SSL certificates

We issue free SSL certificates via Let's Encrypt for every custom domain, automatically. There's nothing to configure, no key file to upload, no expiry to track. Certificates renew at 60 days, 30 days before they expire.

Issuance happens immediately after DNS verification — usually within 30 seconds. While provisioning, your domain serves Qubed's default cert (*.qubed.xyz), which means visitors will see a certificate warning. The window is short, but worth knowing about.

We default to TLS 1.3 with a fallback to TLS 1.2; older versions are disabled. HSTS is enabled with a 6-month max-age on all custom domains, so once a visitor hits HTTPS they're locked in. If you change your mind about the domain, plan accordingly.

Wildcard certificates (*.yourapp.com) require DNS-01 validation, which means a _acme-challenge TXT record at your DNS provider. We surface the exact value in the dashboard and re-verify automatically on every renewal.