Cycle Logo

User-Supplied TLS Certificates

Cycle supports uploading user-supplied TLS certificates directly via the portal. User-supplied TLS certificates allow for domain certificates to be used on Cycle that were generated by a third party certificate authority other than Let's Encrypt.

To upload a user-supplied TLS certificate using the portal:

  1. Select DNS on the left menu.
  2. Select TLS from the dropdown.
  3. Select the "User Certificates" tab at the top of the page.
  4. Click "Upload TLS Certificate" in the upper-right hand side of the page.

This will open a dialog that contains the form for uploading a certificate.

upload user-supplied certificate

1. Enter a PEM-encoded Private Key

A PEM encoded TLS certificate will start with -----BEGIN PRIVATE KEY----- and ends with -----END PRIVATE KEY-----.

Encrypted private keys are not supported.

Example PEM-encoded Private Key

-----BEGIN PRIVATE KEY-----
MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQDy5+5...
-----END PRIVATE KEY-----

2. Enter a PEM-encoded Certificate Bundle

A PEM encoded TLS certificate bundle will start with -----BEGIN CERTIFICATE----- and ends with -----END CERTIFICATE-----. The bundle should be provided by the certificate authority used to generate it.

Example PEM-encoded Certificate Bundle

-----BEGIN CERTIFICATE-----
MIIDdzCCAl+gAwIBAgIUH4R+SU0PV...
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIFjzCCA3egAwIBAgIJAO/3UP6FQ...
-----END CERTIFICATE-----

3. Click "+ Add TLS Certificate"

Once the required fields have been filled in, click the + Add TLS Certificate button to add it to the hub registry.

4. Create a LINKED Record

Now that the certificate has been added to the hub registry, any LINKED record that matches an auto-detected domain from the certificate will automatically utilize it.

Create A LINKED Record with a domain specified in the certificate bundle, and check the "TLS Enabled" checkbox to enable TLS for that domain.

Rotating User Supplied TLS Certificates

Rotating certificates must be handled by the user as the platform has no way to automatically renew and uploaded certificate.

The appropriate pattern for rotating these certificates is:

  1. Upload a new certificate.

When the old certificate is 10 days away from expiring, the platform will look for a newer certificate to use.

To force the retirement of an existing certificate:

  1. Upload a new certificate.
  2. Deprecate the old certificate.

This will tell the platform to start looking for the replacement certificate as soon as possible.

Replace not Renew

The process of replacing/rotating certificates is not synonymous with automatically renewing a certificate. With user uploaded certificates, when the platform gets an indication its time to look for a new certificate there is no generation step. Therefore the user will not see a failure to generate error as they would with Cycle generated certificates.