Emarsys needs a valid SSL certificate for its fundamental features to work. Even basic functions, like delivering images and resolving links, require HTTPS, and therefore an SSL certificate.
What is SSL/TLS?
Secure Socket Layer/Transport Layer Security (SSL/TLS) is a protocol for secure communication in computer networks. To clearly identify the communication partners, so-called SSL certificates are used. Emarsys uses SSL certificates to encrypt access to our services, and the presence of a valid certificate is vital to:
- link and image domain functions
- delivering any content
- link tracking
Why use SSL/TLS?
One good example to highlight the importance of a valid SSL certificate is an authentication form. In such cases, users enter personal data, so security is a must. All forms that involve personal data and all e-commerce applications should always make use of encrypted communication.
The same can be said for registration confirmation pages, unsubscribe pages, or any other web resources central to your marketing activities. Your customers must always feel that they are operating in a secure online environment.
SSL certificates enable the web browser and the web server to build a secure, encrypted connection. A "handshake" process which establishes the session takes place behind the scenes through the web browser.
Once the secure connection is made, it is represented by a small padlock icon in the browser’s address bar and the "https" (the ‘s’ is for secure) prefix in the URL. These are the visible indications of a secure session in progress. In contrast, when a user opens an unsecured website (i.e. one that is not protected with an SSL certificate), the security indicators are missing.
If a website uses an invalid SSL certificate, the browser’s security mechanism triggers a warning to the user, letting them know that the site is not secure and that sensitive data might be intercepted by third parties. Faced with such a warning message, most users become reluctant to interact with the page.
Once you have decided to use encryption to communicate with your users, the goal is to offer a secure website that can be accessed without any warnings. A correctly implemented secure URL looks like this:
https://newsletter.yourdomain.com/u/register.php?CID=12345678&f=12345
How to get an SSL certificate
You have two ways to get an SSL certificate:
In general, it can be argued that giving us your purchased certificate to use offers you no major advantages. Certificate renewal is an ongoing cost and maintaining the cert will also cost you time and effort.
Emarsys can issue you a working certificate and maintain it too at no cost to you.
Self-signed certificates are currently not supported by Emarsys. Only certificates from trusted CAs (Certificate Authorities) work. Also, we only accept certificates that are valid for at least 12 months.
CAs from within the customer's own infrastructure are not trusted globally. They are therefore not supported, and their certificates are treated as internal-only.
1. Let Emarsys handle this
For this option, you do not need to do anything. It is also entirely free of charge.
Emarsys handles the generation of all the necessary files, and takes care of installing them for you too. We install a certificate that is based on Let's Encrypt.
Certificates issued with this method are RSA-signed and use 2048-bit RSA keys, which meets industry standards. A Let’s Encrypt certificate is valid for 90 days and will be automatically renewed.
If you wish to use this solution, please inform your Implementation Consultant.
If you choose to let Emarsys handle the SSL certificate for you and your domain uses a CAA record, please add the entry below to the existing CAA record. Otherwise Emarsys can't issue the certificate.
CAA 128 issue "letsencrypt.org"
What is a DNS CAA record?
A Certification Authority Authorization (CAA) record uses your DNS records to restrict which companies are allowed to issue SSL certificates for the domains that you own.
Restricting this with a CAA record reduces the chance of an SSL certificate being issued to someone who is not you, and provides logging so that such cases can be reported.
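A pre-check for the CAA requirement described above, as an added example (not Emarsys tooling): it reads CAA records in the format printed by `dig +short CAA <name>` and reports whether Let's Encrypt would be authorised to issue. It assumes the input is the record set that applies to the domain (the closest name, at or above it, that has CAA records); `ca.example` and the sample record sets are constructed.

```shell
#!/bin/sh
# Added example. Input lines use the `dig +short CAA <name>` output format;
# the record sets below are constructed samples, not real DNS data.

# caa_permits CA: read the applicable CAA record set on stdin and succeed if
# CA may issue a non-wildcard certificate (RFC 8659 "issue" semantics).
caa_permits() {
    awk -v ca="$1" '
        tolower($2) != "issue" { next }   # issuewild/iodef do not decide this
        {
            seen = 1
            val = $0
            sub(/^[^"]*"/, "", val)       # keep the text between the quotes
            sub(/".*$/, "", val)
            sub(/;.*$/, "", val)          # drop CA parameters after ";"
            gsub(/[ \t]/, "", val)
            if (tolower(val) == tolower(ca)) ok = 1
        }
        # No "issue" records at all means issuance is not restricted.
        END { exit ((seen && !ok) ? 1 : 0) }'
}

# report LABEL: print whether letsencrypt.org is authorised by the set on stdin.
report() {
    if caa_permits letsencrypt.org; then
        echo "$1: issuance permitted"
    else
        echo "$1: issuance blocked"
    fi
}

printf '%s\n' '0 issue "ca.example"' | report "existing record only"
printf '%s\n' '0 issue "ca.example"' '128 issue "letsencrypt.org"' |
    report "with the entry from this page added"
printf '' | report "no CAA records"
```

To check a live domain, pipe the output of `dig +short CAA <name>` into `caa_permits letsencrypt.org`, repeating the query on each parent name until one returns records.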
2. Obtain a certificate yourself
The other option is to buy the certificate from a Certification Authority (CA), and then forward it to Emarsys for installation. The process described here is a generic one; there may be differences with your CA provider.
Always raise a support request to extend your custom SSL before its expiration date.
If you are using a CDN, we need to deploy the relevant certificate's private key to our CDN partner's infrastructure. Please note that in this case you can only submit certificates that are valid for at least 12 months.
For your own safety, please always remember to protect your sensitive data with a password when submitting it to Emarsys. The password should be sent via a separate channel (e.g. by phone).
To obtain a certificate, proceed as follows:
- Create a Certificate Signing Request (CSR) file for the domain you are using. This file contains information about the domain ("who are you"). See below for further information on CSR files.
- Go to a Certification Authority (CA) and buy a certificate. Certificates are available in different types and with different contract periods. It is important that you choose the most appropriate of the following:
  - Single Certificate for your domain, e.g. "newsletter.yourdomain.com".
  - Wildcard Certificate for all first level subdomains below "*.yourdomain.com", which allows you to cover registration forms as well as web shops.
  Both of the above options may come in different forms: Domain Validated, Organization Validated, Entity Validated. We have no preference regarding the validation status of the certificate and recommend going with Domain Validated. For more information, refer to your CA's documentation.
- Once you have received the certificate from the CA, send the following files to Emarsys:
  - Private key file (a .key file).
  - Certificate file (a .crt or .pem file). This may contain the certificate chain as well.
  - Certificate chain file (a .crt or .pem file).
  Sometimes the certificate and its chain are referred to as a certificate bundle.
- Emarsys will then install the certificate and link it to the domain.
CSR Files
A Certificate Signing Request (CSR) is a signed piece of data containing all your information (organization name, location, country or region, etc.) which you need when you want to buy a certificate from a Certification Authority (CA). The CA uses this information to create the SSL certificate which is then linked to the domain you created the CSR for, which is what makes the SSL connection possible.
If you need help getting information about your domain, you can simply use the Whois protocol to find out all the relevant domain information. The CSR file is linked to the domain, for which you will need to prove ownership.
Notes:
- Before a CA will issue a certificate for your domain, it will require you to prove ownership of it. The exact way to do this depends on your CA.
- You may need to temporarily remove CNAME entries pointing to Emarsys to successfully prove ownership.
It is important that all data in a CSR file is an exact match for the information used when applying for a certificate. If not, the certification process might fail, or the certificate won’t work for the domain you actually want it for.
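The first step of the procedure above and the matching requirement in this section, as an added example (not Emarsys's or any CA's own tooling): it creates a 2048-bit RSA key and a CSR with OpenSSL, then checks that the CSR is self-consistent and belongs to that key before anything is sent to a CA. It assumes OpenSSL 1.1.1 or later; the subject values (C, O) are constructed and the hostname is this page's sample domain.

```shell
#!/bin/sh
# Added example. Assumes OpenSSL 1.1.1 or later. The subject values (C, O) are
# constructed samples; the hostname is the sample domain used on this page.

# make_csr DOMAIN DIR: write DIR/DOMAIN.key (2048-bit RSA) and DIR/DOMAIN.csr.
make_csr() (
    umask 077                      # private key readable by its owner only
    openssl req -new -newkey rsa:2048 -nodes \
        -keyout "$2/$1.key" -out "$2/$1.csr" \
        -subj "/C=DE/O=Example GmbH/CN=$1" \
        -addext "subjectAltName=DNS:$1" 2>/dev/null
)

# csr_ok DOMAIN DIR: succeed only if the CSR's self-signature verifies, its SAN
# names DOMAIN, and its public key is the one derived from DIR/DOMAIN.key.
csr_ok() {
    csr="$2/$1.csr" key="$2/$1.key"
    openssl req -in "$csr" -noout -verify 2>&1 | grep -q "verify OK" || return 1
    openssl req -in "$csr" -noout -text | grep -qF "DNS:$1" || return 1
    [ "$(openssl req -in "$csr" -noout -pubkey)" = \
      "$(openssl pkey -in "$key" -pubout)" ]
}

# Demo in a throwaway directory.
tmp=$(mktemp -d)
make_csr newsletter.yourdomain.com "$tmp"
if csr_ok newsletter.yourdomain.com "$tmp"; then
    echo "CSR is self-consistent and matches the private key"
else
    echo "CSR check failed"
fi
rm -rf "$tmp"
```

The key is written unencrypted here so the check can read it; the .key file is the sensitive item the page asks you to password-protect before submitting.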