SSL (TLS) certificates for Adobe Commerce on cloud infrastructure
This article provides quick answers to questions about getting SSL (TLS) certificates for your Adobe Commerce site on our cloud infrastructure.
What SSL/TLS certificate does Adobe provide?
Adobe provides a Domain-Validated (DV) Let's Encrypt certificate to serve secure HTTPS traffic from Fastly. Adobe provides one certificate for each Adobe Commerce on cloud infrastructure Pro plan architecture, Staging, and Adobe Commerce on cloud infrastructure Starter plan architecture environment to secure all domains in that environment.
What does a certificate cover?
For the Pro plan architecture, both the Staging and Production dedicated environments have an SSL certificate created. Each dedicated environment outside of the Platform-as-a-Service (PaaS) Integration environments has this certificate for the URLs that are assigned to that environment.
For the Starter plan architecture and PaaS Integration environments, there will be a default technical domain that is provisioned with the environment and secured by a separate certificate.
How do I add a new domain to the existing certificate?
To add the domain to the service in Fastly:
- Point your domain in DNS to prod.magentocloud.map.fastly.net and wait up to 6 hours.
- Submit a support ticket requesting to add this domain to the Nginx configuration (if you have not already done so).
How do I request a certificate?
Case 1
If you have not launched a website yet, you may have received an ACME Challenge CNAME from your Customer Technical Advisor (CTA). You only need an ACME challenge if you cannot immediately point your DNS to your production URL and need to get the SSL certificates created in advance.
Case 2
If your site is already live and/or you can point the URLs that will be used for your live site right away, you do not need to request an ACME CNAME. Once you add the URLs as necessary to your Adobe Commerce on cloud infrastructure site and point your DNS at Fastly, HTTP validation will work and either create your SSL certificate for the first time or update your certificate with additional URLs.
Can I use my own SSL/TLS certificate?
You can provide your own SSL/TLS certificate instead of the one provided by Adobe.
However, this process requires additional work to set up and maintain. You will first need to generate a Certificate Signing Request (CSR) for the website's domain name (or common name) and submit it to your SSL vendor to obtain an SSL certificate.
Once you have the SSL certificate, submit an Adobe Commerce Support ticket or work with your CTA to add custom-hosted certificates to your cloud environments.
- If the domains are no longer in use, they will be automatically purged from our system, and no further action is required.
- If you already own a certificate, upload it using an SFTP (SSH File Transfer Protocol) client to a web-inaccessible file location on your server and submit a support ticket that states the file path.
The files should be uploaded to the server via SFTP; do not use any other method, such as committing the files to your repository (which should only be done for immutable files that do not contain sensitive data).
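The CSR step above is where the hostnames that will end up in the certificate are fixed. The following is an added example, not code from the article or from Adobe: it wraps the `openssl req` command-line tool (assumed to be OpenSSL 1.1.1 or later, which supports `-addext`) so that the primary hostname lands in the Common Name and every site hostname, primary included, lands in the subjectAltName extension, and it restricts the private key file to the owner so it cannot be read by other users on the build host. The hostnames and file paths are constructed placeholders.

```python
import os
import re
import subprocess
from pathlib import Path

# Constructed placeholder values; replace with the site's real hostnames and paths.
PRIMARY_HOST = "www.example-store.test"
EXTRA_HOSTS = ["example-store.test", "shop.example-store.test"]


def build_csr_command(key_path, csr_path, common_name, sans):
    """Assemble an `openssl req` invocation that puts the primary hostname in the
    CN and every hostname (primary first, no duplicates) in subjectAltName.
    The CA fills the certificate from the SAN list, so the CN alone is not enough."""
    names = [common_name] + [s for s in sans if s != common_name]
    san_ext = "subjectAltName=" + ",".join(f"DNS:{n}" for n in names)
    return [
        "openssl", "req", "-new", "-newkey", "rsa:2048", "-nodes",
        "-keyout", str(key_path), "-out", str(csr_path),
        "-subj", f"/CN={common_name}",
        "-addext", san_ext,
    ]


def generate_csr(key_path, csr_path, common_name, sans):
    """Run openssl to create the private key and CSR, then lock the key down.
    The key stays on the host that generated it; only the CSR goes to the vendor."""
    cmd = build_csr_command(key_path, csr_path, common_name, sans)
    subprocess.run(cmd, check=True, capture_output=True)
    os.chmod(key_path, 0o600)  # owner read/write only
    return Path(csr_path)


def parse_dns_names(openssl_text):
    """Extract the DNS entries from `openssl req -noout -text` output,
    so the CSR can be checked before it is sent to the vendor."""
    return re.findall(r"DNS:([A-Za-z0-9.*-]+)", openssl_text)


def csr_dns_names(csr_path):
    """Decode a CSR with openssl and return the DNS names it requests."""
    out = subprocess.run(
        ["openssl", "req", "-noout", "-text", "-in", str(csr_path)],
        check=True, capture_output=True, text=True,
    ).stdout
    return parse_dns_names(out)


if __name__ == "__main__":
    csr = generate_csr("site.key", "site.csr", PRIMARY_HOST, EXTRA_HOSTS)
    print("CSR requests:", csr_dns_names(csr))
```

Before sending the CSR to the vendor, compare the output of `csr_dns_names()` against the list of URLs configured for the environment; a hostname missing here will be missing from the issued certificate as well.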
The name of your certificate
The name of the SSL certificate only matters for the primary URL: the primary hostname is the one named by the first URL, and that hostname must match for the certificate to be validated and created. If you have a few URLs, they are added as Subject Alternative Name entries to the certificate. If you have several URLs pointing to one Adobe Commerce on cloud infrastructure site, you will have only one certificate, whose Common Name is the primary URL, with the remaining URLs appended as Subject Alternative Names to secure your site with SSL.
What domain will be displayed in the Common Name field of the certificate?
The domain displayed on the certificate is simply the first domain added to the TLS certificate: it populates the Common Name (CN) field, and browsers display this name first. The Subject Alternative Name (SAN) field contains all of the DNS names for the TLS certificate. There is no way to change or request the Common Name displayed.
Can I use wildcard TLS certificates?
Wildcard TLS certificates can only be used with your custom certificate and not with Adobe Commerce Let's Encrypt certificates. As part of our TLS optimization, Adobe is ending support for wildcard TLS certificates. We are identifying and contacting merchants that use a wildcard certificate with Adobe's Let's Encrypt certificates and are configured in the Fastly console for Adobe Commerce. We are asking that these wildcard certificates be replaced with exact domains to ensure TLS coverage.
To replace a wildcard TLS certificate, visit the domain section of the Fastly plugin. From there, exact domains can be added and the wildcard can be removed. Note that DNS will need to point to Fastly for these new domains to route through the CDN. Once the domains are added and DNS is updated, a matching certificate will be provisioned.
If you do not remove a domain that is pointing to Fastly using a wildcard, Adobe will delete the shared certificate. This may result in a site outage if you do not have the URL FQDN configured and the same URL FQDN set up in your DNS. You should therefore confirm that the configured URLs also have a one-to-one match in their DNS pointing to Fastly.
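The CN/SAN description above and the wildcard-removal advice both come down to one check: does every hostname configured for the site match a name on the certificate actually served, and which hostnames would lose coverage once the wildcard entry is gone? The following is an added example, not code from the article or from Adobe. It reads certificates in the dictionary layout that Python's `ssl.SSLSocket.getpeercert()` returns, applies the usual leftmost-label wildcard rule (a `*.example.test` entry covers `shop.example.test` but neither the apex `example.test` nor `eu.shop.example.test`), and reports per-hostname coverage. The sample certificate and hostnames are constructed; `fetch_peer_cert()` is the only part that needs network access.

```python
import socket
import ssl

FASTLY_CNAME = "prod.magentocloud.map.fastly.net"  # CDN target named in the article

# Constructed sample in getpeercert() layout: CN is the first URL, the SAN list
# holds an exact name plus a wildcard that is about to be retired.
SAMPLE_CERT = {
    "subject": ((("commonName", "www.example-store.test"),),),
    "subjectAltName": (
        ("DNS", "www.example-store.test"),
        ("DNS", "*.example-store.test"),
    ),
}
CONFIGURED_HOSTS = [
    "www.example-store.test",
    "shop.example-store.test",
    "example-store.test",
    "eu.shop.example-store.test",
]


def cert_names(cert):
    """Return (common_name, san_dns_names) from a getpeercert()-style dict."""
    cn = None
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                cn = value
    sans = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    return cn, sans


def name_matches(pattern, hostname):
    """Match a certificate name against a hostname: exact match, or a single
    leftmost '*' label that stands in for exactly one label (RFC 6125 style).
    The wildcard never covers the apex domain or more than one label."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if pattern == hostname:
        return True
    if not pattern.startswith("*."):
        return False
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    if len(p_labels) != len(h_labels) or len(p_labels) < 3:
        return False
    return p_labels[1:] == h_labels[1:]


def coverage_report(cert, configured_hosts):
    """Map each configured hostname to the certificate names that cover it.
    An empty list means browsers will reject TLS for that hostname."""
    _, sans = cert_names(cert)
    return {h: [n for n in sans if name_matches(n, h)] for h in configured_hosts}


def uncovered_after_wildcard_removal(cert, configured_hosts):
    """Hostnames that lose coverage once every wildcard SAN is dropped:
    these are the exact domains that must be added before the wildcard goes."""
    _, sans = cert_names(cert)
    exact = [n for n in sans if not n.startswith("*.")]
    return sorted(h for h in configured_hosts
                  if not any(name_matches(n, h) for n in exact))


def fetch_peer_cert(hostname, port=443, timeout=5.0):
    """Fetch the certificate served for hostname (requires network access);
    the result can be fed straight into coverage_report()."""
    ctx = ssl.create_default_context()
    with socket.create_connection((hostname, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            return tls.getpeercert()


if __name__ == "__main__":
    for host, names in coverage_report(SAMPLE_CERT, CONFIGURED_HOSTS).items():
        print(f"{host:30} covered by: {names or 'NOTHING'}")
    print("add as exact domains before removing the wildcard:",
          uncovered_after_wildcard_removal(SAMPLE_CERT, CONFIGURED_HOSTS))
```

Run `coverage_report(fetch_peer_cert(host), configured_hosts)` for a live site to see what Fastly is really serving; `uncovered_after_wildcard_removal()` gives the list of exact domains to add in the Fastly plugin (and point at `prod.magentocloud.map.fastly.net` in DNS) before the wildcard entry is removed.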
What should I do if my domain is no longer pointing to Adobe Commerce?
If your domain is no longer pointing to Adobe Commerce, remove it from the Fastly/Adobe Commerce system. See Fastly to learn more. While it is not necessary to point your domain to Adobe Commerce, confirm whether a top-level domain TLS certificate is required. If a top-level domain is required, update your DNS to point to Adobe Commerce. If it is already pointing to Adobe Commerce, update your CAA record to include . If you perform these steps, you will see the LE Cert updated with the necessary secondary URLs that the cert covers.
Related reading
Provision SSL/TLS certificates in our developer documentation