SSL, or Secure Sockets Layer, is a technology that encrypts the connection between a visitor’s browser and your website.
Note: While SSL is the term most often used to describe this encryption, SSL has actually been superseded by a newer technology called TLS (Transport Layer Security). Most people and companies, including HubSpot, still call it SSL, but TLS is what's actually used to encrypt secure content on the COS.
An SSL certificate is required to create this secure connection. Simply put, this certificate is two things:
- It’s a document your web server shows to your visitors’ browsers to prove that they’re really on the site they think they are
- It contains a key used to encrypt traffic between your visitors and your web server so no one can eavesdrop on them
These certificates are usually issued by organizations called Certificate Authorities, or CAs. Your visitors’ computers know that certificates issued by major CAs are trustworthy. Often, one of the more frustrating parts of supporting SSL on your web server involves dealing with a CA and proving to them that you are the owner of your website. Without this proof, a CA can’t issue you a certificate.
Typically, when you ask a CA to issue you a certificate, you will be prompted to answer a number of questions from the Certificate Authority about the identity of your website and your company. When you enable SSL on HubSpot, most of this is taken care of for you.
If your domain is already connected to HubSpot and has the correct CNAME, you won’t need to do anything to validate your domain.
If your domain is not currently connected to HubSpot, you can prove to our CA you own your domain by making a small change to your existing website. This can be done in one of two ways:
1. Create a Redirect link on the domain to be secured (recommended)
- Once SSL is enabled, in-app and emailed instructions will appear directing you to add a permanent (301) redirect for a new page on your domain (something like http://www.yourdomain.com/.well-known/acme-challenge/JvAm_OfFQLjlmatChxSw) to a “challenge URL” like http://validate.hubspot.net/.well-known/acme-challenge/JvAm_OfFQLjlmatChxSw. This redirect will be done in your existing CMS or DNS provider.
2. Create a new page containing the challenge token
- With this option, you must create a completely new page at a location similar to the above URL with nothing else but a long alphanumeric challenge token on the page.
Within a few hours, the Certificate Authority will verify and confirm you own the domain by finding the challenge tokens through either of the above methods. Then, the provisioning process continues and a HubSpot secure CNAME is generated just for you to point your domain to.
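A pre-check for the redirect option described above, as an added example that is not HubSpot's code: it requests the challenge path on your domain without following redirects and reports why the CA would fail to reach the challenge URL. The function names are hypothetical, and the validation host is the one in this article's sample challenge URL; use the host and token from your own instructions.

```python
import http.client
import sys
from urllib.parse import urlsplit

CHALLENGE_PREFIX = "/.well-known/acme-challenge/"
# Assumption: host copied from the article's sample challenge URL.
VALIDATION_HOST = "validate.hubspot.net"


def evaluate_redirect(token, status, location):
    """Return a list of problems with one HTTP response; empty means it looks right."""
    problems = []
    if status != 301:
        problems.append(f"expected a permanent (301) redirect, got status {status}")
    if not location:
        problems.append("response has no Location header")
        return problems
    target = urlsplit(location)
    # A relative Location has no hostname, so it is reported as a wrong host.
    if (target.hostname or "").lower() != VALIDATION_HOST:
        problems.append(f"redirect goes to host {target.hostname!r}, not {VALIDATION_HOST}")
    # Exact match catches a CMS that appends a trailing slash or rewrites the token.
    if target.path != CHALLENGE_PREFIX + token:
        problems.append(f"redirect path {target.path!r} is not the challenge path")
    return problems


def fetch_redirect(domain, token, timeout=10):
    """GET the challenge page over plain HTTP; http.client never follows redirects."""
    conn = http.client.HTTPConnection(domain, 80, timeout=timeout)
    try:
        conn.request("GET", CHALLENGE_PREFIX + token)
        resp = conn.getresponse()
        return resp.status, resp.getheader("Location")
    finally:
        conn.close()


if __name__ == "__main__":
    # Usage: python check_redirect.py www.yourdomain.com <token from the instructions>
    domain, token = sys.argv[1], sys.argv[2]
    issues = evaluate_redirect(token, *fetch_redirect(domain, token))
    print("redirect looks correct" if not issues else "\n".join(issues))
    sys.exit(1 if issues else 0)
```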