Shared SSL is included as part of the HubSpot Website add-on. Alternatively, dedicated SSL or custom third-party certificates can be purchased. If you're interested in these options, please contact your Customer Success Manager. You can also learn more here.
Instructions
The process for connecting a domain to HubSpot with SSL is very similar to the standard process for taking a domain live on HubSpot, with a few additional steps. Follow these instructions to enable SSL on a HubSpot website.
Request SSL Access
SSL is included free of charge with the Website Add-On. The number of domains on which you can enable SSL depends on your subscription type:
Basic - can enable SSL on one domain.
Professional - can enable SSL on four domains.
Enterprise - can enable SSL on eight domains.
If you do not meet the criteria for SSL, you can request access by contacting your Customer Success Manager. You'll be notified when you have access and you can then follow the steps in this article to set it up.
Navigate to Domain Manager
To access the Domain Manager, navigate to Content > Content Settings.
Click Domain Manager from the Content Optimization System Tools section of the sidebar navigation.
Add the domain that you would like to connect
Click Connect another HubSpot COS domain.
Enter the subdomain that you would like to connect to HubSpot. For each secure domain you connect, a separate SSL provisioning process is required. So if you add three domains, that will require three separate provisioning processes.
Choose content types
Choose the content types that you will be hosting on this secure domain. Alternatively, you can choose to redirect this domain to another connected domain. Please note that, depending on which subscription level of HubSpot you have purchased, there are limitations to the number of subdomains on which you can host your content.
Enable SSL option
Under the SSL column, click the Enable SSL link for your domain. Please note that you will only see this option if you have the Website add-on or have purchased standalone SSL.
Confirm enable SSL
You will be prompted to begin the provisioning process. SSL provisioning requires the generation of a certificate as well as verification of domain ownership. If you are ready to begin the provisioning process, click Enable SSL.
You should see a confirmation prompt that the provisioning process is in progress. HubSpot will also send you a confirmation email that the process has been started.
Validate your domain
An email will be sent to all administrators in your account with next steps. After adding the domain, you have 7 days to validate your domain to prove ownership to the certificate authority. You should see an option to validate your domain in the progress tracker at the top of Domain Manager.
Next, you'll want to set up a redirect link to validate your domain.
To validate your domain using a redirect link, you will need to copy the first URL that HubSpot lists and redirect it to the second URL that HubSpot lists.
Depending on the CMS that your current site uses, the process for setting up the redirect will vary. For example, if your site is built on WordPress, you can use one of WordPress's redirect plugins to create the redirect from the source URL to the destination URL.
Once the redirect has been set up, HubSpot will email you when the certificate authority has verified your identity by testing the redirect. This verification can take up to 48 hours from when the redirect is implemented.
Return to Domain Manager
Once you have verified your domain with the certificate authority (you will receive a confirmation email from HubSpot), navigate back to Domain Manager. You should see that the progress tracker toward the top is now telling you to update the CNAME record for your certified domain. Click Update CNAME to move forward in this process.
Copy SSL CNAME
Copy the CNAME. CNAMEs for SSL domains include the word "secure".
Update CNAME within your nameserver host
Log in to your nameserver host, access the DNS zone file, and edit the CNAME record for the subdomain that you are connecting to HubSpot. You can learn more about this process here, or you can read instructions on updating DNS for various popular registrars.
If you are hosting your entire website with HubSpot, you will need to set up a 301 redirect from the non-www domain to the www subdomain. If your DNS provider does not provide a 301 redirect, please reach out to our Support team and they can help you with a solution.
Verify domain is connected
Return to Domain Manager within 24-48 hours once the CNAME update has propagated. You should see a confirmation message that SSL has been successfully configured for that domain, as well as SSL Enabled next to the domain. You can also check the propagation of your CNAME update by using an external tool like whatsmydns.net.
Review your site for any mixed-content warnings. If your site is loading any assets from external non-secure domains, these resources may be blocked by the browser. You can learn more about resolving mixed-content warnings here.
Please note that continuing to the next step in this process before your new CNAME has fully propagated could result in your website visitors seeing a security warning in some browsers.
It is initially recommended that you leave the Require HTTPS option turned off. After connecting and testing your SSL domain, validating that the propagation of CNAME changes has completed, and resolving any mixed-content issues, you should then enable Require HTTPS.
To turn on the Require HTTPS option, click Edit to the right of your SSL-enabled domain, check the box for Require HTTPS, and click Save changes.
The Require HTTPS setting ensures that your site can only be accessed using the HTTPS protocol. HubSpot automatically redirects any traffic made over insecure HTTP connections to HTTPS.
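The mixed-content review that precedes turning on Require HTTPS can be scripted against a page's HTML. The following Python is an added example, not HubSpot tooling: the function names, the sample page and the example.* hosts are constructed, and the active/passive split reflects general browser behaviour rather than anything stated in this article.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

ACTIVE_TAGS = {"script", "iframe", "embed", "object"}  # blocked by browsers on HTTPS pages
PASSIVE_TAGS = {"img", "audio", "video", "source"}     # browsers warn or upgrade the request

class MixedContentFinder(HTMLParser):
    """Collect subresource URLs that would load over http:// on an HTTPS page."""
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []  # (severity, tag, absolute URL)

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "link":
            rels = (a.get("rel") or "").lower().split()
            # Only stylesheets are fetched and applied; rel=canonical is not.
            self._check("active", tag, a.get("href") if "stylesheet" in rels else None)
        elif tag in ACTIVE_TAGS:
            self._check("active", tag, a.get("data") if tag == "object" else a.get("src"))
        elif tag in PASSIVE_TAGS:
            self._check("passive", tag, a.get("src"))
        # <a href> is navigation, not a subresource, so it is ignored.

    def _check(self, severity, tag, url):
        if not url:
            return
        absolute = urljoin(self.page_url, url.strip())  # resolves relative and // URLs
        if urlsplit(absolute).scheme == "http":
            self.findings.append((severity, tag, absolute))

def find_mixed_content(html, page_url):
    finder = MixedContentFinder(page_url)
    finder.feed(html)
    return finder.findings

# Constructed sample page; www.example.com stands in for the SSL-enabled domain.
SAMPLE = """<html><head>
<link rel="stylesheet" href="http://cdn.example.net/site.css">
<link rel="canonical" href="http://www.example.com/">
<script src="//cdn.example.net/app.js"></script></head><body>
<img src="http://images.example.org/logo.png"><img src="/local/banner.png">
<a href="http://partner.example.org/">Partner</a>
<iframe src="http://video.example.org/embed/1"></iframe></body></html>"""

if __name__ == "__main__":
    for severity, tag, url in find_mixed_content(SAMPLE, "https://www.example.com/"):
        print(f"{severity:8} <{tag}> {url}")
```

Protocol-relative (`//host/path`) and site-relative URLs inherit the page's scheme, so they are reported only when the page itself is scanned at its `http://` address.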