How to set up SSL for a HubSpot website

Last updated: April 19, 2017

Available For:

Marketing: Basic, Pro, Enterprise
Sales: N/A
Add-Ons: Website

SSL (Secure Sockets Layer) is a security protocol that establishes an encrypted connection between the browser and a server. In addition to the extra security measure, SSL sites (sites accessed with an https protocol) may receive a positive rankings boost from search engines. The following article describes how to enable SSL on a HubSpot-hosted domain.

Shared SSL is included as part of the HubSpot Website add-on. Alternatively, dedicated SSL or custom third-party certificates can be purchased. If you're interested in these options, please contact your Customer Success Manager. You can also learn more here.

Instructions

The process for connecting a domain to HubSpot with SSL is very similar to the standard process for taking a domain live on HubSpot, with a few additonal steps. Follow these instruction to enable SSL on a HubSpot website.

Request SSL Access

SSL is included free of charge with the Website Add-On. The number of domains on which you can enable SSL depends on your subscription type: 

Basic - can enable SSL on one domain.
Professional - can enable SSL on four domains.
Enterprise - can enable SSL on eight domains.

If you do not meet the criteria for SSL, you can request access by contacting your Customer Success Manager. You'll be notified when you have access and you can then follow the steps in this article to set it up.

Navigate to Domain Manager

To access the Domain Manager, navigate to Content > Content Settings.

Navigate to Content Settings

Click Domain Manager from the Content Optimization System Tools section of the sidebar navigation.

Domain Manager

Add the domain that you would like to connect

Click Connect another HubSpot COS domain.

Connect-Another-Domain.png

Enter the subdomain that you would like to connect to HubSpot. For each secure domain you connect, a separate SSL provisioning process is required. So if you add three domains, that will require three separate provisioning processes. 


Please note that SSL support for apex domains (i.e. http://example.com) is not supported by HubSpot. Any domains connected to HubSpot must include a subdomain, such as www. or blog.
Domain-to-connect.png

Choose content types

Choose the content types that you will be hosting on this secure domain. Alternatively, you can choose to redirect this domain to another connected domain. Please note that, depending on which subscription level of HubSpot you have purchased, there are limitations to the amount of subdomains on which you can host your content.

Content-to-connect.png
To prevent any downtime while setting up SSL, we highly recommend connecting your domain to HubSpot first.

Enable SSL option

Under the SSL column, click the Enable SSL link for your domain. Please note that you will only see this option if you have the Website add-on or have purchased standalone SSL.

HubSpot Help article screenshot

Confirm enable SSL

You will be prompted to begin the provisioning process. SSL provisioning requires the generation of a certificate as well as verification of domain ownership. If you are ready to begin the provisioning process, click Enable SSL.

Enable-SSL-Confirmation

You should see a confirmation prompt that the provisioning process is in progress. HubSpot will also send you a confirmation email that the process has been started. 

SSL-2-step-verification.png
PLEASE NOTE: If you are enabling SSL on a domain that is already connected to your HubSpot COS website, you will not need to go through the email validation process (as indicated in the screenshot above). Once the progress tracker at the top of the Domain Manager indicates that you can update your CNAME, you can skip steps 4-7 of this article and continue with step 8. Click here to skip straight to step 8: "Copy SSL CNAME."

Validate your domain

An email will be sent to all administrators in your account with next steps. After adding the domain, you have 7 days to validate your domain to prove ownership to the certificate authority. You should see an option to validate your domain in the progress tracker at the top of Domain Manager.

Next, you'll want to setup a redirect link to validate your domain.

Redirect

To validate your domain using a redirect link, you will need to copy the first URL that HubSpot lists and redirect it to the second URL that HubSpot lists. 

Depending on the CMS that your current site uses, the process for setting up the redirect will vary. For example, if your site is built on Wordpress, you can use one of Wordpress's redirect plugins to create the redirect from the source URL to the destination URL. 

Once the redirect has been set up, HubSpot will email you, when the certificate authority has verified your identity by testing the redirect. This verification can take up to 48 hours from when the redirect is implemented.

Return to Domain Manager

Once you have verified your domain with the certificate authority (you will receive a confirmation email from HubSpot), navigate back to Domain Manager. You should see a notice that the progress tracker toward the top is now telling you to update your the CNAME record for your certified domain. Click Update CNAME to move forward in this process.

Copy SSL CNAME

Copy the CNAME. CNAMEs for SSL domains include the word "secure".

Update CNAME within your nameserver host

Log in to your nameserver host, access the DNS zone file, and edit the CNAME record for the subdomain that you are connecting to HubSpot. You can learn more about this process here, or you can read instructions on updating DNS for various popular registrars

If you are hosting your entire website with HubSpot, you will need to set up a 301 redirect from the non-www domain to the www subdomain. If your DNS provider does not provide a 301 redirect, please reach out to our Support team and they can help you with a solution.

SSL-DNS.png
After your CNAME is fully propagating, it may take a few hours for your domain to resolve over HTTPS. This is normal - there will be no downtime.

Verify domain is connected

Return to Domain Manager within 24-48 hours once the CNAME update has propagated. You should see a confirmation message that SSL has been successfully configured for that domain, as well as SSL Enabled next to the domain. You can also check the propagation of your CNAME update by using an external tool like whatsmydns.net.

Review your site for any mixed-content warnings. If your site is loading any assets from external non-secure domains, these resources may be blocked by the browser. You can learn more about resolving mixed-content warnings, here.

Please note that continuing to the next step in this process before your new CNAME has fully propagated could result in your website visitors seeing a security warning in some browsers.

Require HTTPS

It is initally recommended that you leave the Require HTTPS option turned offAfter connecting and testing your SSL domain, validating that the propagation of CNAME changes have completed, and resolving any mixed-content issues, you should then enable Require HTTPS.

To turn on the Require HTTPS option, click Edit to the right of your SSL-enabled domain, check the box for Require HTTPS, and click Save changes. 

The Require HTTPS setting ensures that your site can only be accessed using the HTTPS protocol. HubSpot automatically redirects any traffic made over insecure HTTP connections to HTTPS.

Require HTTPS

Previous article:

Measuring Your Performance Project

Next article: