
Free auto-renewing SSL certificates for every domain on Sigilhosting. Let's Encrypt integration with wildcard support, DNS-01 and HTTP-01 validation, TLS 1.3 by default, and custom certificate upload for EV/OV requirements.
When a domain's DNS records point to Sigilhosting infrastructure — either by using our nameservers or by pointing A/AAAA records at your server's IP — we automatically issue an SSL certificate via Let's Encrypt. No manual steps, no CSR generation, no email verification, no file uploads.
For domains using Sigilhosting's managed DNS, we use DNS-01 validation by creating a temporary TXT record that Let's Encrypt verifies. This method works even before your web server is running, and it's required for wildcard certificates. For domains with DNS hosted elsewhere, we fall back to HTTP-01 validation via port 80.
Certificates are issued within seconds of DNS propagation completing. The entire process is fully automated — you deploy a server, point DNS at it, and HTTPS works.

A wildcard certificate secures *.yourdomain.com, covering every subdomain directly under your apex with a single certificate. The wildcard matches exactly one label, so nested names such as a.b.yourdomain.com are not covered. This eliminates the need to issue individual certificates when you create subdomains dynamically, such as per-customer subdomains, branch preview deployments, or regional endpoints.
Wildcard certificates require DNS-01 validation, which means the domain must either use Sigilhosting's managed DNS or you need to create TXT records at your DNS provider. For domains on our nameservers, the validation is completely automatic.
Both the wildcard (*.example.com) and the apex domain (example.com) are included in the same certificate as Subject Alternative Names. You don't need separate certificates for the bare domain and the wildcard.
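To check a planned hostname list against the wildcard-plus-apex SAN pair described above, the following added example (not Sigilhosting code) applies standard single-label wildcard matching as in RFC 6125. The helper names `san_matches` and `uncovered` and all hostnames are hypothetical, and hostnames are assumed to be in ASCII (A-label) form.

```python
# Added example: which planned hostnames does a wildcard + apex certificate cover?
# All SAN entries and hostnames below are constructed sample data.

def san_matches(pattern: str, hostname: str) -> bool:
    """Match one SAN dNSName against a hostname.

    '*' is honoured only as the entire left-most label and stands for
    exactly one label, so '*.example.com' covers 'a.example.com' but
    neither 'example.com' nor 'a.b.example.com'.
    """
    if "*" in hostname:
        return False  # a client never connects to a literal wildcard name
    p = pattern.lower().rstrip(".").split(".")
    h = hostname.lower().rstrip(".").split(".")
    if len(p) != len(h) or "" in h:
        return False  # different depth, or an empty label in the hostname
    if p[0] == "*":
        # Simplified guard: refuse wildcards directly under a TLD ('*.com').
        return len(p) >= 3 and p[1:] == h[1:]
    return p == h  # exact, case-insensitive match


def uncovered(sans, hostnames):
    """Return the hostnames that no SAN entry covers, in input order."""
    return [h for h in hostnames if not any(san_matches(s, h) for s in sans)]


# SAN pair as described on this page: wildcard plus apex in one certificate.
SANS = ["*.example.com", "example.com"]

# Constructed deployment plan: apex, per-customer, preview and regional names.
PLANNED = [
    "example.com",
    "www.example.com",
    "acme.example.com",
    "pr-42.preview.example.com",  # two labels below the apex
    "eu.api.example.com",         # two labels below the apex
    "EXAMPLE.com.",               # case and trailing dot are normalised
]

if __name__ == "__main__":
    for name in uncovered(SANS, PLANNED):
        print(f"not covered by {SANS}: {name}")
```

Names reported as uncovered need either their own certificate or a wildcard issued for that deeper level (for example `*.preview.example.com`).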

Let's Encrypt certificates are valid for 90 days. Our renewal system begins the renewal process 30 days before expiration, giving multiple retry attempts if something goes wrong (DNS misconfiguration, temporary Let's Encrypt outage, etc.).
Renewal uses the same validation method as the original issuance. If DNS-01 was used initially, renewal uses DNS-01. The new certificate is deployed transparently with zero downtime — there's no window where the old certificate has expired and the new one isn't ready.
Certificate health is monitored continuously. If a renewal fails, we alert you via email with the specific error (DNS not pointing to Sigilhosting, port 80 blocked, etc.) and retry daily until the issue is resolved or the certificate expires.


For domains that require Extended Validation (EV) or Organization Validation (OV) certificates — which display the organization name in the browser's certificate details — you can upload certificates from any Certificate Authority in PEM or PFX/PKCS#12 format.
The private key is stored encrypted at rest and is never exposed via API, dashboard, or support access. Certificate expiration is monitored with email notifications sent 30 and 7 days before expiry.
Custom certificates take priority over auto-issued Let's Encrypt certificates. If both exist for a domain, the custom certificate is served. Remove the custom certificate to fall back to the automatic Let's Encrypt certificate.

Secure by default with no legacy protocol support.
TLS 1.3 is preferred for all connections, with TLS 1.2 as the minimum. TLS 1.0 and 1.1 are not supported — they have known vulnerabilities and are deprecated by all major browsers. Cipher suite selection prioritizes AEAD ciphers (AES-256-GCM, ChaCha20-Poly1305) and forward secrecy via ECDHE key exchange.
HSTS (HTTP Strict Transport Security) can be enabled per domain; the Strict-Transport-Security header is sent with a configurable max-age and an optional includeSubDomains directive. OCSP stapling is enabled by default, embedding the certificate revocation status in the TLS handshake to eliminate the client-side OCSP lookup latency.
Free SSL. Automatic renewal. No configuration.