certificate and a key correctly

1. Open the certificate file in PEM format (.pem, .crt, or .cer) using a text editor like Notepad.

2. Copy and paste the certificate chain in this order: Personal certificate, Intermediate CA, Root CA.

3. All the contents of the certificate must be inserted into the Certificate field, including the tags -----BEGIN CERTIFICATE----- and -----END CERTIFICATE-----.

4. The certificate chain must be inserted together, similar to the following:

5. Make sure to add a new line at the end of the certificate chain.

6. Open the private key file (.key) using a text editor.

7. Copy and paste all of its contents into the Private key field, including the tags -----BEGIN RSA PRIVATE KEY----- and -----END RSA PRIVATE KEY-----.

8. Click Create SSL certificate.

The certificate will appear in the SSL Certificates page. If it is added during the resource creation process, the certificate will also be bound to the resource.
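The checks from the steps above (chain order, PEM tags, trailing new line) can be run on the text before it is pasted. This is an added example, not Gcore code: the function names are hypothetical, the sample chain is constructed from certificate-shaped DER skeletons rather than real certificates, and issuer/subject names are compared byte for byte.

```python
import base64
import re

PEM_RE = re.compile(r"-----BEGIN ([A-Z ]+)-----\s+(.*?)\s*-----END \1-----", re.S)

def _tlv(buf, pos):  # one DER header -> (tag, value_start, value_end)
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: the next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def issuer_subject(der):
    """Return the raw issuer and subject Name encodings of an X.509 certificate."""
    pos = _tlv(der, _tlv(der, 0)[1])[1]  # enter Certificate, then tbsCertificate
    fields = []
    while len(fields) < 5:  # serialNumber, signature, issuer, validity, subject
        tag, _, end = _tlv(der, pos)
        if tag != 0xA0:  # skip the optional [0] version
            fields.append(der[pos:end])
        pos = end
    return fields[2], fields[4]

def check_certificate_field(text):
    """List problems with text about to be pasted into the Certificate field."""
    blocks = PEM_RE.findall(text)
    problems = [] if blocks else ["no PEM blocks found"]
    if any(label != "CERTIFICATE" for label, _ in blocks):
        problems.append("non-certificate block in Certificate field")
    if not text.endswith("\n"):
        problems.append("no new line at the end of the chain")
    names = [issuer_subject(base64.b64decode(b)) for label, b in blocks if label == "CERTIFICATE"]
    for i in range(len(names) - 1):  # each certificate must be issued by the next
        if names[i][0] != names[i + 1][1]:
            problems.append(f"certificate {i + 1} is not issued by certificate {i + 2}")
    return problems

def _der(tag, *parts):  # short-form DER lengths only: the sample data is tiny
    return bytes([tag, sum(map(len, parts))]) + b"".join(parts)

def skeleton_cert(subject, issuer):  # constructed sample: no key or signature
    name = lambda cn: _der(0x30, _der(0x31, _der(0x30, b"\x06\x03\x55\x04\x03", _der(0x0C, cn.encode()))))
    tbs = _der(0x30, _der(0xA0, b"\x02\x01\x02"), b"\x02\x01\x01", _der(0x30),
               name(issuer), _der(0x30), name(subject))
    body = base64.b64encode(_der(0x30, tbs)).decode()
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"

LEAF = skeleton_cert("cdn.example.com", "Example Intermediate")
INTERMEDIATE = skeleton_cert("Example Intermediate", "Example Root")
ROOT = skeleton_cert("Example Root", "Example Root")
```

An empty list from check_certificate_field(LEAF + INTERMEDIATE + ROOT) means the layout matches the steps above; it does not verify signatures or that the private key belongs to the certificate.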

Attach an SSL certificate to a resource

A certificate added to the SSL Certificates page can be attached to a CDN resource while creating or editing it. To edit an existing resource:

1. Go to CDN and select the CDN resource you want to configure.

2. In the navigation panel, under the General section, click SSL.

3. In the SSL section, turn on the toggle for Enable HTTPS, and select Add or select your own SSL certificate.

4. Click the Select the certificate dropdown and select the certificate that you want to use.

5. Click Save changes.

Important: If a Let's Encrypt certificate is enabled for a resource, the certificate selector will not be displayed. To select a personal certificate, you must first revoke the Let's Encrypt certificate.

Renew an SSL certificate

There is no way to change the data of an added certificate, so when the certificate is nearing its expiration date, follow these steps:

1. Go to the SSL Certificates page and add a new certificate.

2. Go to the settings of the CDN resource you want to configure.

3. In the SSL section, select the new certificate from the dropdown menu.

4. Click Save changes and allow at least 15 minutes for the changes to take effect.

5. To verify that the SSL certificate has been correctly installed and bound to the resource, enter your CNAME into the browser (e.g., https://example.ru). Click the lock icon in the address bar, navigate to Connection is secure, and click Certificate is valid.

Compare the displayed certificate data with the certificate data you just installed. If the settings match, you can safely delete the old certificate from the SSL Certificates page.

Note: Delete the old certificate only after making sure that your content is being delivered using the new certificate. If you delete the old certificate too soon, content delivery will be interrupted.

SSL certificates expiration notifications

When your added certificates are about to expire, a notification is displayed in your account and sent to the email addresses of the Administrator and Engineer.

Users are notified by email:

  • 14 days before the certificate expires
  • 7 days before the certificate expires
  • On the day of the certificate's expiration

When you log in to your account, you will see a reminder about the expiration of the certificate.

The SSL certificates in the side panel will also be marked with an exclamation point if there are already expired certificates or those that will expire within the next 14 days:

In the certificates table, warning signs will also appear next to the certificates that need attention.

  • If the certificate has already expired:
  • If the certificate is due to expire in 14 days or less:

Note: Certificates issued by Let's Encrypt are automatically renewed, so there are no expiration notifications for such certificates.

Delete an SSL certificate

To delete a certificate, click the three dots icon next to the certificate, then click Delete.

Note: It is not possible to delete certificates that are in use by CDN resources. If you want to delete the certificate, you must first replace it with another certificate in the CDN Resource Settings.

2. Let's Encrypt certificate

If you do not have your own SSL certificate, you can activate the free Let's Encrypt certificate in your account.

Activate a Let's Encrypt certificate

1. Use a custom domain name for your resource.

2. In the SSL section, turn on the toggle for Enable HTTPS, and select Get free Let's Encrypt certificate.

The certificate issuance may take up to 30 minutes. During this time, please do not:

  • disable the HTTPS option,
  • select another certificate,
  • interrupt the issuance of the current certificate.

Important:

  • The time it takes to issue a certificate varies depending on when the CDN resource was created. If you are requesting a certificate for a recently created resource, it may take up to 30 minutes as the configuration has not yet been fully propagated to all CDN servers. However, if the resource's configuration has already been fully propagated, issuing a Let's Encrypt certificate will only take a few minutes.

  • Let's Encrypt requires placing a temporary file at the URL http://<CNAME>/.well-known/acme-challenge/<TOKEN> and making HTTP requests to this file. Before adding a Let's Encrypt certificate, make sure that your CDN resource does not have any rules that block these requests. Examples of such rules include:

    • A rule with /*. This rule will catch any strings and override the hidden rule that is necessary to obtain a certificate.
    • A rule with ((?!(jpeg|gif|png|pdf|jpg|css|js|woff|woff2|ttf)).)*$. This rule will catch all non-static files.

You can check your resource rules using the service regex1. If you find a rule that blocks Let's Encrypt certificate issuance, delete the rule or change its pattern. The next time Let's Encrypt sends a request, the certificate issuance should be successful.
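A local check of rule patterns against the challenge URL path, as an added example that is not Gcore code. Assumptions: a rule applies when its pattern matches from the start of the request path, Python's re module stands in for the CDN's regex engine, and the token, the static path and the last two rules are constructed samples.

```python
import re

# Constructed sample paths; the token is a placeholder, not a real ACME token.
ACME_PATH = "/.well-known/acme-challenge/SAMPLE_TOKEN_abc123"
STATIC_PATH = "/img/logo.png"

def audit_rules(patterns, path=ACME_PATH):
    """Map each rule pattern to 'matches', 'no match' or 'invalid regex' for path.

    Assumption: a rule applies when its pattern matches from the start of the path.
    """
    report = {}
    for pattern in patterns:
        try:
            matched = re.match(pattern, path) is not None
        except re.error:
            report[pattern] = "invalid regex"
            continue
        report[pattern] = "matches" if matched else "no match"
    return report

RULES = [
    "/*",                                                     # from the page
    "((?!(jpeg|gif|png|pdf|jpg|css|js|woff|woff2|ttf)).)*$",  # from the page
    "/images/.*",                                             # constructed: scoped rule
    r"/(?!\.well-known/acme-challenge/).*",                   # constructed: catch-all that skips the challenge path
]

if __name__ == "__main__":
    for rule, verdict in audit_rules(RULES).items():
        print(f"{verdict:10} {rule}")
```

A rule reported as "matches" for ACME_PATH is one to delete or narrow before requesting the certificate; running the same audit with STATIC_PATH shows what the rule still covers.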

If an error occurs during certificate issuance, the Enable HTTPS toggle will be disabled and a notification will be sent to your email.

While the resource is active, the certificate is renewed automatically. An attempt to reissue the certificate will be made 30 days before the expiration of the current certificate. There is only one attempt to reissue the certificate. If the certificate is not reissued, a notification will be sent to your email.

In the event of an unsuccessful attempt to reissue a certificate, the current certificate will remain active for another 30 days. After the certificate's end date, the content will become unavailable via HTTPS.

To avoid interruption of content delivery, please reissue the certificate yourself. To do this, revoke the Let's Encrypt certificate in your account and then .

Revoke a Let's Encrypt certificate

To revoke a certificate, go to the Resource Settings and click Revoke Let's Encrypt certificate in the SSL section.

Note: You can also use an API request to replace the Let's Encrypt certificate with your own certificate without having to revoke it.

Restrictions and features of the option

  • A wildcard domain cannot be issued a certificate.
  • If a Let's Encrypt certificate is issued, the certificate selector will not be displayed in the resource settings. Personal certificates will become available for selection after revoking Let's Encrypt.
  • A Let's Encrypt certificate will not be displayed on the SSL Certificates page.
  • A certificate is only visible in the settings of the resource for which it is issued.
  • Issuing and revoking a Let's Encrypt certificate does not require saving the Resource Settings.
  • If you are using Cloudflare DNS, be sure not to set the CNAME Flattening option to Flatten all CNAMEs. This will cause Cloudflare to return an A-record instead of a CNAME, which will prevent the issuance of a Let's Encrypt certificate. To successfully issue a Let's Encrypt certificate, set the CNAME Flattening option to Flatten CNAME at root.
