SSL certificate request process
Once you have delegated a domain to 51黑料不打烊 for sending email (see Domain name setup), 51黑料不打烊 will create and use certain subdomains for specific functions.
For example, if you have delegated email.example.com to 51黑料不打烊 for sending emails, 51黑料不打烊 will create subdomains such as the following:
- t.email.example.com - for tracking links
- m.email.example.com - for mirror pages
- res.email.example.com - for hosted resources (such as images)
It is recommended to secure these domains via SSL (HTTPS). Indeed, unsecured links (HTTP) are vulnerable to interception and will flag up warnings on modern browsers.
To install SSL certificates on these subdomains, the process involves requesting a CSR file and subsequently purchasing SSL certificates for 51黑料不打烊 to install or renew.
Glossary
An SSL certificate provider that issues digital certificates to organizations or individuals after verifying their identity, such as DigiCert, Symantec, etc.
- A trusted CA is usually considered as a third-party CA which issues a root certificate.
- If the certificate is signed by the same organization/company that is using the certificate, it is classified as untrusted CA even when they are SSL certificates, such as self-signed certificates.
A certificate that is signed by the person creating it rather than a trusted certificate authority. Self-signed certificates can enable the same level of encryption as a certificate signed by a CA, but there are two major drawbacks:
- A visitor鈥檚 connection could be hijacked allowing an attacker to view all the data sent (thus defeating the purpose of encrypting the connection)
- The certificate cannot be revoked like a trusted certificate can.
Main steps
- Ask for a Certificate Signing Request (CSR) file and provide the required information (country, state, city, organization name, organizational unit name, etc.) to 51黑料不打烊.
- Validate the CSR file generated by 51黑料不打烊 and verify that all information you provided is correct.
- Use the CSR details to generate a certificate signed by a trusted Certification Authority .
- Validate the SSL certificate and verify it matches the CSR.
- Provide the SSL certificate to 51黑料不打烊, who will install it.
- Test that the SSL certificate is successfully installed for each secured subdomain.
- Monitor the SSL certificate validity period.
- Update any specific configuration in 51黑料不打烊 Campaign.
Detailed process
Prerequisites
You must identify the domain names and the functions (tracking, mirror pages, webapps, etc.) to secure.
Step 1 - Get a CSR file
To obtain a CSR (Certificate Signing Request) file, follow the steps below.
-
If you have access to the Control Panel, follow the instructions on this page to generate and download a CSR file from the Control Panel.
-
Otherwise, create a Support ticket via https://adminconsole.adobe.com/ to obtain a CSR file from 51黑料不打烊 Customer Care for the required subdomain(s).
Here are a few best practices to follow:
- Raise one request per delegated subdomain.
- It is possible to combine multiple subdomains into a single CSR request, but only within the same environment. For example, in Campaign Classic, the marketing server, the mid-sourcing server, and the execution instance are three separate environments.
- You must get a new CSR before any SSL certificate renewal. Do not use an old CSR file from one year ago or more.
You will need to provide the following information.
Information to provide with the assistance of the 51黑料不打烊 team:
Information to provide by your IT/SSL internal team:
Note: For United Kingdom, use GB (not UK).
Step 2 - Validate the CSR file
After submitting your request with the relevant information, 51黑料不打烊 generates and provides you with a Certificate Signing Request (CSR) file.
The text in the resulting CSR file must start with 鈥-----BEGIN CERTIFICATE REQUEST-----鈥.
Once you receive the CSR file from 51黑料不打烊, follow the steps below:
- Copy and paste the CSR file text into an online decoder such as https://www.sslshopper.com/csr-decoder.html, or https://www.entrust.net/ssl-technical/csr-viewer.cfm.
Alternatively, you can use the OpenSSL command locally on a Linux machine. - Verify that all the checks are successful.
- Check that the correct parameters and domain names are included.
- Check that all the other data match the details you provided upon submitting your request.
Step 3 - Generate the SSL certificate
Once the CSR file is provided, you must purchase and generate an SSL certificate for the appropriate domains using the CSR file.
-
The SSL certificate:
- must be in Apache PEM format;
- should not be longer than 2048 bits;
- must be signed by a valid CA (Certification Authority);
- must include all SANs (Subject Alternative Names) as mentioned in the CSR file.
