SSL certification

A possible application for SSL certificates would be when using an authentication form. In such cases, users enter personal data, so security is a must. All forms that involve personal data and all e-commerce applications should always make use of encrypted communication. 

The same can be said for registration confirmation pages, unsubscribe pages, or any other web resources central to your marketing activities: your customers must always feel that they are operating in a secure online environment.

SSL certificates enable the web browser and the web server to build a secure, encrypted connection. A "handshake" process which establishes the session takes place behind the scenes, this is done by the web browser.

Once the secure connection is made, it is then represented by a small padlock icon in the browser’s address bar and the "https" (the ‘s’ is for secure) prefix in the URL, which are the only visible indications of a secure session in progress. In contrast, when a user opens an unsecured website (i.e. one that is not protected with an SSL certificate), the security indicators are missing. 

At this time, browser do not explicitly label unsecure sites. If the websites uses an SSL certificate but it is not valid, the browser’s security mechanism triggers a warning to the user, reminding them that the site is not secure and that sensitive data might be intercepted by third parties. Faced with such a warning message, most users will be reluctant to enter data into a form.

Once you have decided that you want to use encryption in communication with users, the goal would be that a secure web site can be accessed without triggering any warnings. A correctly implemented URL would look like this:

https://newsletter.yourdomain.com/u/register.php?CID=12345678&f=12345

Note: As an alternative, the link above could also be converted to "normal" HTTP by removing the 's' in the URL – but in that case you would risk that users’ personal data might be stolen.

Emarsys offers two ways to obtain a valid certificate.

The other option is to obtain the certificate yourself., as described below.

Note: This section assumes that you are already familiar with creating forms in the Emarsys application.

To obtain a certificate, proceed as follows:

• Create a Certificate Signing Request (CSR) file for the domain you are using. This file contains information about the domain ("who are you"). See below for further information on CSR files.

Go to a Certification Authority (CA) and buy a certificate. Certificates are available in different types and with different contract periods. It is important that you make sure to choose the most appropriate from the following:

• Single Certificate for your domain, e.g. "newsletter.yourdomain.com".
• Wildcard Certificate for all first level subdomains below "*.yourdomain.com", which allows you to cover registration forms as well as web shops.

Both of the above options may come in different forms: Domain Validated, Organization Validated, Entity Validated. We have no preference regarding the validation status of the certificate and recommend to go with Domain Validated. For more information, refer to your CA's documentation.

• Once you have received the certificate from the CA, send the following two files to Emarsys:
  • Private key file (a .key file).
  • Certificate file (a .crt or .pem file).  This may contain the certificate chain as well.
  • Certificate chain file (a .crt or .pem file)

Sometimes the certificate and its chain are referred to as a certificate bundle.

• Emarsys will then install the certificate and link them to the domain (e.g., newsletter registration form).

A Certificate Signing Request (CSR) is an signed piece of data containing all your information (organization name, location, country, etc.) which you need when you want to buy a certificate from a Certification Authority (CA). The CA uses this information to create the SSL certificate which is then linked to the domain you created the CSR for, which is what makes the SSL connection possible.

If you need help getting information about your domain, you can simply use the Whois protocol to find out all the relevant domain information. The CSR file is linked to the domain, for which you will need to prove ownership.

Notes:

• Before a CA will issue a certificate for your domain, it will require you to prove ownership of it. The exact way to do this depends on your CA.
• You may need to temporarily remove CNAME entries pointing to Emarsys to successfully prove ownership.

It is important that all data in a CSR file is an exact match for the information used when applying for a certificate. If not, the certification process might fail, or the certificate won’t work for the domain you actually want it for.