
Configuring Secure Connections with TLS Certificates (SSL Certificates)

Overview

Secure connections to your CIMcloud website are provided via an industry-standard TLS certificate (also referred to as an “SSL certificate”), which encrypts communication between people’s web browsers and the website.

You can confirm the connection is secure if the URL starts with “https://” and your web browser displays a lock icon in the address bar.

Certificate Setup and Management

The TLS certificate is included as part of your CIMcloud website and is provisioned, renewed, and managed by the CIMcloud platform. You do not need to purchase or manage the certificate while CIMcloud is hosting the website.

However, if you are using CAA DNS records, follow the steps in the following section.

Custom Domain DNS Configuration

1. (Optional Setup) Certification Authority Authorization (CAA) DNS Records

CAA records can be added to your custom domain’s DNS to restrict which certificate authorities can issue TLS certificates for your domain. They are not required for the CIMcloud platform, but they can be enabled for additional security of your domain.

If you choose to add CAA records to your domain, they must allow certificates to be issued by “letsencrypt.org”. Otherwise, CIMcloud cannot provision or renew certificates for your CIMcloud website. Follow these steps if you use CAA records:

  1. You will need to access the DNS hosting provider for the website’s custom domain.
  2. In DNS for the website domain, edit the CAA record and add letsencrypt.org to allow the issuance of non-wildcard certificates.
    1. Note: Your DNS provider can provide specific instructions for doing this if you are unsure of the steps required.
  3. To test the CAA changes, go to https://caatest.co.uk/, enter your website domain, and verify that [issue “letsencrypt.org”] is listed.
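
The check a certificate authority applies to these records can be reproduced offline. The following is an added example, not CIMcloud's or Let's Encrypt's code: it evaluates a CAA record set for a non-wildcard request using the rules in RFC 8659, and goes slightly beyond the steps above by also handling records on a subdomain such as www and the critical flag. The zones, `example.com`, and `ca.example` are constructed placeholders.

```python
# Added example: CAA evaluation for a non-wildcard request, following RFC 8659.
LETS_ENCRYPT = "letsencrypt.org"   # issuer identifier from step 2
KNOWN_TAGS = ("issue", "issuewild", "iodef")

def relevant_rrset(fqdn, zone):
    """Climb from fqdn toward the root; the closest name with CAA records wins."""
    labels = fqdn.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        name = ".".join(labels[i:])
        if zone.get(name):
            return name, zone[name]
    return None, []

def ca_may_issue(fqdn, zone, ca=LETS_ENCRYPT):
    """Return (allowed, reason). zone maps name -> [(flags, tag, value), ...]."""
    name, rrset = relevant_rrset(fqdn, zone)
    if not rrset:
        return True, "no CAA records found: any CA may issue"
    issuers, has_issue = [], False
    for flags, tag, value in rrset:
        tag = tag.lower()
        if tag == "issue":
            has_issue = True
            # Drop parameters such as "; validationmethods=http-01".
            issuers.append(value.split(";", 1)[0].strip().lower())
        elif flags & 128 and tag not in KNOWN_TAGS:
            return False, f"unrecognized critical tag '{tag}' at {name}"
    if not has_issue:
        return True, f"CAA at {name} has no issue tag: non-wildcard unrestricted"
    if ca in issuers:
        return True, f"{ca} is authorized at {name}"
    return False, f"{ca} is not in the issue tags at {name}: {issuers}"

# Constructed sample zones (example.com and ca.example are placeholders).
BEFORE = {"example.com": [(0, "issue", "ca.example")]}
AFTER = {"example.com": [(0, "issue", "ca.example"), (0, "issue", "letsencrypt.org")]}
SHADOWED = {**AFTER, "www.example.com": [(0, "issue", ";")]}

if __name__ == "__main__":
    for label, zone in (("before", BEFORE), ("after", AFTER), ("shadowed", SHADOWED)):
        print(label, ca_may_issue("www.example.com", zone))
```

The `SHADOWED` case shows why the test in step 3 should be run against the exact hostname the site uses: a CAA record set on www replaces the one on the parent domain rather than adding to it.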

Known Incompatibilities

1. Network Solutions DNS Hosting with DNSSEC Enabled

If your custom domain is hosted by Network Solutions, DNSSEC must be disabled in order to be compatible with the process used by CIMcloud to provision, renew, and manage your website’s certificate.

If you require DNSSEC, our recommendation is to move your DNS hosting to another provider that has a better implementation of DNSSEC. If that is not possible, then you will need to purchase a certificate once a year and provide it to CIMcloud. CIMcloud charges an additional annual fee for this service.

The reason for the incompatibility is that Network Solutions’ DNSSEC proof of non-existence for AAAA and CAA records fails DNSSEC resolver validation for non-root names (such as www.). In other words, there is no corresponding NSEC record to prove the absence of the missing AAAA and CAA records. Here are some services that can test the www.<your-domain>.com domain for this issue:

  • https://dnsviz.net/ – under “DNSSEC options” enable “Denial of existence” and set RR Types = CAA
    • Error Message: Under “Notices” there are “proving non-existence” errors
  • https://letsdebug.net/
    • Error Message: “validation failure … nodata proof failed”

Note: You must test “www”, and you must have an A record configured for “www” for the test to be valid. The root domain appears to be working as of the time of this article and does not result in the errors above.
