StackPath offers a free SSL certificate to help protect your web traffic through your site's domain. This article will show you two different methods for requesting and validating the Free StackPath SSL Certificate to deliver your content over HTTPS.
Using the Free EdgeSSL Certificate is simple, as it will cover any domain or subdomain listed in your Settings Tab under Delivery Domains.
You will need access to your DNS provider and your StackPath Control Portal. This article assumes you have created a Stack and Site for your desired delivery domain.
Requesting the Certificate
Even though the system allows you to have wildcard domains listed under the Delivery Domains section, the system will not let you issue an EdgeSSL to cover the wildcard. Please follow this guide on how to upload your own wildcard SSL certficate.
- Login to the StackPath Control Panel
- Select Sites on the left side navigation
- Select the Site you want to generate an SSL certificate for
- Navigate to the Settings tab and ensure the Delivery Domains are present. You may have multiple subdomains in this list and have the option to cover all of them with the EdgeSSL Certificate. (your Edge Address will be here by default)
- Return to the site Settings and request the free SSL from the EdgeSSL tab by clicking the Create Certificate button, and then Generate on the following screen. (We recommend setting the Minimum TLS version to 1.2)
- Select the domains you wish to generate an SSL Certificate. You may cover any of the Delivery Domains in this list, or add more. Once you select the domains you want to be covered, select Continue to Validation.
From here, there are a couple of different methods you can use to validate the SSL:
Select your preferred method, then click Create Certificate
Using DNS Record Validation
This is our recommended method for full-site integrations of existing websites. This way the SSL certificate can be requested and activated before switching your DNS records, avoiding potential downtime.
The EdgeSSL certificate can use a DNS challenge to validate ownership of a domain. In a DNS challenge, we create a special DNS record using the values in Step 1 below. The system then queries for this record. Once the record is detected, the certificate will be shown as Trusted.
This is an automatic process if you have already integrated the StackPath DNS. If you are using a different DNS provider, we recommend that you complete the following steps quickly to avoid a long wait for validation.
If you are issuing the EdgeSSL for more than one domain, e.g. yourdomain.com and yourdomain.net, you will need to create the record for each domain in their respective DNS Manager.
- Once we have completed Requesting the Certificate, we see the values needed to create our DNS Validation record.
Example of Validation record:
- Upon creating the CNAME, click I've configured my DNS. Continue. Your request will be checked for verification and final CA Signing and should show as trusted within a few minutes
Checking the Validation
There are occasions in which the system takes some time to validate the certificate. We can check our work, and make sure that the DNS record we created was not the issue by using a tool like WhatsMyDNS
- Navigate to the EdgeSSL Tab of your Site and click the link to get back to the page with your CNAME values:
- Perform a CNAME check on WhatsMyDNS with the name text as a subdomain.
- Our example site is stackpathsupport.com
- The text we copied was _a06d9972047fa947714ced2931d3775b
- We will check for _a06d9972047fa947714ced2931d3775b.stackpathsupport.com
- If we see records returning as below, then we know the record is correct.
- If we do not see anything as below, then we may need to make sure the record was formatted correctly or that we are checking for the correct record. We also might just need to wait a little longer, perhaps due to a TTL issue.
If you run into any problems completing the validation of your SSL Certificate, please feel free to reach out to Support at any time.
Using HTTP Validation
This method works well for generating SSL certificates for custom subdomains on static asset integrations and for new sites which do not have heavy traffic yet.
The DNS records for the covered delivery domains have to be pointed at StackPath before the SSL can be validated. This means that there will be a brief period of Bad SSL warnings on those domains.
The other method of requesting a Free EdgeSSL is HTTP verification. With the DNS record for the site pointing to StackPath's IP address (whether via A record or CNAME), our CDN will serve an HTML file upon request from Sectigo verifying ownership of the domain.
- Once we have completed Requesting the Certificate, we see the directions for pointing DNS records at StackPath. Ensure that each of your covered delivery domains have records. As an example:
- A Record pointing stackpathsupport.com -> 18.104.22.168
- CNAME pointing www.stackpathsupport.com -> f5i4h7q3.stackpathcdn.com
StackPath SSL certificates are generated for 90 days at a time and automatically renewed 30 days before expiration.
For automatic renewal to take place, you must point the DNS of each of the domains you select at StackPath - To add additional domains, add a Delivery Domain on the Settings page.