HTTPS Certificate

Certificate options

Sudun offers a variety of certificate management solutions:

Sudun Universal SSL

The universal SSL certificate will be automatically configured for all domain names on Sudun. These certificates:

• Issued within 15 minutes of domain activation
• Automatic renewal 30 days before expiration
• Support for modern TLS versions (TLS 1.2, TLS 1.3)
• Contains the primary domain name and wildcard override

Enable Universal SSL

Universal SSL is enabled by default. Verification method:

1. Go to Domain → and select your domain name
2. Navigate to the SSL/TLS tab
3. Verify that Universal SSL shows as activated

Certificate coverage

Universal SSL certificates cover:

example.com ✓ 已覆盖 www.example.com ✓ 已覆盖 *.example.com ✓ 已覆盖（通配符） sub.sub.example.com ✗ 未覆盖（多级子域名）

Note: For multi-level subdomains (e.g.), use a custom certificate or add each subdomain individually.api.v2.example.com

Custom certificates

Uploading your own SSL certificate gives you full control over the certificate authority, expiration date, and subject information.

Supported formats

Upload a custom certificate

1. Go to Domain → and select your domain name
2. Navigate to SSL/TLS → Custom Certificates
3. Click Upload certificate
4. Provide the following:

┌─────────────────────────────────────────────────┐ │ 证书（PEM格式） │ │ ┌───────────────────────────────────────────┐ │ │ │ -----BEGIN CERTIFICATE----- │ │ │ │ MIIFjTCCA3WgAwIBAgIRANOxciY0... │ │ │ │ -----END CERTIFICATE----- │ │ │ └───────────────────────────────────────────┘ │ │ │ │ 私钥（PEM格式） │ │ ┌───────────────────────────────────────────┐ │ │ │ -----BEGIN RSA PRIVATE KEY----- │ │ │ │ MIIEowIBAAKCAQEA0Z3VS0... │ │ │ │ -----END RSA PRIVATE KEY----- │ │ │ └───────────────────────────────────────────┘ │ │ │ │ 证书链（可选） │ │ ┌───────────────────────────────────────────┐ │ │ │ 中间证书和根证书 │ │ │ └───────────────────────────────────────────┘ │ └─────────────────────────────────────────────────┘

Certificate requirements

• RSA key: at least 2048 bits (4096 bits recommended)
• ECDSA key: P-256 or P-384 curve
• Expiration date: must not expire
• Domain Matching: The certificate CN or SAN must match your domain name

Certificate chain

For custom certificates, the full certificate chain must be included:

您的证书（叶证书） ↓ 中间证书 ↓ 根证书（通常不需要）

Correct chain order:

-----BEGIN CERTIFICATE----- [您的域名证书] -----END CERTIFICATE----- -----BEGIN CERTIFICATE----- [中间证书] -----END CERTIFICATE----- -----BEGIN CERTIFICATE----- [根证书 - 可选] -----END CERTIFICATE-----

TLS configuration

Minimum TLS version

Configure the minimum acceptable TLS version:

Configuration steps:

1. Enter SSL/TLS → edge certificates
2. Set the Minimum TLS version to the desired level

Encryption suites

Sundun supports modern cryptographic suites by default:

TLS 1.3 cipher suite:

• TLS_AES_256_GCM_SHA384
• TLS_AES_128_GCM_SHA256
• TLS_CHACHA20_POLY1305_SHA256

TLS 1.2 cipher suite:

• ECDHE-RSA-AES256-GCM-SHA384
• ECDHE-RSA-AES128-GCM-SHA256
• ECDHE-RSA-CHACHA20-POLY1305

SSL mode

To configure how Sundun connects to the origin server:

Set up SSL mode

1. Go to the SSL/TLS → overview
2. Choose the right mode
3. Click Save

Recommendation: Production environments always use Full (Strict) mode to ensure end-to-end encryption for certificate validation.

HTTPS redirects

Enforce HTTPS for all traffic:

Always use HTTPS

Redirect all HTTP requests to HTTPS:

http://example.com → https://example.com（301 重定向）

Always enable in SSL/TLS → Edge Certificates → with HTTPS

HSTS (HTTP Strict Transport Security)

Enabling HSTS instructs browsers to always use HTTPS:

Strict-Transport-Security: max-age=31536000; includeSubDomains; preload

To configure HSTS settings:

• Maximum validity: The length of time the browser remembers using HTTPS only (recommended: 1 year)
• Include subdomains: Applies to all subdomains
• Preload: Submit to the browser preload list

Certificate monitoring

Expiration reminders

Sudun monitors certificate expiration times and sends alerts:

• 30 days before expiration: Email notification
• 14 days before expiration: Console warning
• 7 days before expiration: Critical alert

Certificate status

Check the certificate status in the console:

Troubleshooting

The certificate cannot be configured

1. Confirm that domain ownership is verified
2. Check if the CNAME record points to Sudun
3. Ensure that there are no CAA records blocking issuance
4. Wait up to 15 minutes for the spread to complete

Mixed content warning

If the browser displays a mixed content warning:

1. Update all resource URLs to use HTTPS
2. Use protocol relative URL()//example.com/resource
3. Enable "Automatic HTTPS Rewrite" in the console

Certificate chain error

# 验证证书链 openssl s_client -connect example.com:443 -servername example.com # 检查链问题 openssl verify -CAfile chain.pem certificate.pem

API Reference

Manage certificates via API:

# 列出证书 curl -X GET https://api.Sudun.com/v1/domains/example.com/certificates \ -H "Authorization: Bearer YOUR_API_KEY" # 上传自定义证书 curl -X POST https://api.Sundun.com/v1/domains/example.com/certificates \ -H "Authorization: Bearer YOUR_API_KEY" \ -H "Content-Type: application/json" \ -d '{ "certificate": "-----BEGIN CERTIFICATE-----...", "private_key": "-----BEGIN RSA PRIVATE KEY-----...", "chain": "-----BEGIN CERTIFICATE-----..." }'

Need help with SSL/TLS? Please contact admin@jindun.com