Overview
Secure connections to your CIMcloud website are provided via an industry-standard TLS Certificate (also referred to as an “SSL certificate”), which encrypts communication between people’s web browsers and the website.
You can confirm the connection is secure if the URL starts with “https://” and your web browser displays a lock icon in the address bar.
Certificate Setup and Management
The TLS certificate is included as part of your CIMcloud website and is provisioned, renewed, and managed by the CIMcloud platform. You do not need to purchase or manage the certificate while CIMcloud is hosting the website.
For most domains, no additional setup is needed. However, if any of the complex scenarios below applies to your domain, you will need to make some DNS changes. Your DNS provider can provide specific instructions for doing this if you are unsure of the steps required.
Check each scenario to see if your domain requires additional setup.
Complex Scenario A: Domain is hosted by Network Solutions and DNSSEC is enabled
How to check your domain:
- Go to https://lookup.icann.org/ and look up your custom domain (ex: mydomain.com)
- If ALL of these conditions are met then follow the “Additional DNS Setup” steps:
  - Under “Nameservers”, if you see “WORLDNIC.COM” then Network Solutions is hosting the domain
  - Under “DNSSEC Information”, if you see “Delegation: Signed” then DNSSEC is enabled
Additional DNS Setup:
- You will need to access the DNS hosting provider for the custom domain
- In DNS for the website domain, create an additional CNAME for your domain.
  - Create a record for domainname.com (non-www)
    - Type: CNAME
    - Host / Name: _acme-challenge
    - Value / Points To: _acme-challenge.cimcloud.com.
    - TTL: 60 seconds
  - Create a record for www.domainname.com (needed unless you are using a subdomain)
    - Type: CNAME
    - Host / Name: _acme-challenge
    - Value / Points To: _acme-challenge.cimcloud.com.
    - TTL: 60 seconds
Complex Scenario B: Domain is using an existing Certification Authority Authorization (CAA) DNS record and required issuer is missing
How to check your domain:
- Go to a CAA tester such as https://caatest.co.uk/ and look up your custom domain (ex: mydomain.com)
- If the record is missing, this scenario does NOT apply and there is no additional CAA setup needed.
- To check that the existing record has the required issuer:
  - If “Complex Scenario A” above applies (and you will be using the _acme-challenge CNAME records)
    - [issue “sectigo.com”] must be listed
  - Otherwise
    - [issue “letsencrypt.com”] must be listed
- If the issuer is missing you will need to follow the “Additional DNS Setup” steps below
Additional DNS Setup:
- You will need to access the DNS hosting provider for the custom domain
- In DNS for the website domain, edit the CAA record and add the missing issuer identified above to allow the issuance of non-wildcard certificates.
- To test the CAA changes, go to https://caatest.co.uk/, enter your website domain, and verify that the issuer is now included.
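
The Scenario B check can also be scripted. The following is an added example, not CIMcloud's own code: it takes CAA answer lines in `dig +short CAA` form (embedded here as constructed sample data) and reports whether the issuer this page requires is permitted for a non-wildcard certificate. The function names are illustrative, and the issuer strings are copied from this page as written.

```python
import shlex

def required_issuer(nameservers, dnssec_signed):
    """Page's rule: Scenario A (Network Solutions + DNSSEC) needs sectigo.com,
    every other domain needs letsencrypt.com (both values as given on this page)."""
    on_netsol = any(ns.upper().rstrip(".").endswith("WORLDNIC.COM") for ns in nameservers)
    return "sectigo.com" if (on_netsol and dnssec_signed) else "letsencrypt.com"

def parse_caa(lines):
    """Parse '<flags> <tag> "<value>"' lines into (tag, issuer_domain) pairs.
    Parameters after ';' are dropped; an empty domain (issue ";") means 'no CA'."""
    records = []
    for line in lines:
        parts = shlex.split(line)
        if len(parts) != 3:
            continue  # not a CAA answer line
        _flags, tag, value = parts
        issuer = value.split(";", 1)[0].strip().lower().rstrip(".")
        records.append((tag.lower(), issuer))
    return records

def caa_status(lines, issuer):
    """Return 'unrestricted', 'allowed' or 'missing' for a non-wildcard certificate.
    Only 'issue' records count here; 'issuewild' applies to wildcard names only."""
    issue = [dom for tag, dom in parse_caa(lines) if tag == "issue"]
    if not issue:
        return "unrestricted"  # no issue records: Scenario B does not apply
    return "allowed" if issuer.lower() in issue else "missing"

# Constructed sample: a domain that already pins a different CA.
SAMPLE = [
    '0 issue "digicert.com"',
    '0 issuewild "sectigo.com"',
    '0 iodef "mailto:security@mydomain.com"',
]

if __name__ == "__main__":
    need = required_issuer(["NS1.WORLDNIC.COM", "NS2.WORLDNIC.COM"], dnssec_signed=True)
    print(need, caa_status(SAMPLE, need))
```

In the sample, the `issuewild` entry does not satisfy the check, so the result is `missing` and the CAA record needs an additional `issue` entry.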