SSL certificates are required by the Emarsys API for secure data transfer.
What is SSL/TLS?
Secure Sockets Layer/Transport Layer Security (SSL/TLS) is a protocol for secure communication in computer networks. So-called SSL certificates are used to clearly identify the communication partners. Emarsys uses SSL certificates to encrypt access to our services and to our customers’ link domains.
Why use SSL/TLS?
A possible application for SSL certificates would be when using an authentication form. In such cases, users enter personal data, so security is a must. All forms that involve personal data and all e-commerce applications should always make use of encrypted communication.
The same can be said for registration confirmation pages, unsubscribe pages, or any other web resources central to your marketing activities: your customers must always feel that they are operating in a secure online environment.
SSL certificates enable the web browser and the web server to build a secure, encrypted connection. The web browser carries out a "handshake" process behind the scenes, which establishes the session.
Once the secure connection is made, it is then represented by a small padlock icon in the browser’s address bar and the "https" (the ‘s’ is for secure) prefix in the URL, which are the only visible indications of a secure session in progress. In contrast, when a user opens an unsecured website (i.e. one that is not protected with an SSL certificate), the security indicators are missing.
At this time, browsers do not explicitly label unsecure sites. If the website uses an SSL certificate but it is not valid, the browser’s security mechanism triggers a warning to the user, reminding them that the site is not secure and that sensitive data might be intercepted by third parties. Faced with such a warning message, most users will be reluctant to enter data into a form.
Once you have decided that you want to use encryption in communication with users, the goal would be that a secure web site can be accessed without triggering any warnings. A correctly implemented URL would look like this:
Note: As an alternative, the link above could also be converted to "normal" HTTP by removing the 's' in the URL – but in that case you would risk that users’ personal data might be stolen.
How to get an SSL certificate
Emarsys offers two ways to obtain a valid certificate.
1. Let Emarsys install a certificate for you
We can install a certificate for you, which is based on Let's Encrypt.
For this option, you do not need to do anything. It is also entirely free of charge. Emarsys will handle the generation of all the necessary files, and will take care of installing it for you.
Certificates installed with this method are RSA-signed and use 2048-bit RSA keys, which meets industry standards. A Let’s Encrypt certificate is valid for 90 days and will be automatically renewed.
If you wish to use this solution, please inform your Implementation Consultant.
If you are using a CDN, we need to deploy the relevant certificate's private key to our CDN partner's infrastructure. Please note that in this case you cannot use Let's Encrypt.
2. Obtain a certificate yourself
The other option is to obtain the certificate yourself, as described below.
Note: This section assumes that you are already familiar with creating forms in the Emarsys application.
To obtain a certificate, proceed as follows:
- Create a Certificate Signing Request (CSR) file for the domain you are using. This file contains information about the domain ("who are you"). See below for further information on CSR files.
- Go to a Certification Authority (CA) and buy a certificate. Certificates are available in different types and with different contract periods. It is important that you make sure to choose the most appropriate from the following:
- Single Certificate for your domain, e.g. "newsletter.yourdomain.com".
- Wildcard Certificate for all first level subdomains below "*.yourdomain.com", which allows you to cover registration forms as well as web shops.
Both of the above options may come in different forms: Domain Validated, Organization Validated, Entity Validated. We have no preference regarding the validation status of the certificate and recommend going with Domain Validated. For more information, refer to your CA's documentation.
- Once you have received the certificate from the CA, send the following two files to Emarsys:
- Private key file (a .key file).
- Certificate file (a .crt or .pem file). This may contain the certificate chain as well.
- Certificate chain file (a .crt or .pem file)
Sometimes the certificate and its chain are referred to as a certificate bundle.
- Emarsys will then install the certificate and link it to the domain (e.g., newsletter registration form).
For your own safety, please always remember to protect your sensitive data with a password when submitting it to Emarsys. The password should be sent via a separate channel (e.g. by phone).
If you are using a CDN, we need to deploy the relevant certificate's private key to our CDN partner's infrastructure.
A Certificate Signing Request (CSR) is a signed piece of data containing all your information (organization name, location, country, etc.) which you need when you want to buy a certificate from a Certification Authority (CA). The CA uses this information to create the SSL certificate which is then linked to the domain you created the CSR for, which is what makes the SSL connection possible.
If you need help getting information about your domain, you can simply use the Whois protocol to find out all the relevant domain information. The CSR file is linked to the domain, for which you will need to prove ownership.
- Before a CA will issue a certificate for your domain, it will require you to prove ownership of it. The exact way to do this depends on your CA.
- You may need to temporarily remove CNAME entries pointing to Emarsys to successfully prove ownership.
It is important that all data in a CSR file is an exact match for the information used when applying for a certificate. If not, the certification process might fail, or the certificate won’t work for the domain you actually want it for.
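The steps above as an added example, not part of the original Emarsys page: OpenSSL commands that create a 2048-bit RSA key and CSR, print the CSR subject for comparison with the CA order, check that a private key belongs to a CSR or issued certificate, and passphrase-encrypt the key before it is sent. The subject values (`C=XX`, `O=Your Organization`), the file names and the `KEY_PASS` environment variable are assumptions.

```shell
#!/bin/sh
# Added example. Subject values and file names are placeholders, not Emarsys requirements.

# Create a 2048-bit RSA private key and a CSR. $1 = domain, $2 = output directory
make_csr() {
    domain=$1; out=$2
    ( umask 077   # keep the .key file unreadable for other local users
      openssl req -new -newkey rsa:2048 -nodes \
          -keyout "$out/$domain.key" -out "$out/$domain.csr" \
          -subj "/C=XX/O=Your Organization/CN=$domain" 2>/dev/null )
}

# Print the subject stored in a CSR so it can be compared with the CA application.
csr_subject() { openssl req -in "$1" -noout -subject -nameopt RFC2253; }

# Hash of the public key held in a private key, CSR or certificate.
# $1 = key|csr|crt, $2 = file
pub_fp() {
    case $1 in
        key) openssl pkey -in "$2" -pubout ;;
        csr) openssl req  -in "$2" -noout -pubkey ;;
        crt) openssl x509 -in "$2" -noout -pubkey ;;
    esac 2>/dev/null | openssl sha256
}

# Succeeds only if both files exist and carry the same public key.
# A certificate that does not match the submitted .key file cannot be installed.
same_key() {
    [ -s "$2" ] && [ -s "$4" ] && [ "$(pub_fp "$1" "$2")" = "$(pub_fp "$3" "$4")" ]
}

# Encrypt the private key (AES-256) before sending it. The passphrase is read
# from the KEY_PASS environment variable so it never appears in the process list.
# $1 = plain key file, $2 = encrypted output file
protect_key() { openssl pkey -in "$1" -aes256 -passout env:KEY_PASS -out "$2"; }

# Stand-alone use: ./csr.sh newsletter.yourdomain.com /path/to/outdir
if [ "$#" -eq 2 ]; then
    make_csr "$1" "$2" && csr_subject "$2/$1.csr"
fi
```

Once the CA has issued the certificate, `same_key key your.key crt issued.crt` confirms that the files you are about to send belong together.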