Multi Brand & SSL
We are in the middle of creating a second Brand (importing from an existing Zendesk instance), and I am trying to wrap my head around the different options regarding SSL. The two Brands will use entirely separate domains (i.e. one is not a sub-domain of the other).
It looks like our options are:
- Regenerate the certificate to include both domains
- Leave the certificate as is, meaning hosted SSL won't work on the new Brand
For the first option, I'm pretty sure that regenerating my certificate will invalidate the old certificate, meaning that I will have to update the certificate everywhere it is used (which is a lot of places!). That's not mentioned in the multibrand document:
https://support.zendesk.com/hc/en-us/articles/204108983
I know it's not really something you are obliged to give instructions on as people should be expected to manage their own certificates, but it's probably going to help people not make mistakes.
For the second option, I am assuming the host mapping will work, from this statement in the same article:
"If you do not regenerate your certificate, host mapping will work, but the brand will not be protected."
As there is no SSL involved with this method, it will essentially be a plain CNAME redirect and the user will not receive any warnings.
Can someone confirm that I have all of that right? Just want to make sure I get what I am expecting when I try to finalize the migration.
-
Hey, Peter -
You have this pretty much right on. Regenerating the cert has consequences, certainly, and it's not optimal, but it was the best option we could support on short notice. We're working on another, better solution, but I can't get too detailed about that yet.
Option two won't involve any warnings because there won't be a certificate failure. It would be the same as being redirected to any http page. There may be certain security settings on different browsers that recognize that kind of thing, but I'm not personally aware of them.
-
Is a better solution coming soon? We support 2 very different products via the same team and having a multi-site cert host the support portals of both is highly undesirable since it shows they are connected.
-
We recently released new SSL certificate functionality which may help here. You can now obtain a free cert from Zendesk using Zendesk-provisioned SSL, which will automatically cover brands as they are added. You might consider switching to this new feature. It would require a one-time transition but then new brands would be included.
-
Wait a minute... so I just spent $500/month extra to "upgrade" for multi-brand support and you can't even support separate SSL certificates per brand?
This feature is useless without that. When will it be available? This is really unacceptable.
-
Hey Jim! Sorry for the delayed response here!
I see you were able to get assistance with this in a ticket; I'm going to paste Garrick's response here in case anyone else runs into the same issue.
"While we only support the upload of a single SSL certificate to cover all your brands, this can be accomplished by listing each brand's hostmapped URL (e.g. support.yourdomain.com) in the Subject Alternative Name of the certificate, and we support both IP-based and SNI-based certificates for upload.
You're certainly welcome to request and upload your own certificate, but there's an excellent free option within Zendesk using our Zendesk-provisioned SSL certificate. To set up you'd simply:
- browse to https://yourdomain.zendesk.com/agent/admin/security
- click 'replace certificate'
- check the checkbox to enable Zendesk-provisioned SSL
- Click 'Save'
This will instantly request and issue an SNI-based SSL certificate from the Let's Encrypt certificate authority which will cover all your brands and will be served immediately. It's completely free, covers all your brands, and Zendesk will automatically renew it on your behalf upon expiration, so that's one less thing you have to remember to maintain."
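A check for the single-certificate setup discussed in this thread, added here as an example (it is not code from Zendesk or from any poster): given a certificate in the dictionary shape Python's `ssl` module returns, it reports whether each brand's host-mapped name is covered by the Subject Alternative Name list and which other names a visitor to that brand can read from the same certificate. The hostnames, the sample certificate and all function names are constructed for illustration.

```python
import socket
import ssl

def san_dns_names(cert):
    """DNS entries from a certificate dict in the shape getpeercert() returns."""
    return [v.lower() for k, v in cert.get("subjectAltName", ()) if k == "DNS"]

def san_matches(pattern, host):
    """Exact match, or a wildcard that covers exactly one leftmost label."""
    pattern, host = pattern.lower(), host.lower().rstrip(".")
    if pattern.startswith("*."):
        head, _, rest = host.partition(".")
        return bool(head) and rest == pattern[2:]
    return pattern == host

def audit_brands(cert, brand_hosts):
    """Per brand host: is it covered, and which other SAN names are exposed?"""
    names = san_dns_names(cert)
    report = {}
    for host in brand_hosts:
        covering = [n for n in names if san_matches(n, host)]
        report[host] = {
            "covered": bool(covering),
            "also_visible": sorted(n for n in names if n not in covering),
        }
    return report

def fetch_cert(host, port=443, timeout=5):
    """Fetch the certificate a live server presents for `host` via SNI.
    Raises ssl.SSLCertVerificationError if the name is not covered."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()

# Constructed sample: a certificate issued before the second brand was added.
SAMPLE_CERT = {
    "subjectAltName": (("DNS", "support.brand-one.example"),
                       ("DNS", "*.brand-one.example")),
}
SAMPLE_BRANDS = ["support.brand-one.example", "help.brand-two.example"]

if __name__ == "__main__":
    for host, result in audit_brands(SAMPLE_CERT, SAMPLE_BRANDS).items():
        print(host, result)
```

To run it against a live help center, pass `fetch_cert("your-host-mapped-name")` to `audit_brands` in place of `SAMPLE_CERT`.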