How to Install and Bind a Server Certificate on Traefik?
Overview
This guide describes how to install an existing TLS/SSL server certificate and bind it to Traefik for HTTPS traffic. Traefik uses Server Name Indication (SNI) to present the correct certificate for the hostname the client requests.
Prerequisites
- Traefik is installed and running
- A valid server certificate (including the full certificate chain)
- The matching private key for the certificate
- The DNS hostname the certificate was issued for (for example, example.domain.com)
Procedure
Step 1: Upload the Certificate and Private Key
Copy the certificate and private key to the Traefik host:
sudo cp server.crt /opt/traefik/certs/
sudo cp server.key /opt/traefik/certs/
Apply secure file permissions:
sudo chmod 644 /opt/traefik/certs/server.crt
sudo chmod 600 /opt/traefik/certs/server.key
Step 2: Verify the Certificate Matches the Private Key
Confirm that the certificate and private key belong to the same key pair.
Public key from the certificate:
openssl x509 -in /opt/traefik/certs/server.crt -noout -pubkey | openssl sha256
Public key from the private key:
sudo openssl pkey -in /opt/traefik/certs/server.key -pubout | openssl sha256
✅ The hash values must be identical.
Step 3: Configure the TLS Certificate in Traefik
Create or update the TLS configuration file used by Traefik.
File: /opt/traefik/dynamic/tls.yml
tls:
  certificates:
    - certFile: /certs/server.crt
      keyFile: /certs/server.key
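This configuration tells Traefik which certificate and private key to load. The paths are the ones the Traefik process sees: with Traefik running in a container, as the docker restart in Step 5 implies, /certs/ here is assumed to be the container mount point of the host directory /opt/traefik/certs/ from Step 1.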
Step 4: Bind the Certificate to a Hostname (SNI)
Create or update an HTTPS router that enables TLS and specifies the hostname.
File: /opt/traefik/dynamic/router.yml
http:
  routers:
    https-router:
      entryPoints:
        - websecure
      rule: "Host(`example.domain.com`)"
      service: noop@internal
      tls: {}
Traefik selects the certificate based on the hostname provided by the client during the TLS handshake (SNI).
Step 5: Reload Traefik
Restart Traefik to apply the new certificate configuration:
sudo docker restart traefik
Step 6: Validate the Certificate Binding
From a client system, verify that the correct certificate is presented:
openssl s_client -connect example.domain.com:443 -servername example.domain.com
Confirm that:
- The correct certificate is presented
- The issuer is correct
- The full certificate chain is included
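The file checks from Steps 1, 2 and 4 can be run together before the restart in Step 5. The script below is an added example, not part of the original guide: check_tls_pair is a hypothetical helper, the 14-day expiry threshold is an assumption, and it expects OpenSSL 1.1.1 or later and GNU stat on a Linux host.

```shell
#!/bin/sh
# Added example (not from the original guide). check_tls_pair is a hypothetical
# helper; assumes OpenSSL 1.1.1+ and GNU stat on a Linux host.
# Usage: check_tls_pair CERT KEY HOSTNAME [MIN_DAYS_VALID]
check_tls_pair() {
    cert=$1 key=$2 host=$3 min_days=${4:-14} fail=0

    # Extract both public keys; stop early if either file cannot be parsed,
    # so two unreadable files are never reported as a "match".
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) ||
        { echo "FAIL: cannot parse certificate $cert"; return 1; }
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) ||
        { echo "FAIL: cannot parse private key $key"; return 1; }

    # Step 2: same comparison as the two sha256 commands, done on the PEM text.
    if [ "$cert_pub" = "$key_pub" ]; then
        echo "ok: certificate and key are the same key pair"
    else
        echo "FAIL: certificate and key do not match"; fail=1
    fi

    # Step 1: the private key must be readable by its owner only.
    mode=$(stat -c '%a' "$key")
    case "$mode" in
        600|400) echo "ok: key mode is $mode" ;;
        *) echo "FAIL: key mode is $mode, expected 600"; fail=1 ;;
    esac

    # -checkend exits non-zero if the certificate expires within N seconds.
    if openssl x509 -in "$cert" -noout -checkend $((min_days * 86400)) >/dev/null; then
        echo "ok: valid for at least $min_days more days"
    else
        echo "FAIL: expires within $min_days days (or already expired)"; fail=1
    fi

    # Step 4: the router's Host() name must be covered by the certificate.
    if openssl x509 -in "$cert" -noout -checkhost "$host" |
            grep -q 'does match certificate'; then
        echo "ok: certificate covers $host"
    else
        echo "FAIL: certificate does not cover $host"; fail=1
    fi

    return "$fail"
}

# Run the checks when called as a script with at least three arguments.
if [ "$#" -ge 3 ]; then check_tls_pair "$@"; fi
```

Because the key is mode 600, run the script with sudo; a non-zero exit status means at least one check failed.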
Result
The server certificate is now installed and bound to Traefik. HTTPS connections for the specified hostname will use the configured certificate via SNI.
Verification
To confirm the process was successful, use the OpenSSL validation command above or open https://example.domain.com in a browser. Check that:
- The connection is secure
- The certificate is valid and correctly issued
- The hostname matches
- The certificate chain is trusted