Certificate generation

Northflank provides automatic certificate generation for your domains by default. Alternatively, you can upload certificates yourself.

Your services should automatically be able to connect to addons with TLS enabled. However, some applications may need custom TLS configuration.

Northflank uses Let's Encrypt to provision TLS certificates on-demand, generated by Let's Encrypt. Certificates are created automatically and renewed before they expire, with 2048-bit RSA encryption.

Your custom domains can be linked to a service port and immediately start serving secure traffic with a managed Let's Encrypt certificate. A certificate will not be generated for a subdomain added to Northflank until it has been linked to a service's port.

Your custom domains will be subject to Let's Encrypt's rate limits .

• Certificates per registered domain: you can request 50 certificates per week for the same registered domain. This limit is applied to the root domain, and any subdomains will count towards the same limit. For example, subdomain1.example.com and subdomain2.example.com will both count towards the limit for example.com.

Please keep these limits in mind when creating new subdomains on Northflank and generating Let's Encrypt certificates for your domains via other channels.

You can reduce the number of certificates you need to generate by configuring a domain to use wildcard certificates. Wildcard certificates allow your subdomains to share a certificate, and are ideal for dynamically generating subdomains in Northflank templates and preview environments.

Instead of using Northflank's automated certificate provisioning you can import your own TLS certificates, giving you full control over certificate management when required.

This approach is suitable if you already manage certificates externally (e.g. via Let’s Encrypt, DigiCert, Sectigo, GlobalSign, or other trusted CAs), or your organisation does not allow automated certificate generation.

When you add a new domain, select wildcard via imported certificate from the certificate generation drop-down menu under advanced options. You can then copy the certificate content and private key into Northflank and configure and verify the domain as normal.

Any new subdomains you create under the domain will use your own imported certificate, rather than a Northflank-generated Let's Encrypt certificate. Your certificate will need to cover any subdomains you want to add, see wildcard certificate generation for more information.

You can update the certificate for a domain by opening the settings for the domain. Expand the certificate import view, paste the new certificate and private key, and click update to begin using the new certificate.