Custom certificates
Use a custom certificate when Let’s Encrypt won’t work for you: corporate CA, internal-only domain, mTLS, or a cert issued by an external ACME tool.
When to pick this
Section titled “When to pick this”- A corporate or private CA issues your certs.
- mTLS where the server cert chain is fixed.
- Cert lifecycle is owned by another system (Vault, cert-manager, manual).
Prepare PEM files
Section titled “Prepare PEM files”Both must be PEM-encoded. Bundle the leaf cert plus any intermediates in cert.pem.
cat leaf.pem intermediate.pem > fullchain.pemMark the endpoint as custom
Section titled “Mark the endpoint as custom”services: web: image: myapp:latest labels: simpledeploy.endpoints.0.domain: "myapp.example.com" simpledeploy.endpoints.0.port: "3000" simpledeploy.endpoints.0.tls: "custom"Deploy or redeploy. The endpoint will return TLS errors until the cert is uploaded.
Upload the cert
Section titled “Upload the cert”- Open the app in the dashboard.
- Endpoints tab, expand
myapp.example.com. - Click Upload certificate, paste the cert and key as PEM.
- Save. The endpoint switches to the new cert immediately.
curl -X PUT https://manage.example.com/api/apps/myapp/certs/myapp.example.com \ -H "Authorization: Bearer $SD_API_KEY" \ -H "Content-Type: application/json" \ -d "$(jq -n \ --arg cert "$(cat fullchain.pem)" \ --arg key "$(cat privkey.pem)" \ '{cert: $cert, key: $key}')"Replace or delete
Section titled “Replace or delete”Re-uploading replaces the old cert atomically.
curl -X DELETE https://manage.example.com/api/apps/myapp/certs/myapp.example.com \ -H "Authorization: Bearer $SD_API_KEY"After deletion you must either upload a new cert or switch the endpoint back to auto.
See also: TLS and HTTPS.