This document outlines the certificate provisioning configuration on the Console. This process is done in the following situations:
- To prevent API calls to SAP Customer Data Cloud resources from being considered as 3rd Party (and their subsequent blocking on some browsers).
- When configuring SSO using a Central Login Domain architecture.
For this solution to work effectively, every site connected to the API Key needs to use a Domain Prefix with an SSL Certificate connected to it. Whenever a new site or subdomain is added to the API key's list of Trusted Site URLs on the Site Settings page of the Console, this certificate must be re-generated and domain ownership re-verified for all subdomains.
SSL certificate provisioning is only available for the US, EU and AU data centers.
Important First Steps
A few things need to be completed prior to creating a Domain Prefix in the Console.
- Ensure that all currently used subdomains are listed in the Trusted Site URLs section of the Site (API Key) the certificate will be created on, in the Site Settings page of the Console.
- Decide on the domain prefix you will be using for all of the subdomains.
Open the Certificate Provisioning page of the Console, click Generate New Certificate and enter the prefix you wish to use, under API domain prefix. Then, create CNAME records for all of the proxy URLs, pointing to the sslproxy listed in the info box of that page in the following structure: <siteID>.gigya-api.com.
Your Site ID is listed after the site name in the Sites page of the Console.
- Open the Certificate Provisioning page of the Console.
- Click Generate New Certificate.
- Enter the API domain prefix, which will be prepended to all the subdomains in the list. The resulting subdomains, including the prefix, will be the CNAME aliases used when creating CNAME records.
- Choose the domain control validation method:
  - Email: validation emails will be sent out, based on WHOIS information registered for these domains.
  - DNS: the domain will be validated based on DNS registration information.
- Click Generate.
If everything is set up correctly, on the Certificate Provisioning page you will see the details of the request.
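The naming rule in the steps above can be checked against your DNS zone before and after generating the certificate. The following is an added example, not part of the original documentation or of SAP's tooling: it derives the expected CNAME aliases from the Trusted Site URLs and reports aliases that are missing or point somewhere other than the proxy target. Assumptions: the prefix is joined to each domain as a leading DNS label, and the prefix `login`, the Site ID `1234567`, the domains and the zone lines are all constructed sample values.

```python
# Added example: all names and records below are constructed sample data.

def norm(name: str) -> str:
    """Lower-case a DNS name and drop the trailing root dot for comparison."""
    return name.strip().rstrip(".").lower()

def expected_aliases(prefix: str, trusted_domains: list[str]) -> list[str]:
    """Assumption: the prefix becomes the leading label of each trusted domain."""
    return [f"{norm(prefix)}.{norm(d)}" for d in trusted_domains]

def parse_cnames(zone_text: str) -> dict[str, str]:
    """Collect 'name [ttl] [IN] CNAME target' lines (fully qualified names only)."""
    records = {}
    for line in zone_text.splitlines():
        fields = line.split(";", 1)[0].split()      # strip zone-file comments
        upper = [f.upper() for f in fields]
        if "CNAME" in upper:
            i = upper.index("CNAME")
            if i >= 1 and i + 1 < len(fields):
                records[norm(fields[0])] = norm(fields[i + 1])
    return records

def audit(prefix, trusted_domains, proxy_target, zone_text):
    """Return {alias: status}; status is 'ok', 'missing' or 'wrong-target:<seen>'."""
    records = parse_cnames(zone_text)
    report = {}
    for alias in expected_aliases(prefix, trusted_domains):
        seen = records.get(alias)
        if seen is None:
            report[alias] = "missing"               # validation cannot complete
        elif seen == norm(proxy_target):
            report[alias] = "ok"
        else:
            report[alias] = f"wrong-target:{seen}"  # stale or mistyped record
    return report

# Constructed sample zone: one correct alias, one stale alias, one unrelated record.
SAMPLE_ZONE = """
login.example.com.       300 IN CNAME 1234567.gigya-api.com.
LOGIN.shop.example.com.  300 IN CNAME old-proxy.example.net.   ; stale target
www.example.com.         300 IN A     192.0.2.10
"""
TRUSTED = ["example.com", "shop.example.com", "blog.example.com"]

if __name__ == "__main__":
    result = audit("login", TRUSTED, "1234567.gigya-api.com", SAMPLE_ZONE)
    for alias, status in result.items():
        print(f"{alias:28} {status}")
```

Re-run the same check whenever a site or subdomain is added to the Trusted Site URLs, since the certificate must then be re-generated for all subdomains.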
Email Verification (Deprecated)
The ability to choose Email verification has been deprecated in favor of DNS verification. This decision was made due to the amount of overhead placed upon clients when needing to verify many sites when new certificates are generated.
Anyone currently using email verification may continue to do so; however, the option will no longer be selectable in the Certificate Provisioning configuration for new certificates. Any client that needs to generate a new certificate and continue to use Email verification will need to open a support ticket.
If you chose email verification, emails will be sent to the following 5 addresses:
In addition to the above default addresses, if the WHOIS information is publicly available, an attempt will also be made to send emails to the domain's Registrant, Technical Contact, and Administrative Contact.
The verification emails will come from Amazon Certificates (firstname.lastname@example.org) and their subject will be "Certificate approval for <Your-Domain-Name>".
For additional information, see https://aws.amazon.com/certificate-manager/faqs/#email_validation.
If you need to resend verification emails for any of the subdomains, you can click the icon next to the appropriate entry and confirm the email resend.
When choosing DNS Validation, you will be provided a CNAME record that must be installed on all domains in the certificate; once it is verified, the provisioning will continue. For more information, see Amazon's Documentation.
If certificate creation fails, the failure is noted on the Certificate Provisioning page, along with the reason it did not complete.
Finalizing The Certificate
Once the certificate is created and active, add the Prefix to the Site Settings page of the Console.
Be sure to press the Save Settings button at the bottom right of the Site Settings page.
Setup of the SSL Certificate is now complete.