SSL Certificate Upload
MAS allows you to upload your SSL key and certificate to your configuration. In combination with the CNAME feature, you can provide SSL encryption for your own domain.
You will need an SSL key and certificate signed by a certificate authority (CA). Typically your certificate authority will send you a set of files. One of them is the SSL certificate private key file, the other one is the SSL public certificate file. Some certificate authorities, however, might also provide a public certificate bundle file containing multiple public certificates (a certificate chain). The private key and public certificate files are usually in PEM format. These are plain ASCII text files which you can open with any text editor. Private key files will contain something like the following:
-----BEGIN PRIVATE KEY-----
ENCRYPTED PRIVATE KEY
-----END PRIVATE KEY-----
Public certificate files will contain one or more of the following text:
-----BEGIN CERTIFICATE-----
ENCRYPTED PUBLIC CERTIFICATE
-----END CERTIFICATE-----
- Log in to your MAS account and, under "Configurations", choose "Static Content".
- Click on "Configurations" in the top menu.
- Click on the configuration you wish to add the SSL certificate to.
- Click on "Settings" in the left menu.
- Change the SSL dropdown box selection to "SSL only (HTTPS+SPDY only)".
- Copy and paste the contents of your private key file into the "SSL Key" field.
- Copy and paste the contents of your public certificate file or public certificate bundle file into the "SSL Certificate" field.
- In the "Do you want to use your own domain name?" field, enter the domain name you want to use with your certificate. This is typically the common name (CN) of your certificate. If your CN is a wildcard (*.example.com), you can enter any domain name that matches your wildcard CN.
- Save your configuration. Activate it if it is not already activated.
- Modify your domain's DNS record: create a CNAME record for the domain name you entered in step 6 and set it to point to your configuration's Griffin MAS subdomain (e.g., ssl-t1.griffinmas.com). Note that you might have to wait until your DNS changes have propagated across all the DNS servers. This can take anywhere between 1-8 hours.
We use a method called SNI (Server Name Indication) to allow multiple SSL certificates to be used. This is a relatively new extension to TLS. Some very old web browsers may not support this feature and will get our default Griffin MAS SSL certificate instead of your uploaded certificate. However, at the time of writing, almost all modern browsers, including those on mobile (Android Honeycomb or later, iOS 4.0 or later), already support SNI. SNI is also supported on Internet Explorer 7 and onwards.
You must use a CNAME that matches your SSL certificate Common Name. If there is a mismatch between your CNAME and your certificate's Common Name, the browser will issue a warning about this error.
Some certificate authorities issue SSL certificates that require chaining with intermediate and root CA certificates in order to validate properly. If your CA provided you with this type of certificate, you may need to take additional steps to create what's called a certificate bundle that you can copy and paste. Your CA should either provide you with instructions on how to perform this step or have already provided a certificate bundle ready to use.
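A check you can run locally before pasting into the "SSL Key" and "SSL Certificate" fields, given here as an added example that is not part of MAS or its documentation: it confirms that the key field holds exactly one private key block, that the certificate field (single certificate or bundle) holds only CERTIFICATE blocks so a private key is never pasted there by mistake, and that the domain you plan to enter is covered by the CN. It inspects PEM structure only and does not parse the certificate contents, so you supply the CN yourself; the function names and the sample blocks are constructed for illustration.

```python
import base64
import re

# One PEM block; the END label must repeat the BEGIN label.
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.DOTALL)


def pem_blocks(text):
    """Return [(label, der_bytes)] for each PEM block; ValueError if a body is malformed."""
    blocks = []
    for label, body in PEM_BLOCK.findall(text):
        der = base64.b64decode("".join(body.split()), validate=True)
        if not der.startswith(b"\x30"):  # DER keys and certificates open with a SEQUENCE tag
            raise ValueError(f"{label}: body is not DER")
        blocks.append((label, der))
    return blocks


def check_fields(key_text, cert_text):
    """Return a list of problems with the two pasted fields (empty list means none found)."""
    try:
        keys, certs = pem_blocks(key_text), pem_blocks(cert_text)
    except ValueError as exc:  # binascii.Error from b64decode is a ValueError too
        return [f"malformed PEM: {exc}"]
    problems = []
    if len(keys) != 1 or not keys[0][0].endswith("PRIVATE KEY"):
        problems.append("SSL Key field must hold exactly one private key block")
    if not certs:
        problems.append("SSL Certificate field holds no certificate")
    if any(label != "CERTIFICATE" for label, _ in certs):
        problems.append("SSL Certificate field holds a non-certificate block")
    return problems


def matches_cn(domain, cn):
    """True if domain is covered by cn; '*' stands for exactly one leftmost label."""
    d = domain.lower().rstrip(".").split(".")
    c = cn.lower().rstrip(".").split(".")
    if len(d) != len(c):
        return False
    return d[1:] == c[1:] and ((c[0] == "*" and d[0] != "") or d[0] == c[0])


def sample_pem(label):
    """Constructed placeholder block (a 5-byte DER SEQUENCE), not a real key or certificate."""
    body = base64.b64encode(b"\x30\x03\x02\x01\x00").decode()
    return f"-----BEGIN {label}-----\n{body}\n-----END {label}-----\n"
```

Note that a wildcard CN such as *.example.com covers www.example.com but neither example.com itself nor a.b.example.com.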