Uberflip provides SSL certificates for hub domains through either Uberflip-managed or customer-managed methods. Uberflip-managed SSL uses free certificates from Let's Encrypt that are automated and simple to apply, while customer-managed SSL allows clients to use their own certificates which require sending PEM files to Uberflip for manual renewal. To identify the SSL method, check the domain settings page to see if the "Allow LE Cert" button is present or contact Uberflip support.
2. Agenda
Today we will look at:
• What is SSL
• How the hub domain utilizes SSL
• Uberflip SSL Certs vs. Customer Managed SSL Certs
• Process of applying the UF LE SSL Cert
• Process of applying Customer Managed SSL Certs
• How to verify which cert a domain is using
3. What is SSL
• SSL (Secure Sockets Layer) and its successor, TLS (Transport Layer
Security), are protocols for establishing authenticated and encrypted
links between a web server and a web browser. Companies and
organizations need to add SSL certificates to their websites to secure
online transactions and keep customer information private and
secure.
• At Uberflip we apply SSL to the hub domains to ensure the domain
URL and all webpages on the hub are secure.
5. Uberflip SSL Certs
• To set up SSL for Hubs, we use certificates from Let's Encrypt.
Benefits to clients:
• Free: Unlike traditional CAs, Let's Encrypt provides and validates
certificates at no cost
• Automated: The entire enrollment process for certificates is automated, as
is renewal of the certificate upon expiration
• Simple: With Let's Encrypt certificates, you don't need to worry about
payment, installation, or keeping track of expiring certificates
6. How to Apply the LE Cert
To apply the LE cert, click on your name in the top right corner of the
Uberflip app, then go to Account Settings > Services > Domains.
Find the domain in the list, then click on the Allow LE Cert button that
appears beside it.
*Note: the cert takes overnight to apply.
7. Customer Managed Certs
• The client opts to use their own self-managed cert
• When the cert expires, the client is responsible for sending us a new
cert to renew it. The client is required to send a PEM file so the new
cert can be added on the Uberflip end
-The PEM file should be sent to us securely using https://securesha.re/
• Major organizations tend to manage their own certs for security
reasons – they have dedicated security teams to handle these
requests
8. How to Apply the Customer Managed Cert
• When a customer provides us with a PEM file, we file an Ops ticket that
gives the Infrastructure team the file and password so they can manually
renew the cert.
Example of an Ops ticket:
• https://uberflip.atlassian.net/browse/OPS-12178
• This process can take up to 5 business days!
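A pre-flight check that could be run on a customer's PEM file before the Ops ticket is filed, so a malformed file is caught before the 5-business-day turnaround starts. This is an added example, not Uberflip tooling: it assumes the file is expected to hold a certificate plus a password-protected private key, and the function names and sample data are constructed for illustration. It checks framing and key protection only, not whether the certificate and key match.

```python
import base64
import re

# RFC 7468 textual encoding: BEGIN/END lines whose labels must match.
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)\r?\n-----END \1-----", re.S)

def parse_pem(text):
    """Return (label, headers, decoded_bytes) for every PEM block in text."""
    blocks = []
    for label, body in PEM_BLOCK.findall(text):
        lines = body.splitlines()
        headers = {}
        # Legacy OpenSSL keys carry "Name: value" headers before the payload.
        while lines and ":" in lines[0]:
            key, _, value = lines.pop(0).partition(":")
            headers[key.strip()] = value.strip()
        payload = "".join(line.strip() for line in lines)
        blocks.append((label, headers, base64.b64decode(payload, validate=True)))
    return blocks

def preflight(text):
    """Return a list of problems; an empty list means the file looks usable."""
    try:
        blocks = parse_pem(text)
    except ValueError as exc:  # binascii.Error is a ValueError subclass
        return [f"corrupt base64 payload: {exc}"]
    problems = []
    if not any(label == "CERTIFICATE" for label, _, _ in blocks):
        problems.append("no CERTIFICATE block")
    keys = [(l, h) for l, h, _ in blocks if l.endswith("PRIVATE KEY")]
    if not keys:
        problems.append("no private key block")
    for label, headers in keys:
        encrypted = (label == "ENCRYPTED PRIVATE KEY"
                     or headers.get("Proc-Type", "").endswith("ENCRYPTED"))
        if not encrypted:
            problems.append(f"{label} is not password-protected")
    return problems

def make_block(label, payload, header=""):
    # Constructed sample data: the payload is placeholder bytes, not real DER.
    b64 = base64.encodebytes(payload).decode().strip()
    return f"-----BEGIN {label}-----\n{header}{b64}\n-----END {label}-----\n"

CERT = make_block("CERTIFICATE", b"constructed cert")
SAMPLE_GOOD = CERT + make_block("ENCRYPTED PRIVATE KEY", b"constructed key")
SAMPLE_BAD = CERT + make_block("RSA PRIVATE KEY", b"constructed key")

if __name__ == "__main__":
    print(preflight(SAMPLE_GOOD), preflight(SAMPLE_BAD))
```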
There are two ways to enable SSL on a UF hub domain:
1. UF SSL certs
2. Customer managed SSL certs
Both are equally accepted; however, we likely want to go the UF-managed route.
Let's Encrypt is a new kind of Certificate Authority run by the Internet Security Research Group, a public-benefit corporation backed by a number of major organizations, including Mozilla, Cisco, Shopify, the Ford Foundation, and the EFF.
Their mission is to encourage the wider use of HTTPS by making the entire setup and maintenance process much easier.
If a client opted to use a self-managed certificate with their Hub (i.e. if they sent us a PEM file), then when their current certificate expires they will need to send us a new PEM file.
In addition, we have also provisioned a Let's Encrypt certificate for them as a fallback. If their self-managed certificate expires and they do not send us a new PEM file in time, we can transition their Hub onto the Let's Encrypt certificate so that it remains secure.
CSR!!
Customer managed to UF managed:
1. Allow LE cert for the domain, then wait overnight
2. File an OPS ticket to remove the existing customer managed cert
UF managed to Customer managed:
1. Request the PEM file and password (remember to request using a secure link)
2. File an OPS ticket to apply the customer-provided cert and remove the LE cert (5 business days)