How to request a certificate?
Case 1
If you have not launched a website yet, you may have received ACME Challenge CNAME from your Customer Technical Advisor (CTA). You only need an ACME challenge if you cannot immediately point your DNS to your production URL and need to get the SSL certificates created in advance.
Case 2
If your site is already live and/or you can point the URLs that will be used for your live site right away, you do not need to request an ACME CNAME. Once you add the URLs as necessary to your Adobe Commerce on cloud infrastructure site and point your DNS at Fastly, HTTP validation will work and either create your SSL certificate for the first time or update your certificate with additional URLs.
Can I use my own SSL/TLS certificate?
You can provide your own SSL/TLS certificate instead of using the Let’s Encrypt certificate provided by Adobe.
However, this process requires additional work to set up and maintain. You will first need to generate a Certificate Signing Request (CSR) for the website’s domain name (or common name) and provide it to your SSL vendor to provide an SSL certificate.
Once you have the SSL certificate, submit an Adobe Commerce Support ticket or work with your CTA to add custom-hosted certificates to your cloud environments.
- If the domains are no longer in use, they will be automatically purged from our system, and no further action is required.
- If you already own a certificate, upload it using an SFTP (SSH File Transfer Protocol) client to a web-inaccessible file location on your server and submit a support ticket letting them know the file path.
WARNINGThe files should be uploaded via SFTP to the server to a folder of your choice, e.g.,
var/ssl, /tmp/ssl, etc. - do not use any other methods like committing the files to your repository (which should only be done for immutable files that do not contain sensitive data.)The name of your certificate
The name of the SSL certificate only matters for the primary URL, and it is the primary hostname named by the first URL and must match to be validated and created. If you have a few URLs, they will be added as subject alternate name entries to the certificate. If you have several URLs pointing to one Adobe Commerce on cloud infrastructure site, you will only have one common name URL certification that will then have appended subject alternative names to secure your site with SSL.
What domain will be displayed in the Common Name field of the certificate?
The domain displayed on the certificate is just the first domain added to the TLS certificate, it populates the Common Name (CN) field, and browsers display this name first. The Subject Alternative Name (SAN) field contains all of the DNS names for the TLS certificate. There is no way to change or request the Common Name displayed.
Can I use wildcard TLS certificates?
Wildcard TLS certificates can only be used with your custom certificate and not with Adobe Commerce Let’s Encrypt certificates. As part of our TLS optimization, Adobe is ending support for wildcard TLS certificates. We are identifying and contacting merchants that use a wildcard certificate with Adobe’s Let’s Encrypt certificates and are configured in the Fastly console for Adobe Commerce. We are asking that these wildcard certificates be replaced with exact domains to ensure TLS coverage. To replace a wildcard TLS certificate, please visit the domain section of the Fastly plugin. From here, exact domains can be added, and the wildcard can be removed. Please note that DNS will need to point to Fastly for these new domains to route through the CDN. Once the domains are added and DNS is updated, a matching Let’s Encrypt certificate will be provisioned. If you don’t remove a domain that is pointing to Fastly using a wildcard, Adobe will delete the shared certificate. This may result in a site outage if you do not have the URL FQDN configured and the same URL FQDN set up in your DNS. You should therefore confirm that the URLs configured also have a one-to-one match in their DNS pointing to Fastly.