Setting up hosted SSL

Jess Bezos

SSL (Secure Sockets Layer) is an encryption protocol that ensures secure communications with your website. You must configure an SNI-based SSL certificate for a host-mapped domain using one of the two methods below:

  • Use the free SNI-based SSL certificate from Zendesk (recommended)
  • Use your own SNI-based certificate

If you don’t upload a certificate when you use a host-mapped domain, all help center traffic will be redirected to your default zendesk.com subdomain.

Using a Zendesk-provisioned SSL certificate

We recommend using the Zendesk-provisioned SNI-based SSL certificate for your host-mapped domain or domains if you’re on the Team, Professional, or Enterprise plans. This is included for free with your Zendesk plan. The SSL certificate covers all your host-mapped domains. Zendesk automatically renews the SSL certificate before it expires.

Your host mapping must be set up correctly before you start.

  1. In Zendesk Support, click the Admin icon (Settings icon) in the sidebar, select Settings > Security, then click the SSL tab at the top of the Security page.
  2. In the Hosted SSL section of the page, click Enable Zendesk-provisioned SSL.
  3. Click Save.

    Zendesk requests an SSL certificate from Let’s Encrypt, a third-party certificate service. It can take up to an hour to complete the request. If you have any issues, contact support@zendesk.com.

    When you add, update, or delete a host-mapped domain, Zendesk removes your current certificate and replaces it with a new certificate that covers the new host-mapped routes.

Providing your own SSL certificate

If you prefer not to use Zendesk-provisioned SSL, you can get and upload your own SNI-based SSL certificate as described in this section. If you use your own certificate, Zendesk will not automatically renew it when it expires.

Because of potentially long lead times, consider your SSL options early in the process of setting up your Zendesk Support.

Getting your own SSL certificate

If you already have an SNI-based certificate for your host-mapped address, skip to Uploading the certificate below.

You can purchase an SSL certificate from a certificate authority such as DigiCert or Symantec, or from resellers such as Namecheap. You need to give the certificate authority a certificate signing request (CSR) file to create the certificate. You can generate the CSR as described below.

Make sure any SSL certificate you purchase supports Server Name Indication (SNI) technology.

IP-based SSL certificates are not supported.

If you have multiple host-mapped brands, you only need one certificate for all of them – you don’t need an SSL certificate for each brand. However, if you add a host-mapped brand, you need to replace your existing certificate with a new one. Generate the new certificate as described in the procedure below. For more information on host-mapped brands, see Generating an SSL certificate for host-mapped brands.

To get an SSL certificate

  1. In Zendesk Support, click the Admin icon (Settings icon) in the sidebar, select Settings > Security, then click the SSL tab at the top of the Security page.
  2. In the Hosted SSL section of the page, click I do not have a certificate, and then Generate a request. A certificate signing request file (CSR) is created and downloaded to your computer.

    Generate CSR

  3. Provide the CSR file to the certificate authority.

    The certificate authority generates an SSL certificate and gives it to you so that it can be installed on our servers.

    Certificate authorities charge a fee for each request, so keep the following tips in mind:

    • Before you buy, make sure your certificate authority supports SHA-2 signatures. The generated CSR file is signed using SHA-2.
    • Make sure the certificate supports Server Name Indication (SNI) technology
    • If prompted, specify “Nginx”, “Apache” or “Apache + mod_ssl” as the desired web server
    • After the certificate authority generates the certificate file, save it so you don’t have to make another request

    We strongly discourage using wildcard certificates. If your certificate is compromised anywhere on any of the services you use, the information on all your services is at risk. You also have to replace the certificate everywhere it’s used.

Once you have an SSL certificate, the next step is to upload it as described below.

Uploading the certificate

After purchasing the SSL certificate, the certificate authority will send you an email or direct you to a page where you can download the certificate. The instructions are often unclear about what files you really need or if you should prepare them before uploading them. For guidance, see Identifying and preparing your SSL certificate.

After obtaining or preparing the SSL certificate as a PEM file as described above, upload it to our servers as follows.

  1. In Zendesk Support, click the Admin icon (Settings icon) in the sidebar, select Settings > Security, then click the SSL tab at the top of the Security page.
  2. In the Hosted SSL section of the page, click I have a certificate, then Upload certificate.

    Upload certificate

  3. Navigate to the PEM file and select it.
  4. If you have a private key associated with the certificate, click Upload private key and enter your passphrase if any. You don’t need a key if you generated the CSR file in Zendesk Support. For more information, see Getting a key file for upload.
  5. Click Save.

    The certificate will be installed on our servers.

Update the CNAME record

For either SSL option – you provide your own SSL certificate or you use Zendesk-provisioned SSL – Zendesk requires that the DNS record be a CNAME record that points to subdomain.zendesk.com. DNS “A” records are not supported.

You must configure the DNS; see Changing the URL of your Help Center. If there is an error in the DNS, we will remove the invalid host mapping.
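The CNAME requirement above can be checked before you enable SSL. The following is an added example, not Zendesk code: it classifies answer lines in the format printed by `dig +noall +answer`, and the host names, TTLs and addresses are constructed sample data.

```python
def check_host_mapping(host, answer_lines, suffix=".zendesk.com"):
    """Classify the DNS records owned by `host` in dig-style answer lines."""
    host = host.rstrip(".").lower()
    own = []  # (type, rdata) for records whose owner name is the host itself
    for line in answer_lines:
        fields = line.split()
        if len(fields) < 5 or fields[0].startswith(";"):
            continue  # skip blank lines and dig comments
        owner, rtype, rdata = fields[0], fields[3].upper(), fields[4]
        if owner.rstrip(".").lower() == host:
            own.append((rtype, rdata.rstrip(".").lower()))
    if not own:
        return "no-record"
    if any(rtype != "CNAME" for rtype, _ in own):
        return "not-cname"  # e.g. an A record on the host, which is not supported
    target = own[0][1]
    # The leading dot in the suffix prevents look-alike names from matching.
    return "ok" if target.endswith(suffix) else "wrong-target"


# Constructed sample answers (documentation names and addresses).
GOOD = [
    "support.example.com. 300 IN CNAME mycompany.zendesk.com.",
    "mycompany.zendesk.com. 300 IN A 192.0.2.10",  # belongs to the target, not the host
]
A_RECORD = ["support.example.com. 300 IN A 192.0.2.10"]
WRONG_TARGET = ["support.example.com. 300 IN CNAME cdn.example.net."]

if __name__ == "__main__":
    for name, lines in [("good", GOOD), ("a-record", A_RECORD), ("wrong", WRONG_TARGET)]:
        print(name, check_host_mapping("support.example.com", lines))
```

An A record that follows the CNAME in the answer belongs to the CNAME target, so only records owned by the host-mapped name itself are judged.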

Reviewing the SSL status of a certificate

You can review the SSL status (CNAME check) of your host-mapped, SSL-enabled brands in the Zendesk Support interface.

  1. In Zendesk Support, click the Admin icon (Settings icon) in the sidebar, select Settings > Security, then click the SSL tab at the top of the Security page. The SSL page displays information about your certificates:

    Certificate information

    This view of the SSL page is only displayed if you have a host-mapped, SSL-enabled domain.

  2. Refresh the page to run the SSL status check again.

Replacing a certificate

You can replace a certificate installed on Zendesk Support.

Zendesk will notify you when the certificate you provided is about to expire. If it expires before you can replace it, Zendesk will automatically replace it with a free, SNI-based SSL certificate from Let’s Encrypt, a third-party certificate service. See Getting a Zendesk-provisioned SSL certificate. You can keep the certificate or replace it with your own.

  1. In Zendesk Support, click the Admin icon (Settings icon) in the sidebar, select Settings > Security, then click the SSL tab at the top of the Security page.
  2. Click I already have a certificate and follow the steps in Uploading the certificate above.

    Replace certificate

    This view of the SSL page is only displayed if you have a host-mapped, SSL-enabled domain.

  3. If you don’t have a replacement certificate yet, click I do not have a certificate and follow the steps in Getting an SSL certificate above.

Extending HTTP Strict Transport Security (HSTS) to one year

HTTP Strict Transport Security (HSTS) is enabled by default for host-mapped, SSL-enabled domains in Zendesk Support. HSTS instructs users’ browsers to access your host-mapped domain only over SSL.

When a user types http://shop.example.com or just shop.example.com to access an SSL-enabled site that doesn’t have HSTS, the user’s browser briefly accesses the non-encrypted version of the site before being redirected to the encrypted HTTPS version. The redirect makes the user vulnerable to a man-in-the-middle attack, where a hacker exploits the redirect to send the user to a malicious site.

When HSTS is enabled, the site instructs the user’s browser to never load the site using HTTP. The browser automatically converts all such attempts to HTTPS requests, skipping the redirect that hackers can exploit for man-in-the-middle attacks. As long as the user accessed the site once using HTTPS, the user’s browser will know to only use HTTPS to access it.

The browser remembers the site only for a specified period. By default for Zendesk SSL-enabled domains, the period is 1 day. You can increase the period to 1 year.

This feature is only available if you have a host-mapped, SSL-enabled domain.

To extend the period the browser remembers your site to one year

  1. In Zendesk Support, click the Admin icon (Settings icon) in the sidebar, select Settings > Security, then click the SSL tab at the top of the Security page.
  2. Select the HSTS option to instruct browsers to remember the site for up to one year.
  3. Click Save.

After setting up a host-mapped, SSL-enabled domain, you can perform any of the following management tasks:

  • Reviewing the SSL status of a certificate
  • Replacing a certificate
  • Extending HTTP Strict Transport Security (HSTS) to one year
