HTTPS is handled automatically. When a domain that points to this service is accessed for the first time, a TLS certificate is obtained and renewed in the background — no configuration required.

Single-hostname certificates

By default, a certificate is issued for the exact hostname being redirected. A redirect on www.your-domain.com receives a certificate for www.your-domain.com.

No additional DNS configuration is required. Certificates are issued on first access and renewed automatically.

Certificate issuance is rate limited to 5 certificates per domain per 24 hours across all hostnames sharing the same registered domain. Renewals of existing certificates do not count against this limit. If you are planning to redirect a large number of subdomains, consider configuring DNS delegation to obtain a single wildcard certificate instead — it counts as one issuance regardless of how many subdomains it covers.

Wildcard certificates

If you are redirecting multiple subdomains of the same domain, you can configure DNS delegation to obtain a single wildcard certificate (e.g. *.your-domain.com) that covers all of them.

To enable wildcard certificates for a domain, add a CNAME record delegating the ACME challenge subdomain:

_acme-challenge.your-domain.com.  IN  CNAME  _acme-challenge.d.http-redirect.com.

Once this record has been created, the next time a certificate is required for any subdomain of your-domain.com, a wildcard certificate *.your-domain.com will be issued instead of a hostname-specific certificate.

Example — redirecting multiple subdomains

# DNS records for your-domain.com
www.your-domain.com.               IN  CNAME  r.http-redirect.com.
blog.your-domain.com.              IN  CNAME  r.http-redirect.com.
shop.your-domain.com.              IN  CNAME  r.http-redirect.com.

# Wildcard certificate delegation
_acme-challenge.your-domain.com.   IN  CNAME  _acme-challenge.d.http-redirect.com.

# TXT redirect records
_redirect.www.your-domain.com.     IN  TXT    "https://new-domain.com"
_redirect.blog.your-domain.com.    IN  TXT    "https://blog.new-domain.com"
_redirect.shop.your-domain.com.    IN  TXT    "https://shop.new-domain.com"

One delegation record covers all direct subdomains of your-domain.com (e.g. www, blog, shop). Deeper subdomains such as api.v2.your-domain.com require a separate delegation at that level — see Nested subdomains below.

Security notice: Adding this CNAME delegation grants this service the ability to obtain TLS certificates for any subdomain of your domain via the ACME DNS-01 challenge — not just the hostnames you point at this service. Understand the implications of the trust delegated to this service before configuring this feature for your domain.

Nested subdomains

Wildcard certificates cover one subdomain level. A certificate for *.your-domain.com covers www.your-domain.com but not api.v2.your-domain.com.

For deeper subdomains, add the CNAME delegation at the appropriate level:

# Covers *.v2.your-domain.com (api.v2.your-domain.com, etc.)
_acme-challenge.v2.your-domain.com.  IN  CNAME  _acme-challenge.d.http-redirect.com.

Depth limit: Hostnames are accepted up to a maximum of 6 subdomain levels deep (e.g. a.b.c.d.e.f.your-domain.com). Hostnames exceeding this depth will not receive a certificate.

Certificate reference

Domain	DNS delegation configured?	Certificate issued
`www.your-domain.com`	No	`www.your-domain.com`
`www.your-domain.com`	Yes — at `_acme-challenge.your-domain.com`	`*.your-domain.com`
`api.v2.your-domain.com`	Yes — at `_acme-challenge.v2.your-domain.com`	`*.v2.your-domain.com`
`your-domain.com` (apex)	Any	`your-domain.com` — apex domains always receive a single-hostname certificate

Wildcard certificates cannot be issued for apex domains because the DNS protocol does not typically allow CNAME records (required for our challenge delegation) to be placed at the domain root.