Customer provided SSL cert

Hey folks,

We’ve been using Fly for a few years now to provide custom domains for our customers. This week, however, we signed a large customer who for whatever reason needs us to use an SSL cert that they have provided. Is this possible?

We currently have a simple nginx proxy hosted on Fly that handles SSL termination and forwards their request on to our main app servers that are hosted elsewhere. How would I even go about using a custom SSL for a specific domain? They have provided me with a pfx file and the password for it, but I have no idea what the next steps are.

Any pointers/advice would be greatly appreciated.

Fly.io only needs to know about your domain if you’re using Fly to handle your TLS.

If you are handling TLS yourself via nginx, Fly doesn’t need to know about your domains, you can just set the for the domain to the anycast addresses of your TLS handling app.

If you’ve been given the certificate as a PFX file, you’ll need to convert it to an OpenSSL keypair using the following command:

openssl pkcs12 -in file.pfx -out file.pem -nodes

You can then use the created OpenSSL keypair in your nginx config to handle TLS termination.

2 Likes

Okay cool, this makes sense!

Does Fly have a good way to store and expose the OpenSSL key pair to my app without needing to store it in version control?

Your best options are either:

  • Fly secrets – Set the certificate keys as secrets and have an initialization script on your container to write those secrets to files before nginx starts.
  • Cloud storage – Put the certificates into something like AWS S3 and set up an IAM user for your nginx app which allows it to list and download the certificates, and download the certificates as part of an init script.
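
The Fly secrets option above, sketched as a container entrypoint (an added example, not code from this thread or from Fly). It assumes the certificate and key PEM files were stored base64-encoded in two secrets with the hypothetical names TLS_CERT_B64 and TLS_KEY_B64, and it writes them to an assumed /etc/nginx/tls directory.

```shell
#!/bin/sh
# Added example. Fly secrets reach the app as environment variables;
# TLS_CERT_B64 / TLS_KEY_B64 (base64 of the PEM files) and the
# /etc/nginx/tls default are names assumed for this sketch.
set -eu

write_tls_files() {
    dir="${1:-/etc/nginx/tls}"

    # Fail closed: never start nginx with a missing cert or key.
    if [ -z "${TLS_CERT_B64:-}" ] || [ -z "${TLS_KEY_B64:-}" ]; then
        echo "TLS_CERT_B64 and TLS_KEY_B64 must both be set" >&2
        return 1
    fi

    # Create the files owner-only from the start instead of chmod-ing later.
    old_umask=$(umask)
    umask 077
    mkdir -p "$dir"
    rm -f "$dir/cert.pem" "$dir/key.pem"
    decoded=0
    printf '%s' "$TLS_CERT_B64" | base64 -d > "$dir/cert.pem" &&
        printf '%s' "$TLS_KEY_B64" | base64 -d > "$dir/key.pem" && decoded=1
    umask "$old_umask"

    # Check that each secret decoded to the expected PEM type.
    if [ "$decoded" -ne 1 ] ||
       ! grep -q -e '-----BEGIN CERTIFICATE-----' "$dir/cert.pem" ||
       ! grep -q -e 'PRIVATE KEY-----' "$dir/key.pem"; then
        echo "secrets did not decode to a PEM certificate and private key" >&2
        rm -f "$dir/cert.pem" "$dir/key.pem"
        return 1
    fi

    # Keep the key material out of the environment that nginx inherits.
    unset TLS_CERT_B64 TLS_KEY_B64
}

# Used as the image entrypoint: ENTRYPOINT ["/entrypoint.sh", "start"]
if [ "${1:-}" = "start" ]; then
    write_tls_files
    nginx -t    # config test; rejects a key that does not match its certificate
    exec nginx -g 'daemon off;'
fi
```

The nginx `ssl_certificate` and `ssl_certificate_key` directives for the customer's `server` block would then point at the two files written here.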
