Every website on Hostney automatically receives a free SSL/TLS certificate from Let’s Encrypt. These certificates encrypt the connection between your visitors and your website, protecting passwords, payment details, and other sensitive data from interception.
Certificates are provisioned and renewed automatically — you don’t need to do anything for standard HTTPS to work. This page lets you view your active certificates and, if needed, upload your own.
Viewing your certificates
The SSL certificates page lists every certificate associated with your websites. Each certificate card shows:
- Website — The domain or subdomain the certificate covers
- CA — The certificate authority that issued it (e.g., Let’s Encrypt, DigiCert)
- Expires — When the certificate expires
- Badge — Either “Auto-generated” (green) for Let’s Encrypt certificates or “Imported” (blue) for certificates you uploaded yourself
You can search and sort the list by website name or expiration date. The counter in the section header shows how many certificates you have in total.
Viewing certificate details
Click the dropdown menu on any certificate card for these options:
- Certificate — Opens the full PEM-formatted certificate text with a copy button
- Private key — Opens the private key in PEM format with a copy button
- Full chain — Opens the certificate chain in PEM format with a copy button
- Delete — Removes an imported certificate (not available for auto-generated ones)
Auto-generated certificates (Let’s Encrypt)
Hostney automatically provisions Let’s Encrypt certificates for every website you create. These certificates:
- Cover the exact domain and subdomain
- Renew automatically before they expire
- Require no configuration on your part
A background process checks certificate status every minute across all servers, updating expiration dates and SSL status in the system. You don’t need to worry about renewals.
Auto-generated certificates cannot be deleted — they’re managed by the system.
Uploading a custom certificate
If you have an EV (Extended Validation), OV (Organization Validation), wildcard, or multi-domain certificate from a commercial CA, you can upload it through the three-step form at the top of the page.
Step 1: Select subdomain and paste certificate
- Choose the subdomain from the dropdown.
- Paste your SSL certificate in PEM format (starts with -----BEGIN CERTIFICATE-----).
- Click Next.
Step 2: Paste private key
- Paste your private key in PEM format (starts with -----BEGIN PRIVATE KEY-----).
- The key must be unencrypted — password-protected keys are not accepted.
- Click Next.
Step 3: Paste certificate chain (optional)
- If your CA provided an intermediate certificate or chain file, paste it here.
- This step is optional but recommended for full browser compatibility.
- Click Upload certificate.
Upload requirements
- Certificate and key must be in PEM format
- Private key must be unencrypted (no passphrase)
- Certificate cannot be self-signed
- Certificate must not be expired
- The certificate’s Common Name (CN) or Subject Alternative Name (SAN) must match the subdomain you selected
- Only one imported certificate is allowed per subdomain
If validation fails, the form takes you back to the step with the problem and highlights the field.
Changes take 1-2 minutes to apply after a successful upload.
Deleting an imported certificate
Open the dropdown menu on an imported certificate card and select Delete. Type DELETE to confirm.
When you delete an imported certificate, the subdomain automatically falls back to using its auto-generated Let’s Encrypt certificate. Changes take 1-2 minutes to apply.
Troubleshooting
Browser still shows “Not secure” after adding a website
New certificates take a few minutes to provision. If it persists, check that your domain’s DNS points to your Hostney server.
Certificate format errors during upload
Make sure you’re pasting the full PEM content, including the -----BEGIN and -----END lines. If your CA gave you a .pfx or .p12 file, you’ll need to convert it to PEM format first using OpenSSL:
openssl pkcs12 -in certificate.pfx -out cert.pem -nodes
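An added example, not Hostney's code: the cert.pem written by the command above holds the certificate, any chain certificates and the unencrypted private key in one file, mixed with "Bag Attributes" text, while the upload form takes them in three separate fields. This Python function splits such a file and flags a passphrase-protected key or a paste that was cut short; it assumes the first certificate block is the site's own, and the sample bodies are constructed placeholders.

```python
import base64
import re

# One PEM block: BEGIN line, optional headers, base64 body, matching END line.
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)-----END \1-----", re.S)

def split_pem_bundle(text):
    """Sort a converted bundle's PEM blocks into the three upload-form fields."""
    out = {"certificate": None, "private_key": None, "chain": [], "problems": []}
    # A BEGIN line without its END line means the paste was cut short.
    if text.count("-----BEGIN ") != len(PEM_BLOCK.findall(text)):
        out["problems"].append("a BEGIN line has no matching END line")
    for match in PEM_BLOCK.finditer(text):
        label, lines = match.group(1), match.group(2).splitlines()
        headers = [ln for ln in lines if ":" in ln]  # e.g. Proc-Type, DEK-Info
        body = "".join(ln.strip() for ln in lines if ":" not in ln)
        try:
            base64.b64decode(body, validate=True)
        except ValueError:
            out["problems"].append(f"{label}: body is not valid base64")
            continue
        block = match.group(0) + "\n"  # text outside the markers is dropped
        if label == "CERTIFICATE":
            # Assumption: the first certificate is the site's own, the rest the chain.
            if out["certificate"] is None:
                out["certificate"] = block
            else:
                out["chain"].append(block)
        elif label.endswith("PRIVATE KEY"):
            if label.startswith("ENCRYPTED") or any("ENCRYPTED" in h for h in headers):
                out["problems"].append("private key is passphrase-protected")
            else:
                out["private_key"] = block
    return out

# Constructed sample shaped like the converted file; bodies are placeholders.
SAMPLE = """Bag Attributes
    localKeyID: 01 00 00 00
-----BEGIN CERTIFICATE-----
TEVBRkxFQUZMRUFG
-----END CERTIFICATE-----
Bag Attributes: <No Attributes>
-----BEGIN CERTIFICATE-----
Q0hBSU5DSEFJTkNI
-----END CERTIFICATE-----
-----BEGIN PRIVATE KEY-----
S0VZS0VZS0VZS0VZ
-----END PRIVATE KEY-----
"""
```

Paste the "certificate" value into step 1, "private_key" into step 2 and the joined "chain" entries into step 3, after confirming that the first certificate really is the one issued for your subdomain.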
“Certificate does not match subdomain” error
The uploaded certificate’s CN or SAN must match the subdomain exactly, or be a wildcard certificate that covers it (e.g., *.example.com covers www.example.com).
Mixed content warnings
Your certificate is working, but your website loads some resources (images, scripts, stylesheets) over plain HTTP. Update those references to use HTTPS or protocol-relative URLs.
Certificate not renewing
Auto-generated Let’s Encrypt certificates renew automatically. If you see an upcoming expiration, the system will handle it. If the certificate has already expired and hasn’t renewed, check that your domain still points to your Hostney server — Let’s Encrypt needs to reach your website to validate the renewal.