SSL Certificates

Secure connections between visitors and your site

HTTPS and SSL on Arcustech VPS

SSL shield

SSL encrypts traffic, protects logins and forms, and improves user trust and browser security indicators.

Our recommended modern setup: Put a CDN and abuse protection service in front of your site (Cloudflare, Bunny CDN, Fastly, etc.). This improves global performance, reduces bot and abuse traffic, and also handles SSL for visitors at the edge.

If you do not want a CDN, we recommend Let’s Encrypt on the server using DNS validation with automated renewal.

Updated: February 2026

Why the SSL industry is changing

The maximum validity period for publicly trusted SSL/TLS certificates is being reduced on a phased schedule. This is pushing the industry toward automated issuance and renewal, similar to what Let’s Encrypt has been doing for years.

  • March 15, 2026: maximum certificate lifespan reduces to 200 days
  • March 15, 2027: maximum certificate lifespan reduces to 100 days
  • March 15, 2029: maximum certificate lifespan reduces to 47 days

The practical takeaway is simple: manual, calendar-based certificate renewals become harder to maintain as lifespans shorten.

Commercial SSL transition policy (March 2026 to March 2027)

Between March 15, 2026 and March 14, 2027, we will continue to install manual CSR-created commercial SSL certificates on request at our current No Fee costs.

For customers that still need or require a commercial SSL certificate, we will continue offering PositiveSSL DV Standard certificates for $29/year.

Important: Between March 15, 2026 and March 14, 2027, certificates purchased through us or any other commercial SSL vendor may be sold as yearly in the vendor’s system, but the certificate actually issued will only be valid for 200 days. This requires a new SSL certificate to be generated and installed at least a second time during that same yearly purchase timeframe.

After March 14, 2027, we will no longer sell commercial SSL certificates directly. At that point, commercial SSL certificates will have moved to the 100-day validity period and will effectively require automation. The automation details below (including any possible automation setup fees) will apply starting on March 15, 2027.

Our default SSL approach going forward

Option 1: Use a CDN (recommended)

We strongly recommend putting a CDN and abuse protection service in front of every website. Cloudflare is the most common choice and their free tier is enough for most sites.

  • SSL termination at the CDN: visitors connect to the CDN over HTTPS
  • Abuse protection and caching: reduces load on your VPS and improves global performance
  • Origin SSL to your server: you can use either a Let’s Encrypt cert on the VPS or a long-lived CDN Origin Certificate
Option 2: Let’s Encrypt on the server (standard)

Let’s Encrypt is a free, automated certificate authority operated by the non-profit Internet Security Research Group (ISRG). Let’s Encrypt is our standard on-server SSL solution because it is built for automation and scales cleanly as certificate lifespans shorten.

Our preferred Let’s Encrypt setup is DNS validation using a CNAME record. This allows us to issue a single wildcard certificate that covers both example.com and *.example.com (www, staging, and other subdomains) with automated renewals.

  • Wildcard by default: we typically issue example.com and *.example.com together
  • Can be done before DNS cutover: DNS validation does not require the domain to point at the server yet
  • Validation-only CNAME: the CNAME record is used only for certificate validation and does not route visitor traffic to Arcustech

To enable Let’s Encrypt on your VPS, open a support request in the Dashboard and tell us the domain name you want covered. We will provide a simple CNAME record to add at your DNS provider for validation and renewal.

If DNS validation is not an option (for example due to DNS restrictions or internal policy), we can still issue Let’s Encrypt using HTTP-based validation. In that case the certificate is non-wildcard, example.com / www.example.com by default, and the domain must be pointed to the web server during setup so the HTTP challenge can complete.

We recommend that customers monitor SSL expiration independently. Let’s Encrypt maintains a list of monitoring options here: SSL certificate monitoring options.

Option 3: Commercial SSL with ACME automation (limited support)

If you have a strict compliance or enterprise policy that requires a commercial CA, we can often automate commercial certificate issuance and renewal if your CA supports ACME and provides the required ACME account credentials (for example EAB credentials).

One-time automation fee: $149 per SSL automation setup (per domain/certificate task).

Important: ACME is a protocol, but each commercial CA’s operational workflow is still different. Billing, account renewals, and CA-side validation requirements are managed in your CA account, not in our Dashboard. We can automate the on-server ACME workflow, but we cannot replace your CA’s account management or support.

Our automation is based on acme.sh. If a specific CA requires unusual steps, custom validation methods, or non-standard behavior, we may either:

  • require additional billable time due to complexity, or
  • determine that we cannot support automation for that CA reliably on our platform

If you are unsure which path fits your project, open a ticket and tell us whether you are using a CDN, Let’s Encrypt, or a commercial CA, and we will point you to the best option.

Additional Details:

Do I have to purchase an SSL certificate from Arcustech?

No. You can use Let’s Encrypt, a CDN-managed certificate, or a commercial CA of your choice. Our recommended approach for most sites is either a CDN in front of the site or Let’s Encrypt automation on the server.

Does the validation CNAME affect my website traffic?

No. The DNS CNAME record used for Let’s Encrypt validation is only used to prove domain control to the certificate authority. It does not route website traffic, change where your site is hosted, or impact your normal DNS records.

Can SSL be set up before I move my DNS to Arcustech?

Yes. When using DNS validation we can issue the certificate before your domain points to the new server.

This allows SSL to already be working when you perform the DNS cutover.

If DNS validation is not available for your DNS provider or organization, we can also install an existing SSL certificate before the cutover if you already have the certificate files.

This includes standard commercial certificates or existing Let’s Encrypt certificates as long as you provide the required files such as the .crt (certificate) and .key (private key).

Once DNS is moved to the Arcustech server, the certificate will already be active and visitors will immediately connect using HTTPS.

Is it recommended to use SSL on my whole site?

Yes. HTTPS should be enforced site-wide whenever possible. It improves privacy and security for visitors, and is the modern baseline expectation for browsers.

Can I have SSL on multiple domains on a single VPS?

Yes. This is typically handled using multiple certificates via SNI (Server Name Indication), which is supported by all modern browsers. A CDN in front of the site can also simplify multi-domain SSL management.

Do you monitor SSL expirations for customers?

No. SSL certificate monitoring is not included as a managed service responsibility. If monitoring is important for your organization, we recommend using an external monitoring tool. Let’s Encrypt maintains a list of options here: monitoring options.

"Airplane WIFI is terrible but http://studio.zeldman.com loads in less than 3 seconds."
Jeffrey Zeldman
"Moved a client site from Rackspace to @ArcustechUSA. Client says, “All I know is that our website is poppin’ now!”"
Jason Siffring
Follow us on:
Threads | LinkedIn