[{"data":1,"prerenderedAt":678},["ShallowReactive",2],{"blog-how-to/custom-domain-ssl":3},{"id":4,"title":5,"body":6,"category":652,"date":653,"dateModified":653,"description":654,"draft":655,"extension":656,"faq":657,"featured":655,"headerVariant":664,"image":665,"keywords":665,"meta":666,"navigation":667,"ogDescription":668,"ogTitle":665,"path":669,"readTime":665,"schemaOrg":670,"schemaType":671,"seo":672,"sitemap":673,"stem":674,"tags":675,"twitterCard":676,"__hash__":677},"blog/blog/how-to/custom-domain-ssl.md","How to Set Up SSL for Custom Domains",{"type":7,"value":8,"toc":611},"minimark",[9,13,17,21,35,40,56,60,82,98,129,135,139,154,165,189,199,203,212,227,242,251,255,267,282,294,298,376,380,385,417,421,433,445,457,474,478,482,488,492,498,502,508,512,518,522,528,579,587],[10,11],"category-badge",{"category":12},"How-To Guide",[14,15,5],"h1",{"id":16},"how-to-set-up-ssl-for-custom-domains",[18,19,20],"p",{},"Configure HTTPS for your custom domain on any platform",[22,23,24,27],"tldr",{},[18,25,26],{},"TL;DR (15 minutes):",[18,28,29,30,34],{},"Add your domain in the platform dashboard, configure DNS records (CNAME for subdomains, A record for root), wait for DNS propagation, and the platform auto-provisions your SSL certificate. Most issues are DNS-related - verify with ",[31,32,33],"code",{},"dig"," before troubleshooting SSL.",[36,37,39],"h2",{"id":38},"prerequisites","Prerequisites",[41,42,43,47,50,53],"ul",{},[44,45,46],"li",{},"A registered domain name with access to DNS settings",[44,48,49],{},"Your app deployed on Vercel, Netlify, Cloudflare Pages, or similar platform",[44,51,52],{},"Domain registrar login credentials",[44,54,55],{},"About 15 minutes (plus DNS propagation time)",[36,57,59],{"id":58},"vercel-custom-domain-ssl","Vercel Custom Domain SSL",[61,62,64,69,72],"step",{"number":63},"1",[65,66,68],"h3",{"id":67},"add-domain-in-vercel-dashboard","Add domain in Vercel dashboard",[18,70,71],{},"Go to your project > Settings > Domains > Add Domain",[73,74,79],"pre",{"className":75,"code":77,"language":78},[76],"language-text","# Enter your domain:\nyourdomain.com\n\n# Vercel will show required DNS records\n","text",[31,80,77],{"__ignoreMap":81},"",[61,83,85,89,92],{"number":84},"2",[65,86,88],{"id":87},"configure-dns-records","Configure DNS records",[18,90,91],{},"Add these records at your DNS provider:",[73,93,96],{"className":94,"code":95,"language":78},[76],"# For root domain (yourdomain.com)\nType: A\nName: @\nValue: 76.76.21.21\n\n# For www subdomain\nType: CNAME\nName: www\nValue: cname.vercel-dns.com\n\n# Vercel also supports AAAA records for IPv6:\nType: AAAA\nName: @\nValue: 2606:4700:4400::6812:2b21\n",[31,97,95],{"__ignoreMap":81},[61,99,101,105,108],{"number":100},"3",[65,102,104],{"id":103},"wait-for-verification","Wait for verification",[18,106,107],{},"Vercel checks DNS automatically. The dashboard shows status:",[41,109,110,117,123],{},[44,111,112,116],{},[113,114,115],"strong",{},"Pending Verification"," - DNS not yet detected, wait for propagation",[44,118,119,122],{},[113,120,121],{},"Valid Configuration"," - DNS correct, SSL provisioning",[44,124,125,128],{},[113,126,127],{},"Certificate Issued"," - HTTPS ready",[130,131,132],"tip-box",{},[18,133,134],{},"Vercel Tip:\nEnable \"Redirect to Primary Domain\" in domain settings to automatically redirect www to non-www (or vice versa) with proper SSL.",[36,136,138],{"id":137},"netlify-custom-domain-ssl","Netlify Custom Domain SSL",[61,140,141,145,148],{"number":63},[65,142,144],{"id":143},"add-domain-in-netlify","Add domain in Netlify",[18,146,147],{},"Go to Site settings > Domain management > Add custom domain",[73,149,152],{"className":150,"code":151,"language":78},[76],"# Add both:\nyourdomain.com\nwww.yourdomain.com\n",[31,153,151],{"__ignoreMap":81},[61,155,156,159],{"number":84},[65,157,88],{"id":158},"configure-dns-records-1",[73,160,163],{"className":161,"code":162,"language":78},[76],"# Option