SSL/TLS certificates
Every active hostname on the Paradarum CDN is served over HTTPS. There are two ways to get a certificate: managed automatic issuance via Let's Encrypt, or a custom certificate you upload. This page explains both and how to switch between them.
Managed certificates (Let's Encrypt)
Once a hostname is Active, Paradarum issues a certificate automatically using ACME against Let's Encrypt. Validation uses the HTTP-01 challenge: Let's Encrypt fetches a token served at /.well-known/acme-challenge/{token}, and the edge returns the stored key authorization.
GET http://www.mycompany.com/.well-known/acme-challenge/<token>
-> 200 text/plain: <keyAuthorization>
Only HTTP-01 is used — there is no DNS-01 challenge and no DNS TXT/CNAME verification token to add. For issuance to work, the hostname must resolve to a Paradarum PoP so Let's Encrypt can reach the challenge path. This is the same DNS that verification checks, so once a hostname is Active the challenge is reachable.
Issuance is asynchronous: the API enqueues the request and returns immediately, and the edge picks up the new certificate by polling configuration. Managed certificates include the full chain.
Custom certificates (upload)
For non-system hostnames you can upload your own certificate instead of using Let's Encrypt. In the Hostnames tab, click the up-arrow (upload) button on the hostname row to open the Certificate Upload dialog, then provide a PEM certificate file and a private key file.
curl -X POST 'https://api.paradarum.com/api/Property/123/hostname/456/certificate' \
-H 'X-API-Key: pdm_YOUR_KEY' \
-H 'Content-Type: application/json' \
-d '{
"certificate": "-----BEGIN CERTIFICATE-----\n...",
"privateKey": "-----BEGIN PRIVATE KEY-----\n..."
}'
Validation rules
The upload is rejected with 400 unless it meets all of the following:
| Requirement | Detail |
|---|---|
| Parses as PEM | The certificate must be valid PEM. |
| Currently valid | NotBefore ≤ now ≤ NotAfter: the certificate is neither expired nor not yet valid. |
| Matches the hostname | The CN or a SAN must match the hostname. |
| Wildcard scope | Single-level only — *.example.com matches sub.example.com, not a.b.example.com. |
| Not a system default | System default hostnames cannot have a certificate uploaded. |
A custom-certificate upload does not bundle an intermediate chain for you — provide a certificate that your clients can validate. Managed (ACME) certificates already include the full chain.
A successful upload sets the hostname to use an external certificate and stores it securely.
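A local pre-flight check for the validity-window, hostname-match and wildcard-scope rules in the table above, as an added example that is not Paradarum's own validation code. It assumes the certificate's CN/SAN names and NotBefore/NotAfter dates have already been extracted from the PEM; `name_matches` and `preflight` are hypothetical helper names, and the case-insensitive, trailing-dot-tolerant comparison is an assumption about how names are normalized.

```python
from datetime import datetime, timezone


def name_matches(pattern: str, hostname: str) -> bool:
    """Match one CN/SAN entry against a hostname, single-level wildcard only."""
    # Assumption: names compare case-insensitively, ignoring a trailing dot.
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == hostname
    suffix = pattern[1:]  # "*.example.com" -> ".example.com"
    if not hostname.endswith(suffix):
        return False
    label = hostname[: -len(suffix)]
    # The wildcard must cover exactly one non-empty label, so no dots allowed.
    return bool(label) and "." not in label


def preflight(hostname, cert_names, not_before, not_after, now=None):
    """Return a list of rule violations; an empty list means the checks pass."""
    now = now or datetime.now(timezone.utc)
    problems = []
    if now < not_before:
        problems.append("not yet valid")
    if now > not_after:
        problems.append("expired")
    if not any(name_matches(n, hostname) for n in cert_names):
        problems.append("hostname mismatch")
    return problems


# Constructed sample values, not taken from a real certificate.
SAMPLE_NAMES = ["example.com", "*.example.com"]
SAMPLE_NOT_BEFORE = datetime(2024, 1, 1, tzinfo=timezone.utc)
SAMPLE_NOT_AFTER = datetime(2024, 4, 1, tzinfo=timezone.utc)

if __name__ == "__main__":
    at = datetime(2024, 2, 1, tzinfo=timezone.utc)
    for host in ("sub.example.com", "a.b.example.com", "example.com"):
        result = preflight(host, SAMPLE_NAMES, SAMPLE_NOT_BEFORE, SAMPLE_NOT_AFTER, at)
        print(host, result or "ok")
```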
Reading the UI icons
The certificate column tells you which mode a hostname is in:
| Icon | Meaning |
|---|---|
| Shield (check) | Managed certificate (ACME / Let's Encrypt) |
| Lock | External / custom uploaded certificate |
Switching between modes
- Custom → managed. Delete the custom certificate to revert the hostname to a managed certificate:
curl -X DELETE 'https://api.paradarum.com/api/Property/123/hostname/456/certificate?accountId=45' \
-H 'X-API-Key: pdm_YOUR_KEY'
Use the trash button next to the certificate in the UI. After deletion the hostname goes back to automatic Let's Encrypt issuance.
You cannot mix an uploaded certificate with Let's Encrypt. While a hostname has a custom certificate, requesting a managed certificate returns 400 (Cannot request Let's Encrypt certificate). Delete the custom certificate first to switch back to managed issuance.
System default hostnames cannot have a certificate uploaded or deleted — both return 400. They are always served with a managed certificate.
Next steps
- Verify DNS and retry SSL — get a hostname to Active so issuance can run.
- Configure a CNAME — point your domain at the CDN.