eCDN Automatic Certificates

Embedded CDN (eCDN) automated certificates allow you to serve storefront traffic over HTTPS without managing certificates yourself.

This guide covers how to enable it on new and existing hostnames as well as legacy eCDN zones using the CDN Zones API.

You can also manage automated certificates in Business Manager. For more information, see Add Managed SSL Certificates.

  1. Familiarize yourself with Authorization for Admin APIs
  2. You must have an Account Manager API Client with the scope sfcc.cdn-zones.rw.
  3. You must have an existing proxy zone associated with the hostname you'd like to use.
  4. The zone must be a proxy zone. Automatic certificates are not supported by legacy zones; if you have a legacy zone, first migrate to a proxy zone.
  5. You must know the zone ID of the proxy zone to be used with automatic certificates. To get this info, use getZonesInfo.

To use an automated certificate with an existing hostname that is associated with a custom certificate, look up its certificate ID with getCertificates. Next, call updateCertificate:

This call replaces the existing custom certificate with an automated certificate without downtime.

Let's review the data provided in the request body.

The value of hostname is the domain you'd like to use with the automated certificate. certificateType must be set to automatic. Finally, certificateAuthority controls which certificate authority is used to issue the certificate. The value must be either lets_encrypt or google. The choice of providers is up to you.

To use an automated certificate with a new hostname, follow the instructions to configure eCDN. Rather than adding a certificate through Business Manager, call addCertificateForZone:

Automatic certificates are not available for legacy zones.

A zone is a legacy zone if its name does not end in cc-ecdn.net.

For more information on proxy and legacy zones, review this article.

To use automatic certificates, you must first migrate to proxy zones.

To migrate to a proxy zone:

  1. Create the storefront zones with createStorefrontZone.
  2. Copy required settings from your legacy zones to the proxy zones.
  3. Request an automatic certificate with addCertificateForZone.
  4. Perform a DNS cutover by updating your storefront's DNS records.

First, create your storefront zone:

You must create the storefront zone for both your prd and dev organization IDs to continue to manage your zones in Business Manager.

Second, copy any required settings from your legacy zones using createFirewallRule, updateSpeedSettings and updateSecuritySettings.

Third, request an automatic certificate with addCertificateForZone:

Finally, perform a DNS cutover by updating your storefront's DNS records. Get the DNS CNAME record value from the name property of the getZonesInfo response.

Refer to the following sections for additional use case information.

You can update an automatic certificate to a custom certificate using updateCertificate.

In a stacking configuration, certificate renewals require validation, just as when certificates are initially requested. When traffic is flowing through eCDN, validation is done using HTTP by serving records from the eCDN edge automatically without any user intervention.

In a stacking scenario where regular store traffic flows through the stacked configuration, some stacked service configurations don’t pass the validation records along correctly. In that case, the validation method used for initial issuance doesn’t matter: Salesforce doesn’t control your DNS and can’t automatically place a new TXT record, so the only means of automated validation is HTTP validation.

For HTTP validation to complete, eCDN must serve a validation value for a URI matching this pattern:

This check is completed over HTTP, not HTTPS. Confirm the URI is available over HTTP.

When using eCDN-managed certificates with a third-party CDN stacked on top, TXT record validation is required every three months because of the certificate's automatic renewal cycle. Without domain control validation (DCV) delegation, TXT record updates are required every 2–3 months. DCV delegation automates the TXT verification and is helpful if you're experiencing issues with HTTP validation. If needed, contact support for a DCV delegation UUID to include in your DNS record.

Automatic certificates can't be used with certificate pinning, because the certificate may be replaced at any time.

There are two choices of validation for automated certificates: HTTP and DNS.

HTTP validation is used by default and is the right choice in most cases.

Where a short issuance delay is not acceptable, use DNS validation by setting the certificateValidation request property to txt:

Use the customHostnameVerificationTXTName and customHostnameVerificationTXTValue properties of the getCertificates response to create your validation DNS TXT record.

You can change a certificate's validation type using updateCertificate.
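
As an added example (not Salesforce's own code or SDK), the following Python helpers build the request body described above for updateCertificate and addCertificateForZone, check whether a zone name is a legacy zone, and turn the TXT properties of a getCertificates entry into a DNS record. The BIND-style record format and the 300-second TTL are my assumptions; the HTTP call to the API itself is left out.

```python
"""Request-body and validation helpers for the CDN Zones API calls above.

Added example; not Salesforce's code or SDK. Field names and values come
from the documentation; record format and TTL are assumptions.
"""

CERTIFICATE_AUTHORITIES = {"lets_encrypt", "google"}  # the only CAs offered


def build_automatic_certificate_request(hostname, certificate_authority,
                                        dns_validation=False):
    """Build the JSON body for addCertificateForZone / updateCertificate.

    Rejects bad input locally so a malformed request never reaches the API.
    """
    hostname = hostname.strip().lower().rstrip(".")
    if not hostname or any(ch in hostname for ch in " /:@"):
        raise ValueError(f"hostname must be a bare domain name, got {hostname!r}")
    if certificate_authority not in CERTIFICATE_AUTHORITIES:
        raise ValueError(f"certificateAuthority must be one of "
                         f"{sorted(CERTIFICATE_AUTHORITIES)}, got {certificate_authority!r}")
    body = {
        "hostname": hostname,
        "certificateType": "automatic",
        "certificateAuthority": certificate_authority,
    }
    if dns_validation:
        # Omitted means the default (HTTP) validation; set "txt" only when
        # the short issuance delay of HTTP validation is not acceptable.
        body["certificateValidation"] = "txt"
    return body


def is_legacy_zone(zone_name):
    """Legacy zones get no automatic certificates; proxy zones end in cc-ecdn.net."""
    return not zone_name.strip().lower().rstrip(".").endswith(".cc-ecdn.net")


def dns_txt_record_from_certificate(certificate):
    """BIND-style TXT record for one getCertificates entry, or None if the
    entry carries no customHostnameVerificationTXT* properties (HTTP validation)."""
    name = certificate.get("customHostnameVerificationTXTName")
    value = certificate.get("customHostnameVerificationTXTValue")
    if not name or not value:
        return None
    # Escape the two characters that are special inside a quoted TXT string.
    escaped = value.replace("\\", "\\\\").replace('"', '\\"')
    return f'{name.rstrip(".")}. 300 IN TXT "{escaped}"'
```

Run is_legacy_zone on the zone name before requesting a certificate; a legacy zone must be migrated to a proxy zone first, as described above.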

  • Automated certificates are only available for proxy zones.
  • You can request up to five hundred automated certificates per zone.
  • Automated certificates are only available from Let's Encrypt and Google certificate authorities. To use a different certificate authority or a certificate with extended validation, use custom certificates.
  • When you use the CDN zones API to create a proxy zone for your development instance for sites already existing in a legacy zone, the proxy zone can only be managed via the API. The proxy zone is not visible in Business Manager due to this known issue.