A: Use Netlify DNS (recommended)\n# Transfer nameservers to Netlify for automatic configuration\n\n# Option B: External DNS\n# For root domain - use A record:\nType: A\nName: @\nValue: 75.2.60.5\n\n# For www - use CNAME:\nType: CNAME\nName: www\nValue: your-site-name.netlify.app\n\n# Netlify also provides load-balanced IPs - check dashboard for current values\n",[31,164,162],{"__ignoreMap":81},[61,166,167,171,174,186],{"number":100},[65,168,170],{"id":169},"provision-ssl-certificate","Provision SSL certificate",[18,172,173],{},"After DNS verification:",[175,176,177,180,183],"ol",{},[44,178,179],{},"Go to Site settings > Domain management > HTTPS",[44,181,182],{},"Click \"Verify DNS configuration\"",[44,184,185],{},"Click \"Provision certificate\"",[18,187,188],{},"Netlify uses Let's Encrypt and handles renewal automatically.",[61,190,192,196],{"number":191},"4",[65,193,195],{"id":194},"enable-https-redirect","Enable HTTPS redirect",[18,197,198],{},"In Site settings > Domain management > HTTPS, enable \"Force HTTPS\"",[36,200,202],{"id":201},"cloudflare-pages-custom-domain-ssl","Cloudflare Pages Custom Domain SSL",[61,204,205,209],{"number":63},[65,206,208],{"id":207},"add-domain-to-cloudflare-if-not-already","Add domain to Cloudflare (if not already)",[18,210,211],{},"Your domain should use Cloudflare nameservers for easiest setup.",[61,213,214,218,221],{"number":84},[65,215,217],{"id":216},"add-custom-domain-to-pages-project","Add custom domain to Pages project",[18,219,220],{},"Go to Pages > Your project > Custom domains > Set up a custom domain",[73,222,225],{"className":223,"code":224,"language":78},[76],"# Enter your domain:\nyourdomain.com\n\n# Cloudflare automatically creates DNS records\n",[31,226,224],{"__ignoreMap":81},[61,228,229,233,236],{"number":100},[65,230,232],{"id":231},"configure-ssltls-mode","Configure SSL/TLS mode",[18,234,235],{},"In your domain's SSL/TLS settings, set encryption mode to \"Full (strict)\"",[73,237,240],{"className":238,"code":239,"language":78},[76],"# SSL/TLS encryption modes:\n# - Off: No encryption (never use this)\n# - Flexible: HTTPS to Cloudflare, HTTP to origin (security risk!)\n# - Full: HTTPS everywhere, accepts self-signed certs\n# - Full (strict): HTTPS everywhere, requires valid certificate (recommended)\n",[31,241,239],{"__ignoreMap":81},[243,244,245,248],"warning-box",{},[18,246,247],{},"Cloudflare SSL Mode Warning:",[18,249,250],{},"Never use \"Flexible\" mode - it creates a false sense of security. Users see HTTPS but data between Cloudflare and your origin is unencrypted. Always use \"Full (strict)\".",[36,252,254],{"id":253},"awsroute-53-cloudfront","AWS/Route 53 + CloudFront",[61,256,257,261],{"number":63},[65,258,260],{"id":259},"request-certificate-in-acm","Request certificate in ACM",[73,262,265],{"className":263,"code":264,"language":78},[76],"# AWS Certificate Manager (ACM) - must use us-east-1 for CloudFront\naws acm request-certificate \\\n  --domain-name yourdomain.com \\\n  --subject-alternative-names www.yourdomain.com \\\n  --validation-method DNS \\\n  --region us-east-1\n",[31,266,264],{"__ignoreMap":81},[61,268,269,273,276],{"number":84},[65,270,272],{"id":271},"validate-domain-ownership","Validate domain ownership",[18,274,275],{},"Add the CNAME records ACM provides to your DNS:",[73,277,280],{"className":278,"code":279,"language":78},[76],"# ACM provides records like:\nType: CNAME\nName: _abc123.yourdomain.com\nValue: _xyz789.acm-validations.aws\n",[31,281,279],{"__ignoreMap":81},[61,283,284,288],{"number":100},[65,285,287],{"id":286},"configure-cloudfront-distribution","Configure CloudFront distribution",[73,289,292],{"className":290,"code":291,"language":78},[76],"# In CloudFront distribution settings:\n# - Alternate