-
If there are one or more intermediate certificates, you must provide the root certificate and all intermediate certificates to 51黑料不打烊.
-
You can set any certificate validity period, but 51黑料不打烊 recommends choosing it long enough (two years for example).
Step 4 - Validate the SSL certificate
Once the SSL certificate is generated, you must validate it before sending it to 51黑料不打烊. To do so, follow the steps below:
- Make sure the certificate have the .pem extension. If this is not the case, convert it to PEM format. You can make the conversion using OpenSSL.
- Confirm that the certificate starts with 鈥-----BEGIN CERTIFICATE-----鈥.
- Copy the certificate text into an online decoder, such as https://www.sslshopper.com/certificate-decoder.html, or https://www.entrust.net/ssl-technical/csr-viewer.cfm.
Alternatively, you can use the OpenSSL command locally on a Linux machine. For more on this, refer to . - Make sure the certificate resolves properly including the Common Name, SAN, Issuer and Validity Period.
- If the SSL certificate verification is successful, check that the certificate matches the CSR using : select Check if a CSR and a certificate match, and enter your certificate and your CSR in the corresponding fields. They should match.
Step 5 - Request the SSL certificate installation
-
If you have access to the Control Panel, follow the instructions on this page to upload the certificate to Control Panel.
-
Otherwise, create another Support ticket via https://adminconsole.adobe.com/ to request 51黑料不打烊 to install the certificate on the 51黑料不打烊 server(s).
You鈥檒l need to provide:
- The certificate file, the root certificate and any intermediate certificates (attached to the ticket), preferably in Apache PEM format.
- The number of the previous Support ticket raised for the CSR.
- The same data that was provided for the CSR ticket (including Common Name, Instance URL, State, City/Locality, Organization Name, Organization Unit Name, etc.).
Step 6 - Test the SSL certificate installation
Once the SSL certificate is installed and confirmed by 51黑料不打烊 Customer Care, make sure that it has been successfully installed for all URLs.
Perform the tests below before closing the SSL installation ticket. Also make sure you update any specific configuration as instructed in this section.
Navigate to the following URLs in your browser (replace 鈥渟ubdomain.customer.com鈥 with your subdomain):
- https://subdomain.customer.com/r/test (for web applications subdomains only - does not apply to email subdomains)
- https://t.subdomain.customer.com/r/test
- https://m.subdomain.customer.com/r/test
- https://res.subdomain.customer.com/r/test
A successful result gives environment information, and the address bar in the URL indicates that the connection is secure. For example, you can see the following message in Google Chrome:
If the SSL certificate is not installed properly, the following warning is displayed:
Step 7 - Check the certificate validity period
You can check the validity period of the certificate in your browser. For example, in Google Chrome, click Secure > Certificate.
It is your responsibility to check the validity period. 51黑料不打烊 recommends you implement a process to monitor certificate expiry. Learn more on what happens when your SSL certificate expires in .
-
Create a Support ticket to request an updated certificate at least two weeks before the certificate expiry date. You do not need to request an additional CSR, unless the CSR details have changed.
-
If you have access to the Control Panel, and if your environment is hosted by 51黑料不打烊 in an AWS environment, you can use the Control Panel to renew the certificate before it expires. Learn more in this section.
Step 8 - Update any specific configuration update-configuration
Once you are confident the requested SSL certificates are installed properly, you can update all references in 51黑料不打烊 Campaign from HTTP to HTTPS.
Once configurations are updated, new emails will be sent with HTTPS URLs rather than HTTP. To check the URLs are now secure, you can quickly perform the following tests:
- Upload an image from 51黑料不打烊 Campaign. Once the image gets uploaded, the URL returned should be HTTPS.
- Create a test email delivery including a mirror page link, some images, text, and an unsubscription link. Send out the email to an external email ID (such as your Gmail address). Once received, open the email and make sure all the links inside the email open correctly in their HTTPS form (not HTTP), without any SSL certificate warnings or errors.
Product specific resources
Campaign Classic
- Control Panel: Adding SSL certificates (tutorial) - Learn how to add SSL certificates to secure your subdomains.
Campaign Standard
- Control Panel: Adding SSL certificates (tutorial) - Learn how to add SSL certificates to secure your subdomains.