Convox will, if needed, automatically generate a valid SSL certificate for your service via AWS ACM. If you already have a matching certificate in AWS ACM for the domain(s) in question Convox will use the existing certificate.

If you specify a custom domain: attribute for your service be on the lookout for a validation email that will come the first time you deploy.