Add a custom SSL certificate to your account

When you connect a domain, HubSpot automatically provisions a standard SAN SSL certificate through Google Trust Services. If you prefer to use a different certificate authority or certificate type, buy the custom SSL add-on and add custom SSL certificates to your account. 

Before you get started

Before adding a custom SSL certificate, review the following requirements and considerations.

Understand requirements

• The custom SSL add-on must be bought before adding a certificate.
• HubSpot isn't a certificate authority and doesn't issue SSL certificates. Buy an SSL certificate separately from a certificate authority. 
• A new Certificate Signing Request (CSR) must be generated in HubSpot. For security reasons, existing custom SSL certificates can't be reused. 
• A domain must be connected to your account before adding a certificate.

Understand limitations & considerations

• Cloudflare generates the private key and CSR during setup. The private key is not shared with HubSpot or third parties.
• Customers are responsible for submitting the CSR to the certificate authority and completing validation. 
• Certificates must be licensed for unlimited server volume.
• Certificate activation can take up to four hours after submission. 

Types of custom SSL certificates

Before buying the HubSpot custom SSL certificate add-on, decide the proper certificate type and validation level.

Certificate types

The certificate type depends on the domains being secured:

• Single hostname: applies to one subdomain (e.g., www.yourwebsite.com).
• Wildcard: applies to one domain (e.g., yourwebsite.com) and unlimited subdomains (e.g., www, blog, info). 
• Multi-domain: applies to up to 99 domains (e.g., yourwebsite.com, yourblog.com, etc.). 

Validation types

• Domain validated (DV): the certificate authority (CA) validates the certificate using only the domain name. This is the most common type of validation, and is what HubSpot uses for its default SSL certificates.
• Organization validated (OV): the CA validates the certificate by verifying the business that's requesting the certificate. This requires more validation than DV certificates, but offers another layer of trust.
• Extended validation (EV): the CA validates the certificate through a series of additional documents and authorizations. This is the highest level of trust and requires several steps to complete validation. 

Learn more about the types of certificates and validations that are available. After selecting the certificate and validation type, continue with setup in HubSpot.

Add a custom certificate

The setup process includes generating a CSR, submitting it to the certificate authority, and uploading the issued certificate. 

1. In your HubSpot account, click the settings settings icon in the top navigation bar.
2. In the left sidebar menu, navigate to Content > Domains & URLs.
3. Click the Custom SSL tab.
4. Click Add a Custom SSL certificate to add a custom certificate. If you haven't yet purchased the add-on, you'll be guided through the purchase process. 
5. In the dialog box, select the type of SSL certificate you'll be using. Then click Add certificate.
   
   
   

Generate the CSR

Complete the CSR details in HubSpot before requesting the certificate from the certificate authority. 

1. Click the Select a domain dropdown menu and select a domain. For multi-domain certificates, add additional domains separated by commas.

2. Click Next.
3. Click the Key length dropdown menu and select a key length. It is recommended to select 1024 or 2048.
4. Click the Country code dropdown menu and select your country code. This will be the country code that appears on your certificate.
5. Enter your State or province name, City, Company name, and Department, in the relevant fields. These details will appear on your certificate. 

Please note: if your country does not use states or provinces, re-enter your city name in the State/Province field.

6. Review the requirements for your custom SSL certificate:
   
   • In the third party SSL process, Cloudflare generates the private key and CSR used for the creation of the certificate. The private key isn't shared with HubSpot or any third parties.
   • Customers assume full responsibility for submitting the CSR to the certificate authority.
   • Prior to certificate expiration, HubSpot will notify the customer and extend a CSR to them for signing. The customer is responsible for the subsequent renewal of the third party certificate per the same provisioning process originally followed. 
   • Customers must buy their certificate with unlimited server volume terms. Failure to properly license a certificate for Cloudflare's server volume may constitute license infringement with the issuing certificate authority and serve as grounds for revocation of the certificate
7. Click Next.

Download the CSR

After the CSR is generated, download it to send to your certificate authority. 

1. Review the CSR details.
2. To download the certificate request as a .csr file, click Download as .csr.
3. To copy the certificate request as text, click Copy as Text.
4. Submit the CSR to your certificate authority. It can take some time for the certificate to be provisioned. To exit and resume later, click I'll continue later.
5. After receiving the certificate, return to HubSpot to upload it.

Upload the certificate

After receiving the certificate from the certificate authority (CA), upload the file to HubSpot as a .crt file or as plain text. 

1. In your HubSpot account, click the settings settings icon in the top navigation bar.
2. In the left sidebar menu, navigate to Content > Domains & URLs.
3. Click the Custom SSL tab.
4. At the top of the page in the Custom SSL setup banner, click Continue. 
5. Click I'm ready to upload.
6. Select the upload format: 
   • Upload as .crt: select this option if the certificate authority has delivered your SSL certificate as a .crt file. 
   • Paste as text: select this option if the certificate authority has delivered your SSL certificate as text. 

Review the certificate details

Review the certificate details to ensure that your information displays as expected. The CSR details card displays the details you submitted during the first part of this process in HubSpot. The Certificate details card displays the details of your uploaded SSL certificate. If you changed the details when you sent the CSR to your certificate authority, they'll show on the Certificate details card. 

1. Click Yes.
2. On the next screen, review your full certificate details, then click Submit. 

If you need to make changes to your certificate details:

1. Click No.
2. To upload a new certificate, select Upload a revised certificate. You'll need to work with the certificate authority to edit any incorrect details before you can upload to HubSpot. Click Next to navigate back to the Upload certificate step of the process.
3. To start over and generate a new CSR that you can bring to the certificate authority, click Generate a new CSR. Click Next to navigate back to the first step of the process.

Processing

After submitting your SSL certificate, you'll be brought to the Custom SSL tab on the Domains & URLs settings page. A banner will indicate the status of your custom SSL activation at the top of the page. Activation may take up to four hours to complete. 

1. In your HubSpot account, click the settings settings icon in the top navigation bar.
2. In the left sidebar menu, navigate to Content > Domains & URLs.
3. Click the Custom SSL tab.
4. The Custom SSL table displays each certificate that's been added to your account, including:

   • Certificate: the common name domain of the certificate.

   • Expiration: the date that the certificate expires.

   • Type: the type of certificate (Single Hostname, Wildcard, or Multi-domain).

   • Status: the processing status of the certificate.

     • Pending: the certificate setup is still in progress.

     • Processing: the certificate has been uploaded and is processing.

     • Active: the certificate has been uploaded and is in use.

     • Expired: the certificate has expired and is no longer in use.

5. To view the details of a certificate, click Options next to the certificate, then select See details.
6. To delete a certificate, click Options next to the certificate, then select Delete. In the dialog box, enter the number, then click Delete.

Renew an SSL certificate

1. In your HubSpot account, click the settings settings icon in the top navigation bar.
2. In the left sidebar menu, navigate to Content > Domains & URLs.
3. Click the Custom SSL tab.
4. In the banner at the top of the page, click Renew.
5. Review your certificate details.
   • If you need to make any changes to the certificate, click Yes. You'll then be brought to the beginning of the custom SSL setup process where you can generate a new CSR.
   • If you don't need to make any changes, click No. You'll then be brought to the page where you can download your CSR. You can then send the new CSR to your certificate authority. Once they send you a new certificate, continue the upload process as above.