domain names (CNAMEs): yourdomain.com, www.yourdomain.com\n# - Custom SSL certificate: Select your ACM certificate\n# - SSL/TLS protocol: TLSv1.2_2021 (minimum)\n# - HTTPS redirect: Yes\n",[31,293,291],{"__ignoreMap":81},[36,295,297],{"id":296},"dns-records-reference","DNS Records Reference",[299,300,301,317],"table",{},[302,303,304],"thead",{},[305,306,307,311,314],"tr",{},[308,309,310],"th",{},"Platform",[308,312,313],{},"Root Domain (A Record)",[308,315,316],{},"Subdomain (CNAME)",[318,319,320,332,343,354,365],"tbody",{},[305,321,322,326,329],{},[323,324,325],"td",{},"Vercel",[323,327,328],{},"76.76.21.21",[323,330,331],{},"cname.vercel-dns.com",[305,333,334,337,340],{},[323,335,336],{},"Netlify",[323,338,339],{},"75.2.60.5",[323,341,342],{},"your-site.netlify.app",[305,344,345,348,351],{},[323,346,347],{},"Cloudflare Pages",[323,349,350],{},"(automatic via Cloudflare DNS)",[323,352,353],{},"your-project.pages.dev",[305,355,356,359,362],{},[323,357,358],{},"GitHub Pages",[323,360,361],{},"185.199.108.153",[323,363,364],{},"username.github.io",[305,366,367,370,373],{},[323,368,369],{},"Render",[323,371,372],{},"(varies by service)",[323,374,375],{},"your-service.onrender.com",[36,377,379],{"id":378},"security-checklist","Security Checklist",[381,382,384],"h4",{"id":383},"custom-domain-ssl-checklist","Custom Domain SSL Checklist",[41,386,387,390,393,396,399,402,405,408,411,414],{},[44,388,389],{},"Domain added to hosting platform",[44,391,392],{},"DNS records configured correctly (A and/or CNAME)",[44,394,395],{},"DNS propagation complete (verified with dig)",[44,397,398],{},"SSL certificate provisioned and valid",[44,400,401],{},"HTTPS redirect enabled (HTTP to HTTPS)",[44,403,404],{},"Both www and non-www domains configured",[44,406,407],{},"Primary domain redirect configured",[44,409,410],{},"HSTS header added for security",[44,412,413],{},"Old certificates revoked if migrating",[44,415,416],{},"CAA record set (optional but recommended)",[36,418,420],{"id":419},"how-to-verify-it-worked","How to Verify It Worked",[61,422,423,427],{"number":63},[65,424,426],{"id":425},"check-dns-propagation","Check DNS propagation",[73,428,431],{"className":429,"code":430,"language":78},[76],"# Check A record\ndig yourdomain.com A +short\n\n# Check CNAME record\ndig www.yourdomain.com CNAME +short\n\n# Use online tool for global propagation:\n# https://www.whatsmydns.net/\n",[31,432,430],{"__ignoreMap":81},[61,434,435,439],{"number":84},[65,436,438],{"id":437},"verify-certificate","Verify certificate",[73,440,443],{"className":441,"code":442,"language":78},[76],"# Check certificate details\necho | openssl s_client -servername yourdomain.com -connect yourdomain.com:443 2>/dev/null | openssl x509 -noout -subject -issuer -dates\n\n# Check certificate chain\necho | openssl s_client -servername yourdomain.com -connect yourdomain.com:443 2>/dev/null | openssl x509 -noout -text | grep -A1 \"Issuer\"\n",[31,444,442],{"__ignoreMap":81},[61,446,447,451],{"number":100},[65,448,450],{"id":449},"test-https-redirect","Test HTTPS redirect",[73,452,455],{"className":453,"code":454,"language":78},[76],"# Should redirect to HTTPS\ncurl -I http://yourdomain.com\n\n# Expected response:\n# HTTP/1.1 301 Moved Permanently\n# Location: https://yourdomain.com/\n",[31,456,454],{"__ignoreMap":81},[61,458,459,463],{"number":191},[65,460,462],{"id":461},"run-ssl-test","Run SSL test",[18,464,465,466,473],{},"Use ",[467,468,472],"a",{"href":469,"rel":470},"https://www.ssllabs.com/ssltest/",[471],"nofollow","SSL Labs"," to verify configuration. Aim for grade A or higher.",[36,475,477],{"id":476},"common-errors-and-troubleshooting","Common Errors and Troubleshooting",[65,479,481],{"id":480},"certificate-pending-for-too-long","Certificate pending for too long",[73,483,486],{"className":484,"code":485,"language":78},[76],"# DNS not configured correctly - verify records:\ndig yourdomain.com A +short\n# Should return the platform's IP\n\ndig www.yourdomain.com CNAME +short\n# Should return the platform's CNAME target\n\n# If wrong, update DNS and wait for propagation (can take up to 48h)\n# Check propagation status:\n# https://www.whatsmydns.net/\n",[31,487,485],{"__ignoreMap":81},[65,489,491],{"id":490},"err_cert_common_name_invalid","ERR_CERT_COMMON_NAME_INVALID",[73,493,496],{"className":494,"code":495,"language":78},[76],"# Certificate doesn't match the domain you're visiting\n# Causes:\n# 1. Domain not added to platform's custom domains\n# 2. Certificate not yet provisioned\n# 3. Visiting wrong domain variant (www vs non-www)\n\n# Solution: Ensure domain is added and certificate is issued in platform dashboard\n",[31,497,495],{"__ignoreMap":81},[65,499,501],{"id":500},"ssl-certificate-not-trusted","SSL certificate not trusted",[73,503,506],{"className":504,"code":505,"language":78},[76],"# Check certificate chain is complete:\nopenssl s_client -connect yourdomain.com:443 -servername yourdomain.com 2>/dev/null | grep -i verify\n\n# If you see \"Verify return code: 21 (unable to verify the first certificate)\"\n# The intermediate certificates are missing - usually a platform issue\n# Contact support or re-provision the certificate\n",[31,507,505],{"__ignoreMap":81},[65,509,511],{"id":510},"mixed-www-and-non-www-redirect-issues","Mixed www and non-www redirect issues",[73,513,516],{"className":514,"code":515,"language":78},[76],"# Both domains should work and redirect to one primary\n# In Vercel: Settings > Domains > Redirect to primary domain\n# In Netlify: Domain management > Primary domain\n\n# Test both:\ncurl -I http://yourdomain.com\ncurl -I http://www.yourdomain.com\ncurl -I https://yourdomain.com\ncurl -I https://www.yourdomain.com\n\n# All should eventually redirect to your primary HTTPS domain\n",[31,517,515],{"__ignoreMap":81},[65,519,521],{"id":520},"caa-record-blocking-certificate-issuance","CAA record blocking certificate issuance",[73,523,526],{"className":524,"code":525,"language":78},[76],"# Check for CAA records:\ndig yourdomain.com CAA\n\n# If CAA records exist, they must allow your certificate authority\n# For Let's Encrypt (used by Vercel, Netlify):\nType: CAA\nName: @\nValue: 0 issue \"letsencrypt.org\"\n\n# To allow any CA (remove restrictions):\n# Delete all CAA records\n",[31,527,525],{"__ignoreMap":81},[529,530,531,538,550,556,562],"faq-section",{},[532,533,535],"faq-item",{"question":534},"How long does SSL certificate provisioning take?",[18,536,537],{},"After DNS is properly configured, SSL certificates typically provision within 1-10 minutes on most platforms. If DNS was recently changed, wait for propagation (up to 48 hours, usually much faster - often within 15 minutes to an hour).",[532,539,541],{"question":540},"Should I use CNAME or A records?",[18,542,543,544,549],{},"Use CNAME for subdomains (",[467,545,548],{"href":546,"rel":547},"http://www.domain.com",[471],"www.domain.com",") and A/AAAA records for root domains (domain.com). Root domains cannot use standard CNAME records. Some DNS providers support CNAME flattening or ALIAS records for root domains which can be used instead.",[532,551,553],{"question":552},"Can I use my own SSL certificate instead of the platform's?",[18,554,555],{},"Most platforms allow custom certificates on paid plans. However, using the platform's automatic SSL is recommended as it handles renewal automatically and is properly configured. Custom certificates are useful for EV certificates or specific compliance requirements.",[532,557,559],{"question":558},"Do I need to configure SSL for both www and non-www?",[18,560,561],{},"Yes, add both domains to your platform. Configure one as the primary and set up redirects from the other. Both need valid SSL