Add a custom SSL certificate to your account

Last updated: September 1, 2020

Applies to:

Marketing Hub  Starter, Professional, Enterprise
CMS Hub  Professional, Enterprise

By default, when you connect a domain to your account, HubSpot automatically provisions a standard SAN SSL certificate through DigiCert. However, if you'd prefer to use a different provisioner or type of certificate, you can add custom SSL certificates to your account by purchasing the custom SSL add-on. 

Please note:
  • HubSpot is not a certificate authority and does not issue SSL certificates. To use a custom SSL certificate, you will need to purchase an SSL certificate from a certificate authority in addition to purchasing the custom SSL add-on.
  • For security reasons, you cannot use an existing custom SSL certificate. To use a custom SSL certificate for your HubSpot website, HubSpot must generate a new certificate signing request (CSR).

Types of custom SSL certificates

Before purchasing the HubSpot custom SSL certificate add-on, you'll need to decide what type of certificate you want, and the type of validation you require.

The type of custom SSL certificate you need depends on how many domains you'll be hosting on it:

  • Single hostname: can be applied to one subdomain. This would be a good option if you'll only be hosting content on www.yourwebsite.com.
  • Wildcard: can be applied to one domain with infinite subdomains. This would be a good option if you'll be hosting content on multiple subdomains, such as www.yourwebsite.com, blog.yourwebsite.com, and info.yourwebsite.com.
  • Multi-domain: can be applied to up to 99 domains. This would be a good option if you'll be hosting content on multiple domains, such as www.yourwebsite.com and www.newbrand.com.

Custom SSL certificates can use any of the following types of validation:

  • Domain validated (DV): the certificate authority (CA) validates the certificate using only the domain name. This is the most common type of validation, and is what HubSpot uses for its default SSL certificates.
  • Organization validated (OV): the CA validates the certificate by verifying the business that's requesting the certificate. This requires more validation than DV certificates, but provides another layer of trust.
  • Extended validation (EV): the CA validates the certificate through a series of additional documents and authorizations. This is the highest level of trust and requires several steps to complete validation. 

Learn more about the types of certificates and validations that are available. Once you've decided the type of certificate and validation, you can begin the process within HubSpot.

Please note: before you can add a certificate to a domain, you must first connect the domain to your account.

Add a custom certificate

To add a custom certificate to your account:

  • In your HubSpot account, click the settings icon in the main navigation bar.
  • In the left sidebar menu, navigate to CMS > Domains & URLs.
  • Click the Custom SSL tab.
  • Click Add a Custom SSL certificate to add a custom certificate. If you haven't yet purchased the add-on, you'll be guided through the purchase process. 
  • In the dialog box, select the type of SSL certificate you'll be using. Then click Add certificate.

You'll then be guided through the processes of entering the Certificate Signing Request (CSR) details.

Generate the CSR

CSR details must be completed in HubSpot before you can request the certificate from the certificate authority.

  • Click the Select a domain dropdown menu and select the domain that you'll be applying the certificate to. 

    • If you're adding a multi-domain certificate:
      • Click the Select a domain dropdown menu and select one of the domains you're applying the certificate to.
      • On the next screen, enter in any additional domains that you'll be applying the certificate to, separated by commas. You can include domains you've connected to HubSpot or any other external domains. You won't be able to add domains to this list later.
  • Click Next.
  • On the next screen, enter the details of the certificate by using the fields and dropdown menus:
    • Click the Key length dropdown menu and select a key length, either 1024 or 2048 (recommended).
    • Click the Country code dropdown menu and select your country code. This will be the country code that appears on your certificate.
    • Enter your State or province name, City, Company name, and Department if applicable, in the relevant fields. These details will appear on your certificate. 

  • Click Next.
  • On the next screen, review the requirements for your custom SSL certificate:
    1. Private Keys and CSRs: In the third party SSL process, Cloudflare generates the private key and CSR used for the creation of the certificate. The private key is not shared with HubSpot or any third parties.
    2. CSR and Certificate Conveyance Process: Cloudflare, through HubSpot, extends the CSR in text format via email to the customer. In turn, the customer has the CSR signed by the certificate authority of choice. The customer returns the certificate (including the intermediate roots) to Cloudflare through HubSpot in text form via email. Cloudflare checks the certificate against the CSR, and then schedules the certificate for deployment onto the SSL network.
    3. CSR Submission as Customer's Agent: For third party certificates, Cloudflare or HubSpot do not submit the CSR directly to the customer's chosen certificate authority. Customers assume full responsibility for submitting the CSR to the certificate authority.
    4. Renewal: Prior to certificate expiration, HubSpot will notify the customer and extend a CSR to them for signing. The customer is responsible for the subsequent renewal of the third party certificate per the same provisioning process originally followed. 
    5. Proper Server Volume Licensing: Because Cloudflare maintains a large SSL delivery network comprised of thousands of servers, customers must procure their certificate per "unlimited" server volume terms. Failure to properly license a certificate for the Cloudflare server volume may constitute a license infringement with the issuing certificate authority, and serve as grounds for revocation of the certificate.
  • After reviewing, click Next.

Download the CSR

With the CSR generated, you can now download it to send to your certificate authority of choice. 

  • Review the CSR details in the left pane to confirm that your details are correct.
  • Download your CSR:
    • To download the certificate request as a .csr file, click Download as .csr.
    • To copy the certificate request as text, click Copy as Text.
  • Click Next.

With your CSR generated, you can bring it to the certificate authority that you're purchasing the certificate from. The CA will then provide an SSL certificate which you can upload to HubSpot. It can take some time for the certificate to be provisioned, so you can continue the process later once your certificate is ready.

Click I'll continue later to exit the process. You can then later navigate back to this step once your certificate is ready.

Upload certificate

Once the certificate authority provides you with a certificate, you can upload it to HubSpot, either as a .crt file or as plain text.

If you previously exited this setup process while waiting for your certificate, navigate back to the upload step:
  • In your HubSpot account, click the settings icon in the main navigation bar.
  • In the left sidebar menu, navigate to CMS > Domains & URLs.
  • Click the Custom SSL tab.
  • At the top of the page in the Custom SSL setup banner, click Continue.

  • Click I'm ready to upload.
  • Choose the format you'll be uploading your certificate in: 
    • If the certificate authority delivered your SSL certificate as a .crt file, select Upload as .crt. Drag and drop the .crt file or click browse files to upload the certificate, then click Upload.
    • If the certificate authority delivered your SSL certificate as text, select Paste as text. Paste the text into the text box, then click Upload.

Review the certificate details

Review the certificate details to ensure that your information displays as expected. The CSR details card displays the details you submitted during the first part of this process in HubSpot. The Certificate details card displays the details of your uploaded SSL certificate. If you made any changes to the details upon submitting the CSR to your certificate authority, they'll display in the Certificate details card. 

If the certificate details are correct:
  • Click Yes.
  • On the next screen, review your full certificate details, then click Submit.
If you need to make changes to your certificate details:
  • Click No.
  • To upload a new certificate, select Upload a revised certificate. You'll need to work with the certificate authority to edit any incorrect details before you can upload to HubSpot. Click Next to navigate back to the Upload certificate step of the process.
  • To start over and generate a new CSR that you can bring to the certificate authority, click Generate a new CSR. Click Next to navigate back to the first step of the process.
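
A local pre-upload check, added here as an example and not part of HubSpot's or Cloudflare's tooling. It assumes the openssl command-line tool is installed and that the CSR and certificate are PEM files (the file names are placeholders). It confirms that the CSR key is at least 2048 bits and that the certificate returned by the CA carries the same public key as the CSR, which is the comparison the requirements above describe Cloudflare performing on its side.

```shell
#!/usr/bin/env bash
# Added example: checks to run on the downloaded CSR and on the certificate
# your CA returns, before uploading it. RSA keys are assumed, as on this page.

# Print the key size in bits recorded in a CSR.
csr_key_bits() {
  openssl req -in "$1" -noout -text |
    sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p'
}

# Succeed only if the certificate carries the same public key as the CSR,
# i.e. the CA signed this request and not an older or different one.
cert_matches_csr() {
  local csr_key crt_key
  csr_key=$(openssl req -in "$1" -noout -pubkey 2>/dev/null) || return 1
  crt_key=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
  [ -n "$csr_key" ] && [ "$csr_key" = "$crt_key" ]
}

# Succeed only if the certificate is still valid 60 days from now
# (60 days before expiry is when the page says renewal can start).
cert_outside_renewal_window() {
  openssl x509 -in "$1" -noout -checkend $((60 * 24 * 3600)) >/dev/null
}

# Run all checks on a CSR file and a certificate file.
check_before_upload() {
  local csr=$1 crt=$2 bits
  bits=$(csr_key_bits "$csr")
  # Publicly trusted CAs require RSA keys of at least 2048 bits.
  [ "${bits:-0}" -ge 2048 ] ||
    { echo "CSR key is ${bits:-unknown} bits; generate a 2048-bit CSR"; return 1; }
  cert_matches_csr "$csr" "$crt" ||
    { echo "certificate was not issued for this CSR"; return 1; }
  cert_outside_renewal_window "$crt" ||
    echo "note: certificate expires within 60 days"
  echo "OK: key is $bits bits and the certificate matches the CSR"
}

# Usage: ./check.sh request.csr issued.crt   (hypothetical file names)
if [ "$#" -eq 2 ]; then check_before_upload "$1" "$2"; fi
```
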

Processing

After submitting your SSL certificate, you'll be brought to the Custom SSL section in the Domains & URLs settings page. A banner at the top of the section will indicate the status of your custom SSL activation.  Activation may take up to four hours to complete. 

The Custom SSL table displays each certificate that's been added to your account, including:

  • Certificate: the common name domain of the certificate.
  • Expiration: the date that the certificate expires.
  • Type: the type of certificate (Single Hostname, Wildcard, or Multi-domain).
  • Status: the processing status of the certificate.
    • Pending: the certificate setup is still in progress.
    • Processing: the certificate has been uploaded and is processing.
    • Active: the certificate has been uploaded and is in use.
    • Expired: the certificate has expired and is no longer in use.
  • To view the details of a certificate, click Options next to the certificate, then select See details.
  • To delete a certificate, click Options next to the certificate, then select Delete. In the dialog box, enter the number, then click Delete.

Renew your SSL certificate

When a certificate is 60 days away from expiring, you can start the renewal process from within HubSpot. You'll also receive email notifications as the expiration date approaches, and the banner in the Custom SSL tab will display how many days are left before expiration.

  • In your HubSpot account, click the settings icon in the main navigation bar.
  • In the left sidebar menu, navigate to CMS > Domains & URLs.
  • Click the Custom SSL tab.
  • In the banner at the top of the page, click Renew.
  • Review your certificate details.
    • If you need to make any changes to the certificate, click Yes. You'll then be brought to the beginning of the custom SSL setup process where you can generate a new CSR.
    • If you don't need to make any changes, click No. You'll then be brought to the page where you can download your CSR. You can then send the new CSR to your certificate authority. Once they send you a new certificate, continue the upload process as above.

 
