TLS (SSL) certificates for user domains

To access objects in a container via a custom domain over HTTPS, you must add a TLS (SSL) certificate. You can manage certificates through the control panel or the Selectel Storage API.

You can issue a certificate from any provider. If you use Selectel DNS hosting, you can quickly issue a Let's Encrypt certificate, but you must add the certificate manually after each Let's Encrypt reissue.

The certificate is added at the country level: it will only work for containers placed in the region of the selected country.

One certificate can be active for one domain. If several certificates are added for a domain, the last one loaded will be active. If the active certificate is deleted or expires, the previous one will be automatically activated, but only if it has not expired.

TLS protocol

The Transport Layer Security (TLS) protocol is the newer version of the SSL protocol and is used together with HTTP. Used together, HTTP and TLS provide encryption, authentication and data integrity.

For your information

We recommend using TLS version 1.2 or higher. Versions lower than 1.2 are considered deprecated (see the IETF website for details) and are not supported by the object store as of May 1, 2023.

You can see the version of TLS being used in the logs.

Learn more about setting up TLS version 1.2 in Amazon's documentation:

Add a certificate

Up to 100 certificates can be added as part of the project.

  1. In the Control Panel, on the top menu, click Products and select Object Storage.

  2. Go to the SSL Certificates section.

  3. Click Add Certificate.

  4. Select the country for containers in which the certificate will work.

  5. Enter a name for the certificate. It must be unique within the project.

  6. Add a master certificate:

    -----BEGIN CERTIFICATE-----
    <certificate.crt>
    -----END CERTIFICATE-----

    Specify <certificate.crt> — the contents of the certificate.

  7. Add a private key:

    -----BEGIN PRIVATE KEY-----
    <private_key.key>
    -----END PRIVATE KEY-----

    Specify <private_key.key> — private key in PKCS#1 format.

  8. Click Add Certificate. The certificate is activated within five minutes.
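A pre-upload check for steps 6 and 7, added here as an example (it is not Selectel's code and does not call the Storage API). It reads the PEM blocks you are about to paste and reports which encoding each label announces and whether a private key's DER structure agrees with its label. It also catches a placeholder left in place of the body. The label meanings follow RFC 7468 and OpenSSL conventions; the helper names and the two DER byte strings are constructed for illustration.

```python
import base64
import re

PEM_RE = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.S)
# PEM armor label -> encoding it announces (RFC 7468 / OpenSSL conventions).
LABELS = {"CERTIFICATE": "X.509 certificate", "RSA PRIVATE KEY": "PKCS#1",
          "PRIVATE KEY": "PKCS#8", "ENCRYPTED PRIVATE KEY": "encrypted PKCS#8"}

def tlv(der, pos):
    """Decode one DER header at pos -> (tag, value_start, value_length)."""
    tag, first = der[pos], der[pos + 1]
    if first < 0x80:                       # short-form length
        return tag, pos + 2, first
    n = first & 0x7F                       # long form: next n bytes hold the length
    return tag, pos + 2 + n, int.from_bytes(der[pos + 2:pos + 2 + n], "big")

def key_structure(der):
    """Classify an unencrypted private key by its ASN.1 shape, ignoring the label."""
    try:
        tag, start, _ = tlv(der, 0)              # outer SEQUENCE
        vtag, vstart, vlen = tlv(der, start)     # first field: version INTEGER
        if tag != 0x30 or vtag != 0x02:
            return "unknown"
        # PKCS#1 continues with an INTEGER (modulus), PKCS#8 with a SEQUENCE (algorithm).
        return {0x02: "PKCS#1", 0x30: "PKCS#8"}.get(der[vstart + vlen], "unknown")
    except IndexError:
        return "unknown"

def lint_pem(text):
    """Return [(label, announced_encoding, problem_or_None)] for each PEM block."""
    report = []
    for label, body in PEM_RE.findall(text):
        announced, problem = LABELS.get(label, "unrecognised label"), None
        try:
            der = base64.b64decode("".join(body.split()), validate=True)
        except ValueError:
            der, problem = b"", "body is not base64 (placeholder or truncated paste?)"
        if problem is None and announced in ("PKCS#1", "PKCS#8"):
            actual = key_structure(der)
            if actual != announced:
                problem = f"label announces {announced}, DER structure is {actual}"
        report.append((label, announced, problem))
    return report

def to_pem(label, der):  # wrap DER in PEM armor; used here only to build samples
    return f"-----BEGIN {label}-----\n{base64.b64encode(der).decode()}\n-----END {label}-----\n"

# Constructed DER skeletons (not real keys): just enough structure to classify.
PKCS1_DER, PKCS8_DER = bytes.fromhex("3006020100020105"), bytes.fromhex("300702010030000400")
```

Call `lint_pem()` on the exact text you intend to paste into the form; any entry whose third field is not `None` should be fixed locally before the certificate is added.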

Certificate statuses

in progress: The certificate is being validated (up to five minutes). If validation succeeds, the status changes to active; if it fails, to error.
error: Certificate validation ended with an error; hover over the status to view the reason. Correct the error, delete the certificate and add it again.
active: The certificate is active.
expired: The certificate has expired. Delete the certificate and add a new one.

Delete certificate

You cannot delete certificates that are in the process of being added.

  1. In the Control Panel, on the top menu, click Products and select Object Storage.
  2. Go to the SSL Certificates section.
  3. In the row with the certificate, click .
  4. Enter a name for the certificate and click Delete.