Become a HubSpot power user — join us for HubSpot Training Day 2017.

How to set up SSL for a HubSpot website

Last updated: September 11, 2017

Available For:

Marketing: Basic, Pro, Enterprise
Sales: N/A
Add-Ons: Website

SSL (Secure Sockets Layer) is a security protocol that establishes an encrypted connection between the browser and a server. In addition to the extra security measure, SSL sites (sites accessed with an https protocol) may receive a positive rankings boost from search engines. The following article describes how to enable SSL on a HubSpot-hosted domain.

Shared SSL is included as part of the HubSpot Website add-on. Alternatively, dedicated SSL or custom third-party certificates can be purchased. If you're interested in these options, please contact your Customer Success Manager. You can also learn more here.


The process for connecting a domain to HubSpot with SSL is very similar to the standard process for taking a domain live on HubSpot, with a few additonal steps. Follow these instruction to enable SSL on a HubSpot website.

Request SSL access

SSL is included free of charge with the website add-on. The number of domains on which you can enable SSL depends on your subscription type: 

  • Basic - can enable SSL on one domain
  • Professional - can enable SSL on four domains
  • Enterprise - can enable SSL on eight domains

If you do not meet the criteria for SSL, you can request access by contacting your Customer Success Manager. You'll be notified when you have access and you can then follow the steps in this article to set it up.

Navigate to your domain manager

To access your domain manager, navigate to Content > Content Settings.

Navigate to Content Settings

Click Domain Manager from the Content Optimization System Tools section of the sidebar navigation.

Domain Manager

Add the domain that you would like to connect

Under HubSpot COS Domains, click Connect domain.


Enter the subdomain that you would like to connect to HubSpot. For each secure domain you connect, a separate SSL provisioning process is required. So if you add three domains, that will require three separate provisioning processes. 

Please note that SSL support for apex domains (i.e. is not supported by HubSpot. Any domains connected to HubSpot must include a subdomain, such as www. or blog.

Choose content types

Choose the content types that you will be hosting on this secure domain. Alternatively, you can choose to redirect this domain to another connected domain. Please note that, depending on which subscription level of HubSpot you have purchased, there are limitations to the amount of subdomains on which you can host your content.

To prevent any downtime while setting up SSL, we highly recommend connecting your domain to HubSpot first.

Enable SSL option

Under the SSL column, click the Enable SSL link for your domain. Please note that you will only see this option if you have the website add-on or have purchased standalone SSL.

HubSpot Help article screenshot

Confirm enable SSL

You will be prompted to begin the provisioning process. SSL provisioning requires the generation of a certificate as well as verification of domain ownership. If you are ready to begin the provisioning process, click Yes.


You'll now see a confirmation that the provisioning process is in progress. Click Email me when it's ready to be notified when your secure CNAME has been prepared. 


Return to your domain manager

You will receive an email letting you know that a CNAME has been created for your domain. Once you receive this email and validate your domain if necessary (see note below), navigate back to your domain manager. Click Update CNAME next to your domain to move forward in this process.

Please note: if you are adding a domain to HubSpot that was previously hosted elsewhere with SSL enabled, you will need to validate your domain. Follow the process here before completing this step. 


In the dialog box, you will see the CNAME that has been generated for your domain. Click Copy to copy the CNAME value to your clipboard. 

Update CNAME within your nameserver host

Log in to your nameserver host, access the DNS zone file, and edit the CNAME record for the subdomain that you are connecting to HubSpot. You can learn more about this process here, or you can read instructions on updating DNS for various popular registrars

If you are hosting your entire website with HubSpot, you will need to set up a 301 redirect from the non-www domain to the www subdomain. If your DNS provider does not provide a 301 redirect, please reach out to our Support team, and they can help you with a solution.

After your CNAME is fully propagating, it may take a few hours for your domain to resolve over HTTPS. This is normal and there will be no downtime.

Verify domain is connected

Return to Domain Manager within 24-48 hours once the CNAME update has propagated. You should see a confirmation message that SSL has been successfully configured for that domain, as well as SSL Enabled next to the domain. You can also check the propagation of your CNAME update by using an external tool like

Review your site for any mixed-content warnings. If your site is loading any assets from external non-secure domains, these resources may be blocked by the browser. You can learn more about resolving mixed-content warnings here.

Please note that continuing to the next step in this process before your new CNAME has fully propagated could result in your website visitors seeing a security warning in some browsers.

Require HTTPS

It is initially recommended that you leave the Require HTTPS option turned offAfter connecting and testing your SSL domain, validating that the propagation of CNAME changes have completed, and resolving any mixed-content issues, you should then enable Require HTTPS.

To turn on the Require HTTPS option, click Edit to the right of your SSL-enabled domain, check the box for Require HTTPS, and click Save changes. 

The Require HTTPS setting ensures that your site can only be accessed using the HTTPS protocol. HubSpot automatically redirects any traffic made over insecure HTTP connections to HTTPS.

Require HTTPS

Was this article helpful?

Previous article:

Measuring Your Performance Project

Next article: