Automatic provisioning of SSL certificates

 


Introduction

If you are using a custom domain name for the cloud version of our service and your DNS is configured according to our best practice, we can provide a valid SSL certificate for your URL that is renewed automatically. In this article, we describe how this works and what the requirements are for using this service.

 

How we can provide a valid certificate for your domain

To get a valid SSL certificate for your URL, you need to prove to the Certification Authority (CA) that you are the owner of that domain name. There are multiple ways to do that, and one of them is HTTP validation. With HTTP validation, the CA provides you with a specific file to place on your webserver. If the CA then checks your URL and finds that file on your webserver, it is considered proof that you are the owner of that domain. If you weren’t the owner, you wouldn’t be able to point that URL to your webserver.

When you request a custom domain name for your Workspace 365 instance, environment or CRDP gateway, we require you to create a CNAME DNS record that points to a DNS record in one of our domains. By doing so, you automatically point visitors of your URL to our webservers. Those visitors include the Certification Authority from which we request the SSL certificate, and this is how we can request a certificate for your URL. Note that this only works for the URLs that you point to our domains, not for any other addresses.

 

Automatic renewal

For both Workspace 365 and Clientless RDP we offer solutions where we provide a valid certificate which is automatically renewed when necessary.

You can verify if we manage the SSL certificate for your environment or Clientless RDP gateway by entering the URL in an SSL checker:

  • Workspace environment: certificate should be issued by Cloudflare, Inc
  • Clientless RDP gateway: certificate should be issued by R3, Let's Encrypt and should be valid for 90 days

 

Requirement when using CAA records

The following information is only relevant if you use CAA records for your domain, or are planning to do so. If you do not currently use CAA records, you do not have to start using them to benefit from this service.

When you own a domain name, you can restrict which Certification Authorities are allowed to provide SSL certificates for your domain. This is done with so-called CAA records, in which you specify the domains of certain authorities. CAA records restrict which authorities can provide an SSL certificate for your domain, so without CAA records there is no restriction on the authorities that can be used.

If you use CAA records for your domain, we require you to include the identifying domains of the authorities we use. You can do this at the domain level or at the subdomain level.

To verify if a domain has a CAA record active, you can use DNS CAA Tester.

We require the following CAA records:

0 issue "digicert.com"
0 issue "pki.goog"
0 issue "letsencrypt.org"
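
The following Python example is added here and is not part of the original article or the vendor's tooling. It checks whether the CAA record set that applies to a hostname authorizes the three issuers listed above, using the RFC 8659 rule that the closest name at or above the hostname with CAA records decides. The hostname, the zone data and the function names are assumptions; the data is constructed, no DNS queries are made, and CNAME handling is not modelled.

```python
# Added example. Zone data below is constructed; no DNS queries are made.
REQUIRED = {"digicert.com", "pki.goog", "letsencrypt.org"}  # from the article

def relevant_caa_set(fqdn, zone):
    """Return (owner, records) of the closest name at or above fqdn that has
    CAA records: the RFC 8659 tree climb. (None, []) if there are none."""
    labels = fqdn.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        name = ".".join(labels[i:])
        if zone.get(name):
            return name, zone[name]
    return None, []

def allowed_issuers(records):
    """Issuer domains named by 'issue' properties; None means unrestricted
    (no 'issue' property in the set). An empty set means nobody may issue."""
    values = [v for _flags, tag, v in records if tag.lower() == "issue"]
    if not values:
        return None
    # Drop optional ';param=value' suffixes; 'issue ";"' yields no domain.
    return {d for d in (v.split(";", 1)[0].strip().lower() for v in values) if d}

def missing_issuers(fqdn, zone, required=REQUIRED):
    """Return (owner of deciding record set, required issuers not authorized)."""
    owner, records = relevant_caa_set(fqdn, zone)
    allowed = allowed_issuers(records)
    return owner, (set() if allowed is None else set(required) - allowed)

HOST = "portal.apps.example.com"  # hypothetical custom hostname
ARTICLE_SET = [(0, "issue", ca) for ca in sorted(REQUIRED)]

# Constructed zone: CAA only at the domain level, naming another CA.
APEX_ONLY = {"example.com": [(0, "issue", "ca.example.net")]}
# Same zone, plus the article's records at the subdomain level.
WITH_SUBDOMAIN = {**APEX_ONLY, "apps.example.com": ARTICLE_SET}

if __name__ == "__main__":
    cases = [("apex only", APEX_ONLY), ("with subdomain", WITH_SUBDOMAIN), ("no CAA", {})]
    for label, zone in cases:
        owner, missing = missing_issuers(HOST, zone)
        print(f"{label}: decided at {owner}, missing {sorted(missing) or 'none'}")
```

The subdomain record set replaces the domain-level set for every name beneath it; the two sets are not merged.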