certificates to properly redirect HTTPS requests.",[532,563,565],{"question":564},"Why is my custom domain showing the wrong site?",[18,566,567,568,571,572,575,576,578],{},"DNS might be cached or still pointing to an old server. Clear your local DNS cache (",[31,569,570],{},"ipconfig /flushdns"," on Windows, ",[31,573,574],{},"sudo dscacheutil -flushcache"," on Mac) and verify DNS with ",[31,577,33],{}," or an online tool.",[580,581,584],"cta-box",{"href":582,"label":583},"/","Start Free Scan",[18,585,586],{},"Run a free security scan to check your custom domain's SSL configuration.",[588,589,590,596,601,606],"related-articles",{},[591,592],"related-card",{"description":593,"href":594,"title":595},"Complete guide to enabling HTTPS with Let's Encrypt and manual configuration.","/blog/how-to/https-setup","How to Set Up HTTPS",[591,597],{"description":598,"href":599,"title":600},"Find and fix HTTP resources breaking your HTTPS security.","/blog/how-to/mixed-content-fix","Fix Mixed Content Warnings",[591,602],{"description":603,"href":604,"title":605},"Set up automatic renewal and monitor certificate expiration.","/blog/how-to/certificate-renewal","SSL Certificate Renewal",[591,607],{"description":608,"href":609,"title":610},"Configure environment variables for your Vercel deployments.","/blog/how-to/vercel-env-vars","Vercel Environment Variables",{"title":81,"searchDepth":612,"depth":612,"links":613},2,[614,615,621,627,632,637,638,639,645],{"id":38,"depth":612,"text":39},{"id":58,"depth":612,"text":59,"children":616},[617,619,620],{"id":67,"depth":618,"text":68},3,{"id":87,"depth":618,"text":88},{"id":103,"depth":618,"text":104},{"id":137,"depth":612,"text":138,"children":622},[623,624,625,626],{"id":143,"depth":618,"text":144},{"id":158,"depth":618,"text":88},{"id":169,"depth":618,"text":170},{"id":194,"depth":618,"text":195},{"id":201,"depth":612,"text":202,"children":628},[629,630,631],{"id":207,"depth":618,"text":208},{"id":216,"depth":618,"text":217},{"id":231,"depth":618,"text":232},{"id":253,"depth":612,"text":254,"children":633},[634,635,636],{"id":259,"depth":618,"text":260},{"id":271,"depth":618,"text":272},{"id":286,"depth":618,"text":287},{"id":296,"depth":612,"text":297},{"id":378,"depth":612,"text":379},{"id":419,"depth":612,"text":420,"children":640},[641,642,643,644],{"id":425,"depth":618,"text":426},{"id":437,"depth":618,"text":438},{"id":449,"depth":618,"text":450},{"id":461,"depth":618,"text":462},{"id":476,"depth":612,"text":477,"children":646},[647,648,649,650,651],{"id":480,"depth":618,"text":481},{"id":490,"depth":618,"text":491},{"id":500,"depth":618,"text":501},{"id":510,"depth":618,"text":511},{"id":520,"depth":618,"text":521},"how-to","2026-01-12","Step-by-step guide to configuring SSL certificates for custom domains on Vercel, Netlify, and Cloudflare. Includes DNS configuration and troubleshooting.",false,"md",[658,660,662],{"question":534,"answer":659},"After DNS is properly configured, SSL certificates typically provision within 1-10 minutes on most platforms. If DNS was recently changed, wait for propagation (up to 48 hours, usually faster).",{"question":540,"answer":661},"Use CNAME for subdomains (www.domain.com) and A/AAAA records for root domains (domain.com). Some DNS providers support CNAME flattening or ALIAS records for root domains.",{"question":552,"answer":663},"Most platforms allow custom certificates on paid plans. However, using the platform's automatic SSL is recommended as it handles renewal automatically and is properly configured.","yellow",null,{},true,"Configure SSL certificates for custom domains on popular hosting platforms.","/blog/how-to/custom-domain-ssl","[object Object]","HowTo",{"title":5,"description":654},{"loc":669},"blog/how-to/custom-domain-ssl",[],"summary_large_image","pwKYtmeD0tumbwOVoqo6z4tOsqn18tIAy6MkQLuhW4Q",1775843928451]