
SSL Certificates and HTTPS

SSL allows you to serve your sites using HTTPS, giving your users a guarantee of data integrity and privacy when they visit.

We provide SSL certificates free and by default. All Divio sites can be accessed using the HTTPS protocol instead of plain HTTP.

Renewal

Certificates have a 90-day lifetime, and are renewed automatically 40 days before expiry.

Custom certificates

If you have your own certificate, this can be applied to sites with eligible subscriptions - just drop us a line and we'll set it all up for you.

Custom Import Notes

When uploading custom certificates, please note the following:

  • Separate files
    Upload the certificate, private key, and intermediate Certificate Authority (CA) bundle separately.

  • Unencrypted private key
    Remove any passphrase from your private key before uploading.

  • Strict PEM format
    Ensure your PEM files contain only the encoded blocks, with no additional metadata, for example:

    -----BEGIN CERTIFICATE-----
    ...
    -----END CERTIFICATE-----

You can verify the certificate against its chain locally using OpenSSL:

openssl verify -x509_strict -verbose -CAfile chain.pem cert.pem

A result of OK indicates that the certificate verified successfully against the supplied chain.
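A pre-flight check for the three files listed above, as an added example that is not Divio's own tooling: it flags metadata outside the PEM blocks (such as the Bag Attributes lines a PKCS#12 export prepends), a passphrase-protected private key, a file holding the wrong block type, and invalid base64. The sample files at the bottom are constructed and contain no real key material.

```python
import base64
import re

# One PEM block; the captured label (CERTIFICATE, PRIVATE KEY, ...) must be
# repeated on the END line.
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)\r?\n-----END \1-----", re.S)

# Block labels acceptable in each of the three separately uploaded files.
EXPECTED = {
    "cert": {"CERTIFICATE"},
    "key": {"PRIVATE KEY", "RSA PRIVATE KEY", "EC PRIVATE KEY"},
    "chain": {"CERTIFICATE"},
}


def check_pem(text, kind):
    """Return the problems in `text` (kind: 'cert', 'key' or 'chain'); [] is clean."""
    blocks = PEM_BLOCK.findall(text)
    if not blocks:
        return ["no PEM block found"]
    problems = []
    # Whatever remains after removing the blocks is metadata, e.g. the
    # 'Bag Attributes' / 'subject=' lines that a PKCS#12 export prepends.
    outside = PEM_BLOCK.sub("", text).strip()
    if outside:
        problems.append("metadata outside PEM blocks: %r" % outside.splitlines()[0])
    if kind != "chain" and len(blocks) != 1:
        problems.append("expected exactly one block, found %d" % len(blocks))
    for label, body in blocks:
        # PKCS#8 encrypted keys carry their own label; legacy OpenSSL keys
        # signal encryption with Proc-Type/DEK-Info headers inside the block.
        if label == "ENCRYPTED PRIVATE KEY" or "Proc-Type: 4,ENCRYPTED" in body:
            problems.append("private key is passphrase-protected")
            continue
        if label not in EXPECTED[kind]:
            problems.append("unexpected block type %s in %s file" % (label, kind))
        try:
            base64.b64decode("".join(body.split()), validate=True)
        except ValueError:
            problems.append("block %s is not valid base64" % label)
    return problems


# Constructed samples (not real key material): a strict certificate file, the
# same file with PKCS#12 export metadata in front, and an encrypted legacy key.
GOOD_CERT = ("-----BEGIN CERTIFICATE-----\n"
             + base64.b64encode(b"constructed, not a real DER cert").decode()
             + "\n-----END CERTIFICATE-----\n")
DIRTY_CERT = "Bag Attributes\n    friendlyName: example\n" + GOOD_CERT
ENCRYPTED_KEY = ("-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n"
                 "DEK-Info: AES-256-CBC,00112233445566778899AABBCCDDEEFF\n\n"
                 "Y29uc3RydWN0ZWQ=\n-----END RSA PRIVATE KEY-----\n")
```

Run `check_pem(open(path).read(), kind)` on each file before uploading; an empty list means the file meets the format requirements above, and the `openssl verify` command still covers the chain itself.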

HTTPS redirects

By default, we don't redirect HTTP users to HTTPS, because in some cases this might not be appropriate. However, unless you have a good reason not to, we advise that you set this up for your site, so that visitors who arrive on a URL such as http://example.com/ are redirected to https://example.com/.

See further information in our domains documentation.

TLS configuration in Open Cloud

Divio supports TLS 1.2 and TLS 1.3 across all sites hosted in Open Cloud. Modern cipher suites are preferred automatically by current browsers and operating systems, ensuring secure HTTPS connections by default.

For compatibility reasons, the platform continues to support a small number of TLS 1.2 CBC-based cipher suites. These are used only as fallbacks for legacy clients that cannot negotiate newer TLS 1.3 or TLS 1.2 GCM suites. Modern clients always select the strongest available ciphers, and the historical issues associated with CBC mode do not apply on modern servers.

This configuration ensures:

  • Compatibility with older devices and environments that still rely on legacy TLS behaviour

  • Strong security for all modern browsers and systems

  • Stable and predictable HTTPS access across a wide range of client versions

This behaviour is expected, safe, and aligned with current industry standards for shared-cloud environments supporting diverse client bases.

Note

For projects that must comply with stricter TLS requirements and wish to apply more restrictive policies, this may be achievable by placing the domain behind Divio-managed Cloudflare Domain Protection, where Cloudflare’s edge security capabilities apply. Please reach out to Divio Support if you would like to explore this option.