# Custom Domain Certificates

### **Overview**

ClawCloud Run integrates [cert-manager](https://cert-manager.io/) for automated TLS certificate management. While the platform auto-generates and renews certificates when configuring domains via the **Application Management dashboard**, you can also use **custom certificates** for full control.

⚠️ **Prerequisite**: Ensure your custom domain is already configured before proceeding.

***

### **Step 1: Create a TLS Secret**

1. Open the **Terminal** in ClawCloud Run.
2. Run the following commands to generate TLS files and create a Kubernetes Secret:

   ```
   # Create tls.crt (replace "xxxx" with your certificate content)  
   cat > tls.crt <<EOF
   -----BEGIN CERTIFICATE-----
   xxxx
   -----END CERTIFICATE-----
   EOF
   ​
   # Create tls.key (replace "xxxx" with your private key)  
   cat > tls.key <<EOF
   -----BEGIN RSA PRIVATE KEY-----
   xxxx
   -----END RSA PRIVATE KEY-----
   EOF
   ​
   # Create the TLS Secret  
   kubectl create secret tls <secret-name> --cert tls.crt --key tls.key
   ​
   # Verify the Ingress associated with your app  
   kubectl get ingress
   ```

<figure><img src="/files/qxQkK0XtKkV8kd6dPkJ9" alt=""><figcaption></figcaption></figure>

***

### **Step 2: Update Ingress Configuration**

Bind the custom certificate to your application’s Ingress:

```
# Replace:  
# - "clawcloud.xyz" with your domain  
# - "network-xxx" with your Ingress name  
# - "network-test" with your Secret name  
kubectl patch ingress <ingress-name> -p '{"spec":{"tls":[{"hosts":["your-domain.com"],"secretName":"<secret-name>"}]}}'
```

<figure><img src="/files/EVw1R5JNP4ahBgJmPIpr" alt=""><figcaption></figcaption></figure>

***

### **Verification**

Access your application via the custom domain. The padlock icon in the browser should confirm HTTPS is active.

<figure><img src="/files/H9kZCLNJ9lMx3wrrB4G4" alt=""><figcaption></figcaption></figure>

***

### **Key Notes**

* 🔒 **Security**: Never commit certificate files (`tls.crt`/`tls.key`) to version control.
* 🔄 **Renewals**: For custom certificates, manually renew and update the Secret before expiration.
* ⚠️ **Formatting**: Ensure certificates and keys use correct PEM encoding.

**Example Workflow**:

1. Deploy an app with a custom domain `app.yourbrand.com`.
2. Generate a Let’s Encrypt certificate locally.
3. Create a Secret named `prod-tls`.
4. Patch the Ingress to reference `prod-tls`.


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://docs.run.claw.cloud/clawcloud-run/guide/app-launchpad/custom-domain-certificates.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.