
Supplying a Custom SSL Certificate

Two files, server.pem and server.key, are shipped with offline bundles and downloaded by online bundles during an update.

The certificate we provide is signed by us, Vector 35. If you're okay with the occasional "invalid certificate" warning in your web browser, there's no need to replace it. If, however, you wish to use your own SSL certificate, there are some restrictions you should be aware of.


The certificate we provide is valid for all hostnames.

Removing TLS

You can disable TLS on the server with the --no-tls flag. Importantly, this will not let you run a server over plain HTTP, because clients require TLS. It does, however, let you run the Enterprise server behind a proxy.

Certificate Restrictions


Clients will be unable to connect to a server that is using a certificate from a CA (other than Vector 35) that is not in their trust store.

The restrictions on certificates are as follows:

  • Must be valid PEM format
  • Intermediate certificates, if any, must follow the primary certificate in this file
  • Must be signed by either:
    • Vector 35
    • Any CA trusted by all clients
  • Must be valid for the hostname used by clients

The restrictions on keys are as follows:

  • Must be valid PEM format
  • Must not require a password
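A structural pre-check for the two files before they are passed to the server, as an added example (not Vector 35's code). The function names are hypothetical, and treating any non-certificate block in the certificate file as a problem is an assumption. It covers only the PEM-format and no-password restrictions; hostname validity, chain order and the signing CA require parsing the certificate itself.

```python
import base64
import binascii
import re

# PEM armor: matching BEGIN/END labels around optional headers and base64 text.
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)-----END \1-----", re.S)

def pem_blocks(text):
    """Parse PEM armor; return ([(label, headers)], [problem strings])."""
    blocks, problems = [], []
    for label, body in PEM_BLOCK.findall(text):
        lines = [ln.strip() for ln in body.splitlines() if ln.strip()]
        headers = [ln for ln in lines if ":" in ln]  # e.g. "Proc-Type: 4,ENCRYPTED"
        try:
            base64.b64decode("".join(ln for ln in lines if ":" not in ln), validate=True)
        except binascii.Error:
            problems.append(f"{label}: payload is not valid base64")
        blocks.append((label, headers))
    if not blocks:
        problems.append("no complete PEM block found")
    return blocks, problems

def check_cert_file(text):
    """Problems found in the file passed with -c; an empty list means none."""
    blocks, problems = pem_blocks(text)
    return problems + [f"block {i} is '{label}', expected CERTIFICATE"
                       for i, (label, _) in enumerate(blocks) if label != "CERTIFICATE"]

def check_key_file(text):
    """Problems found in the file passed with -k; an empty list means none."""
    blocks, problems = pem_blocks(text)
    keys = [b for b in blocks if b[0].endswith("PRIVATE KEY")]
    if len(keys) != 1:
        problems.append(f"expected 1 private key, found {len(keys)}")
    for label, headers in keys:
        legacy = any(h.replace(" ", "").upper() == "PROC-TYPE:4,ENCRYPTED" for h in headers)
        if label == "ENCRYPTED PRIVATE KEY" or legacy:  # PKCS#8 or legacy OpenSSL form
            problems.append("key requires a password")
    return problems

def armor(label, headers=""):
    """Constructed sample: correct armor around placeholder bytes, not a real key or cert."""
    body = base64.b64encode(b"constructed placeholder").decode()
    return f"-----BEGIN {label}-----\n{headers}{body}\n-----END {label}-----\n"

if __name__ == "__main__":
    print(check_cert_file(armor("CERTIFICATE") + armor("CERTIFICATE")))
    print(check_key_file(armor("RSA PRIVATE KEY", "Proc-Type: 4,ENCRYPTED\nDEK-Info: AES-256-CBC,00\n\n")))
```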

Using the Custom Certificate

Once you have your certificate and key file in the correct format, using them is as easy as passing the relevant options for the location of the certificate and key when running the server.

This is an example, assuming your files from above are named your_cert.pem and your_cert.key:

./manage_server start -c your_cert.pem -k your_cert.key --detach