Obtaining and Setting Up Your SSL Certificate


Overview

To use a custom CNAME and avoid browser warnings related to third-party cookies, Gigya can act as a client proxy for your site. To do so, Gigya uses an SSL certificate issued to your subdomain to encrypt your users' information transmitted during social login. A general overview of the process can be found in our 3rd Party Cookies documentation; the following is a more detailed explanation.

Before You Set Up Your Certificate:

For this solution to work effectively, every site connected to the API Key needs to use a Domain Prefix with an SSL Certificate connected to it. Whenever a new site or subdomain is added to the API key's list of Trusted Site URLs on the Site Settings page of the Gigya Console, this certificate must be re-generated and domain ownership re-verified for all listed subdomains.

  1. Ensure that all domains and subdomains needed for the API key are listed correctly in the Trusted Site URLs section of the Site Settings page in the Gigya Console.
  2. Determine the Prefix (alias) that will be used for all the Trusted URLs of your site (e.g., login.yoursite.com or social.yoursite.com) as the CNAME.
  3. Contact your Implementation Consultant to receive the Site ID of whichever API key you are setting up the SSL Certificate for and to make sure that they have the correct Prefix that you defined above.
  4. Create a CNAME alias in your DNS record for each of the listed sites using the pre-defined Prefix and point them to <siteID>.gigya-api.com.

Why an SSL Certificate?

There are a number of reasons:

  1. Using a CNAME (and certificate) instead of socialize.gigya.com allows you to preserve the site branding and user experience that you've invested so much time and effort in.
  2. Without one, every time your user is redirected from login.yoursite.com to Gigya's servers, their browser will warn them with a security message. Using an SSL certificate verifies that the redirect to Gigya's servers is a trusted process, thus eliminating this security popup for your site visitors.
  3. Using an SSL certificate also ensures that data transmitted to and from the browser is encrypted, reinforcing trust between you and your visitors and helping to prevent man-in-the-middle attacks.

A Few Notes About Certificates

  1. Gigya can obtain a certificate on your behalf as part of your subscription. When we do, we use Comodo.
  2. For the best user experience possible, we require a SAN certificate.
  3. For security reasons, Gigya will not install wildcard SSL certificates.
  4. Gigya does offer Multi-Domain certificates under certain circumstances.

What Is A Multi-Domain Certificate?

A multi-domain certificate is an SSL certificate that can be used for multiple (pre-defined) domains, e.g., myfirstsite.com, mysecondsite.net and subdomain.mythirdsite.mobi. Multi-domain certificates differ from wildcard certificates in that a wildcard certificate can be used for all sub-domains of a single FQDN without defining what those URLs may be beforehand (e.g., *.mysite.com), whereas a multi-domain certificate can be used for multiple FQDNs (up to 100 unique URLs per certificate). Gigya does not support wildcard certificates due to security issues that can arise from not pre-defining the authorized URLs.

A multi-domain certificate would be best used if your company has multiple TLDs, i.e., .net, .com, .co.uk, etc.

Obtaining and Installing the Certificate

There are several steps required in order to obtain an SSL certificate.

If you are using track 1, where Gigya will purchase and host your certificate, once you have given the necessary data to your Implementation Consultant you will only need to verify the emails that are sent to each of the official email addresses associated with each of the trusted domains. Once verification is complete for all domains, your SSL certificate will be automatically installed.

  1. For tracks 2 and 3, a CSR (certificate signing request) is generated and submitted to a Certificate Authority (CA).
     1. If Gigya is generating the CSR for you (Track 2, below), contact your Implementation Consultant and provide us with your CSR data:
        1. The 2-character (ISO) Country Code of the location of your website/company (e.g., US / CA).
        2. The state or province it is located within (e.g., California / British Columbia).
        3. The locality name of the location (e.g., Los Angeles / Vancouver).
        4. The organizational unit name of the company (e.g., IT or Support).
        5. The CNAME you set up above.
        6. An email address for the person who controls the domain the CNAME is located on and for which the SSL certificate will be installed; for domain ownership verification, this email address must be listed in the domain's WHOIS information.
  2. Domain verification is performed by the Certificate Authority to ensure that you own the domain listed in the certificate. Gigya only supports verification via email.

     Important: Gigya only supports domain verification by email via pointing your new CNAME to <siteID>.gigya-api.com.

  3. The CA signs your certificate with their intermediate certificate(s), and sends the intermediate certificate(s) and your certificate for installation.


There are three different procurement tracks that Gigya supports, as illustrated below:

Regardless of track chosen, the SSL certificate must be installed on Gigya's Server.


CSR Data For Flows 2 and 3

CSR data is made up of the following:

Data                                        Example
Country Name (two-letter ISO)               US
State or province name (full)               California
Locality name (e.g., city)                  Mountain View
Organizational unit name (e.g., section)    IT
Your CNAME                                  login.yoursite.com
SSL contact email                           support@gigya.com
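For tracks 2 and 3 the CSR data above ends up in a real signing request, and the "SAN certificate, no wildcards" rules from the notes above are easiest to enforce before the CSR ever reaches the CA. The script below is an added example written for this page, not Gigya's own tooling: it builds a CSR from the CSR data table, adds one DNS SAN per trusted CNAME host, then re-reads the CSR to confirm that every expected host is present and that no wildcard entry crept in. It assumes an OpenSSL command-line binary is installed; the hostnames other than login.yoursite.com are constructed samples, and the key and CSR are written to a temporary directory.

```shell
#!/bin/sh
# Added example (not Gigya's code): generate a Track 3 CSR from the CSR data
# table with SAN entries for each trusted CNAME host, then sanity-check it.
# Assumes: openssl on PATH. Hostnames other than login.yoursite.com are constructed.
set -eu

WORKDIR="${WORKDIR:-$(mktemp -d)}"

# Subject fields mirror the CSR data table; CN is the CNAME prefix host.
COUNTRY="US"
STATE="California"
LOCALITY="Mountain View"
ORG_UNIT="IT"
CNAME_HOST="login.yoursite.com"
# One SAN per trusted site URL's CNAME host (constructed sample list).
SAN_HOSTS="login.yoursite.com login.yoursite.co.uk login.yoursecondsite.net"

# write_csr_config: emits an openssl req config whose v3_req section carries the SANs.
write_csr_config() {
  cat > "$WORKDIR/csr.cnf" <<EOF
[req]
distinguished_name = dn
req_extensions = v3_req
prompt = no

[dn]
C  = $COUNTRY
ST = $STATE
L  = $LOCALITY
OU = $ORG_UNIT
CN = $CNAME_HOST

[v3_req]
subjectAltName = @alt_names

[alt_names]
EOF
  i=1
  for h in $SAN_HOSTS; do
    echo "DNS.$i = $h" >> "$WORKDIR/csr.cnf"
    i=$((i + 1))
  done
}

# generate_csr: creates a fresh 2048-bit RSA key plus the CSR; prints the CSR path.
# The private key stays with you (Track 3 sends it to Gigya only with the bundle).
generate_csr() {
  write_csr_config
  openssl req -new -newkey rsa:2048 -nodes \
    -keyout "$WORKDIR/cname.key" -out "$WORKDIR/cname.csr" \
    -config "$WORKDIR/csr.cnf" 2>/dev/null
  chmod 600 "$WORKDIR/cname.key"
  echo "$WORKDIR/cname.csr"
}

# csr_sans: prints the DNS SAN entries of a CSR, one per line, by parsing
# the human-readable "openssl req -text" dump.
csr_sans() {
  openssl req -in "$1" -noout -text \
    | sed -n '/Subject Alternative Name/{n;p;}' \
    | tr ',' '\n' | sed -n 's/^ *DNS://p'
}

# check_csr CSR HOST...: verifies every listed host is a SAN and that no
# wildcard entry is present. Prints "ok" or the problem; non-zero on failure.
check_csr() {
  csr="$1"; shift
  sans="$(csr_sans "$csr")"
  for want in "$@"; do
    echo "$sans" | grep -qxF "$want" || { echo "missing SAN: $want"; return 1; }
  done
  if echo "$sans" | grep -q '^\*'; then
    echo "wildcard SAN present; Gigya will not install wildcard certificates"
    return 1
  fi
  echo "ok"
}

# Usage: generate the CSR, then confirm it covers every trusted host.
CSR_PATH="$(generate_csr)"
check_csr "$CSR_PATH" $SAN_HOSTS
```

Run the check again whenever a site is added to the Trusted Site URLs list: a host missing from the SAN list is exactly the case the page warns about, where the certificate must be re-generated and ownership re-verified before the new subdomain will work through the proxy.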

Domain Verification For Flow 1

Once the CSR has been generated (flows 2 and 3 only), the domain verification process takes place. If you did not point your new CNAME to <siteID>.gigya-api.com (you can receive your siteID from your Implementation Consultant), or, if you are following Track 2 or 3, to client-proxy.<Data_Center_ID>.gigya.com, you will be asked to verify domain ownership via email. Once domain ownership has been established, the Certificate Authority will sign your SSL certificate and provide a certificate bundle.

Gigya only supports domain verification via email to the domain's registered contact addresses.

If you are following track 2 or 3 and purchasing the SSL certificate yourself, be sure your SSL certificate is compatible with Apache HTTP Server.

Installing the Certificate

For track 1, Gigya now has everything we need to install the certificate.

For track 2, you must now send the certificate bundle to Gigya for installation.

For track 3, you must now send the certificate bundle (including the intermediate certificate(s) and the private key) to Gigya for installation.

Detailed flow chart


The Custom Endpoint

For flow 1, Gigya will create a custom proxy endpoint dedicated to your CNAME in the form <siteID>.gigya-api.com. You can receive the Site ID when you contact your Implementation Consultant to discuss the Prefix you will be using as an alias so that you can update the CNAME in your DNS record correctly.

For flows 2 and 3, your proxy will be client-proxy.<Data_Center_ID>.gigya.com.

As always, please contact your Implementation Consultant with any questions you may have.