Overview
You can use this document to learn how to create and manage SSL certificates.
By default, when you create a site, StackPath automatically creates a default SSL certificate to cover the Edge Address associated with the site. You can use the Edge Address for Static Asset Integrations for secure delivery from the CDN.
In certain cases of Static Asset Integration, you will be required to include the protocol to rewrite URLs. In those cases, you must use https:// as the protocol for secure content delivery.
Add a custom SSL certificate to an existing Site
You can use these instructions to add your own (or third-party) SSL certificate, private key, and CA bundle via a shared IP address and SNI to an existing DNS zone. (If you have not already created a DNS zone, see Setting up StackPath DNS.)
Your SSL certificate can be a SAN certificate to include multiple domains or subdomains.
Before you begin, make sure you have the following information available:
| A certificate (also known as a public key) | This key is sent to visitors and is used as the initial key for data encryption. |
| A private key | This key is used to decrypt information that was encrypted by the public key. |
| A certificate authority bundle | This bundle is sent from a Certificate Authority and is used to verify the validity of your SSL certificate. |
At a high level, to upload a certificate, you will need to:
- Upload the keys and CA bundle
- Add your delivery domain
- Change the DNS records for the delivery domain
- In the StackPath Control Portal, in the left-side navigation menu, click Sites.
- Locate and select your site.
- In the left-side navigation menu, click EdgeSSL.
- Next to Custom Delivery Certificate, click Create Certificate.
- Under Upload a Certificate, click Upload.
- Enter, paste, or upload the certificate, private key, CA bundle, and then click Save.
- In the left-side navigation, under Sites, click Settings.
- In Delivery Domains, click Add Delivery Domain.
- Enter the name of the domain covered by the newly added certificate, and then click Add.
- Note: Your certificate should cover all delivery domains and subdomains you intend to integrate with StackPath. If your certificate does not, then it will not allow HTTPS traffic unless you’ve added additional certificates to cover these domains or subdomains.
- In the top, right corner of the Settings screen, copy the Site's Edge Address. You will need this information later.
- Access your DNS provider, and locate your records. Create a new record or update an existing record for your custom subdomain.
- For Record, select CNAME.
- For Name, enter CDN.
- For Value, paste the site's Edge Address you copied earlier.
- For TTL, select Automatic or the lowest value.
Changes may take 24 hours to propagate. Once DNS settings have propagated, the custom delivery domain can safely be used in place of the Edge Address for any static asset integration.
As an optional step, you can use www.whatsmydns.net to check the propagation status of your subdomain.
For more information, please see How-To Use the StackPath Edge Address.
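A pre-upload check for the certificate, private key, and CA bundle described above, covering the key match, the chain, and the Note about delivery-domain coverage. This is an added example, not StackPath tooling; it assumes the OpenSSL command line (1.1.1 or later), and the function names and file paths are hypothetical.

```shell
#!/bin/sh
# Added example: pre-upload checks for a custom certificate with the openssl CLI.
# Function and file names are hypothetical; this is not StackPath tooling.

# Succeeds only if KEY is the private key for the public key inside CERT.
key_matches_cert() {  # usage: key_matches_cert CERT KEY
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Prints each delivery domain that the certificate's names do NOT cover.
# -checkhost applies standard hostname matching: *.example.com covers
# cdn.example.com, but neither example.com nor a.b.example.com.
uncovered_domains() {  # usage: uncovered_domains CERT DOMAIN...
    crt=$1; shift
    for domain in "$@"; do
        openssl x509 -in "$crt" -noout -checkhost "$domain" 2>/dev/null |
            grep -q 'does match certificate' || printf '%s\n' "$domain"
    done
}

# Succeeds if CERT chains to the CA certificates in BUNDLE.
chain_verifies() {  # usage: chain_verifies CERT BUNDLE
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# Constructed sample input: a throwaway self-signed certificate that serves as
# its own CA bundle, so the checks can be tried offline.
make_sample() {  # usage: make_sample DIR NAME SAN
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$2" \
        -addext "subjectAltName=$3" \
        -keyout "$1/$2.key" -out "$1/$2.pem" >/dev/null 2>&1
}

# Stand-alone use: sh precheck.sh cert.pem key.pem bundle.pem domain [domain...]
if [ "$#" -ge 4 ]; then
    cert=$1 key=$2 bundle=$3; shift 3
    key_matches_cert "$cert" "$key" || echo "private key does not match certificate"
    chain_verifies "$cert" "$bundle" || echo "certificate does not verify against bundle"
    uncovered_domains "$cert" "$@" | sed 's/^/not covered: /'
fi
```

`openssl verify -CAfile` treats every certificate in the bundle file as a trust anchor, so this confirms that the bundle links to the certificate, not that the bundle itself comes from a publicly trusted CA.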
Add a free SSL certificate to an existing Site
You can use these instructions to obtain a free SSL certificate generated by StackPath.
StackPath offers a free SSL certificate to help protect your web traffic through your site's domain. This certificate will cover any domain or subdomain listed in the Delivery Domains table.
We highly recommend covering all Delivery Domains with either our free SSL certificate, or a custom one.
StackPath SSL certificates are generated for 90 days at a time and are automatically renewed 30 days before the expiration date. To automatically renew your certificate, your domain must point to the CDN.
You can use this document to learn how to request and validate the Free StackPath SSL Certificate and deliver your content over HTTPS.
Note: To use an SSL certificate to cover a wildcard domain, see Learn About Wildcard SSL Certificates.
Step 1: Request the certificate
- In the StackPath Control Portal, in the left-side navigation, click Sites.
- Locate and select the desired site.
- In the left-side navigation, under Sites, click Settings.
- Under Delivery Domains, review the table to ensure that your domains are listed.
- You can only generate an SSL certificate for the domains listed in your Delivery Domains table.
- For example, if your site is yourdomain.com, then ensure that yourdomain.com and www.yourdomain.com are listed. StackPath recommends that the SSL certificate covers these two domains.
- If you have additional subdomains for your site, then you can add them to this list. To add a domain, click + Add Delivery Domain, enter your domain, and then click Save.
- In the left-side navigation, under Sites, click EdgeSSL.
- Next to Custom Delivery Certificate, click Create Certificate.
- Under Free Dedicated Certificate, click Generate.
- Under Delivery Domains, mark all the domains to add to the certificate, and then click Continue to Validation.
- Note: At this point, the certificate will begin to provision. If you navigate away from this screen, you will not be able to complete the process. As a result, you will need to delete the pending certificate, and begin this process again. To delete a pending certificate, in the EdgeSSL screen, next to Free Dedicated Certificate / Pending, click the ellipsis on the right, click Delete, and then click Delete again.
- Your selected domains must point to StackPath so that StackPath can verify ownership for the selected domains.
Click Show Instructions to follow the on-screen instructions for the desired validation option.
There are two validation options:
- With DNS Challenge Validation, you will create a CNAME record on your domain's DNS with a StackPath-generated string. StackPath will verify the record and then issue the SSL certificate.
- With HTTP Request Validation, you will create a CNAME record to point your domains to your Site's edge address. StackPath will verify the domains' ownership through an HTTP request.
- When you have updated your DNS settings, click I've Configured my DNS. Continue.
Step 2: Review the validation
There are occasions where StackPath may take some time to validate the certificate. To avoid a delay, you can verify that the DNS records were created correctly.
- Access https://www.whatsmydns.net/.
- In the field, enter your DNS URL.
- To locate your DNS URL, in the portal, next to Verify Domain Ownership, click Show Instructions. In the table under DNS Challenge Validation, copy the information under the Name column. The Name will be similar to _acme-challenge.yourdomain.com.
- In the whatsmydns page, select CNAME.
- Click Search.
- A successful return will display green checkmarks, along with the StackPath-specific domain name listed in the portal.
- An unsuccessful return will display a red x. To troubleshoot, make sure you copied the correct value. Additionally, you may need to wait for the newly created DNS record to fully propagate, which can take up to 24 hours to complete.
- Repeat these steps for every entry in the table.
If you add any additional Delivery Domains or subdomains, then you will need to delete your free SSL certificate and generate a new one to cover these new domains.