
Certificates

GjirafaTech Certificate Manager handles the complexity of creating, storing, and renewing public and private SSL/TLS X.509 certificates and keys that protect your websites and applications. It provides all of this through Let's Encrypt. You can provide certificates for your integrated CDN services either by issuing them directly through GjirafaTech or by importing third-party certificates into the GjirafaTech Certificate management system. Gjirafa certificates can secure single domain names, multiple specific domain names, wildcard domains, or combinations of these. GjirafaTech wildcard certificates can protect an unlimited number of subdomains.

Steps to follow when Requesting a Certificate

The section below summarizes the process of requesting a certificate.

To request a certificate:

  1. Sign in to GjirafaTech Captain and go to SSL Certificates under the Security section.
  2. Choose Request a certificate.
  3. On the Request certificate page, type your domain name. You can use a fully qualified domain name (FQDN), such as www.example.com, or a bare or apex domain name such as example.com. You can also use an asterisk (*) as a wildcard in the leftmost position to protect several site names in the same domain. For example, *.example.com protects corp.example.com and images.example.com. The wildcard name will appear in the Subject field in the Subject Alternative Name extension of the certificate.

    Note

  4. To add another name, choose Add another name to this certificate and type the name in the text box. This is useful for protecting both a bare or apex domain (such as example.com) and its subdomains (such as *.example.com).
  5. For the validation method, only DNS validation is available for now. Before Let's Encrypt issues a certificate, it validates that you own or control the domain names in your certificate request. If you use DNS validation, you simply add a TXT record provided by Let's Encrypt to your DNS configuration. For more information, see DNS validation below.
  6. For the certificate scope, select either project or organization. For project certificates, access is provided only to the given project, whereas for organization certificates, access is provided to all the projects within the organization.
  7. After you request the certificate, GjirafaTech will provide you with a key and a value to add to your DNS server.
  8. After you have successfully added the TXT records to your DNS server, go to the certificate details page and click on validate. GjirafaTech will then validate that you control or own the domain name.
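The wildcard and additional-name rules in the steps above can be checked before a request is submitted. The following is an added example, not GjirafaTech code: it reports which hostnames a planned set of certificate names leaves unprotected, assuming the standard TLS matching rule that `*` stands for exactly one leftmost label. The function names and the host inventory are illustrative.

```python
def labels(name):
    """Lower-case a DNS name, drop any trailing dot, split into labels."""
    return name.strip().lower().rstrip(".").split(".")


def check_cert_name(name):
    """Raise ValueError unless any '*' is the whole leftmost label."""
    first, *rest = labels(name)
    # Assumption: partial-label wildcards such as w*.example.com are rejected.
    if any("*" in label for label in rest) or ("*" in first and first != "*"):
        raise ValueError(f"{name!r}: '*' is only valid as the leftmost label")
    if not rest or not all([first, *rest]):
        raise ValueError(f"{name!r}: not a usable domain name")


def name_covers(cert_name, host):
    """True if one certificate name protects one hostname."""
    cert, target = labels(cert_name), labels(host)
    if cert[0] != "*":
        return cert == target  # exact name: must match label for label
    # Wildcard: same number of labels and an identical parent domain, so
    # *.example.com covers corp.example.com but neither example.com itself
    # nor a.corp.example.com.
    return len(target) == len(cert) and target[1:] == cert[1:]


def coverage(cert_names, hosts):
    """Map each hostname to the certificate names that cover it (may be empty)."""
    for name in cert_names:
        check_cert_name(name)
    return {h: [n for n in cert_names if name_covers(n, h)] for h in hosts}


def uncovered(cert_names, hosts):
    """Hostnames that no name in the request protects."""
    return [h for h, names in coverage(cert_names, hosts).items() if not names]


# Constructed host inventory for illustration.
HOSTS = ["example.com", "www.example.com", "corp.example.com",
         "images.example.com", "a.corp.example.com"]

if __name__ == "__main__":
    for request in (["*.example.com"], ["example.com", "*.example.com"]):
        print(request, "leaves uncovered:", uncovered(request, HOSTS))
```

The first request leaves the apex domain unprotected, which is why adding the bare name alongside the wildcard is useful.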

DNS validation

The Domain Name System (DNS) is a directory service for resources that are connected to a network. Your DNS provider maintains a database containing records that define your domain. When you choose DNS validation, GjirafaTech provides you with one or more TXT records that must be added to this database. These records contain a unique key-value pair that serves as proof that you control the domain.

For example, if you request a certificate for the example.com domain with www.example.com as an additional name, GjirafaTech creates two TXT records for you. Each record, created specifically for your domain and your account, contains a name and a value. The value is a unique key that GjirafaTech uses to automatically renew your certificate. The TXT records must be added to your DNS database only once. GjirafaTech automatically renews your certificate as long as the certificate is in use and your TXT record remains in place.

Without the need to repeat validation, you can request additional certificates for your fully qualified domain name (FQDN) for as long as the TXT record remains in place. That is, you can create replacement certificates that have the same domain name, or certificates that cover different subdomains. You can also replace a deleted certificate.

You can stop automatic renewal either by removing the certificate from the Captain service or by deleting the TXT record.

Steps to follow when Importing a Certificate

In addition to requesting SSL/TLS certificates provided by GjirafaTech, you can import certificates that you obtained outside of GjirafaTech. You might do this because you already have a certificate from a third-party issuer, or because you have application-specific requirements that are not met by GjirafaTech-issued certificates.

After you import an SSL/TLS certificate obtained outside of GjirafaTech and have associated it with services integrated with GjirafaTech, you can reimport that certificate while preserving its associations with its UUID. Multiple certificates with the same domain name can be imported, but they must be imported one at a time.

After you import a certificate, you can use it with GjirafaTech CDN. The certificates that you import work the same as those provided by GjirafaTech with one important exception: GjirafaTech does not provide managed renewal for imported certificates.

Important

You are responsible for monitoring the expiration date of your imported certificates and for renewing them before they expire.

To renew an imported certificate, you can obtain a new certificate from your certificate issuer and then import it to GjirafaTech, or you can request a new certificate from GjirafaTech.
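Because imported certificates get no managed renewal, their expiry dates need an external check. The following is an added example, not GjirafaTech code: it reads an inventory of imported certificates and flags those that are expired or due for renewal. The inventory layout (label, tab, then the `notAfter=` line printed by `openssl x509 -noout -enddate`), the 30-day threshold, and all names and dates are assumptions made for illustration.

```python
import ssl
from datetime import datetime, timezone

# Constructed sample inventory: "<label>\t<notAfter line>" per certificate.
SAMPLE_INVENTORY = (
    "cdn.example.com\tnotAfter=Mar 10 12:00:00 2025 GMT\n"
    "api.example.com\tnotAfter=Jun  1 00:00:00 2025 GMT\n"
    "old.example.com\tnotAfter=Jan  5 23:59:59 2025 GMT\n"
)


def days_left(not_after, now):
    """Whole days from `now` until the notAfter time (negative once expired)."""
    # ssl.cert_time_to_seconds parses the certificate time format as UTC.
    expires = datetime.fromtimestamp(ssl.cert_time_to_seconds(not_after),
                                     tz=timezone.utc)
    return (expires - now).days


def renewal_report(inventory, now, warn_days=30):
    """Return (label, days_left, status) tuples, most urgent first."""
    rows = []
    for line in inventory.splitlines():
        if not line.strip():
            continue
        label, _, field = line.partition("\t")
        key, _, value = field.partition("=")
        if key.strip() != "notAfter" or not value.strip():
            raise ValueError(f"unrecognised inventory line: {line!r}")
        left = days_left(value.strip(), now)
        if left < 0:
            status = "EXPIRED"
        elif left <= warn_days:
            status = "RENEW"   # inside the renewal window: re-import soon
        else:
            status = "OK"
        rows.append((label.strip(), left, status))
    return sorted(rows, key=lambda row: row[1])


if __name__ == "__main__":
    for label, left, status in renewal_report(SAMPLE_INVENTORY,
                                              datetime.now(timezone.utc)):
        print(f"{status:8} {left:5d} days  {label}")
```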