- Product: Cross-Product
- Relevant for Installation Type: Multi-Tenant Direct, Dedicated-Direct, Total Care
In order to use a private domain name on a hosted server, Ex Libris needs to upload a certificate to the hosted environment. This certificate needs to be issued to the private Domain Name Server (DNS) and signed by a recognized Certificate Authority (CA). At the present time, in order to obtain the signed certificate, ExLibris provides the customer with a Certificate Signing Request (CSR) and the customer returns a signed certificate to be uploaded.
The type of certificate that needs to be purchased varies by product, environment setup, and customer preference; if you are not certain what kind of certificate is required, please mention that when creating the case.
The CSR is mainly required for the initial setup of custom domains on Ex Libris hosted environments, for Renewal of existing setups you will be notified by Ex Libris that your certificate is about to expire. The notification will include the necessary steps required. Please refer to the RENEWAL section below.
What is a CSR?
A CSR is a message sent from an applicant to a Certificate Authority in order to apply for a digital identity certificate. The CSR is produced from a public key together with identifying information from the applicant and is derived from a generated private key. The private key is not moved from the hosted environment and remains protected at all times.
Certificate production process:
- A request is received by ExLibris to use a custom domain name on a hosted environment via SSL.
- ExLibris staff will request identifying information from the customer to be used in the creation of the CSR.
- ExLibris will generate the CSR and provide it to the customer.
- The customer will pass the CSR to a certificate authority such as GoDaddy, GeoTrust, etc., with a request to receive a signed certificate.
Please verify that the certificate has SHA2 encryption or higher.
- The Customer will then pass the signed certificate to ExLibris to be uploaded to the hosted environment.
- Customer need to add the DNS entry of the new host name as a CNAME.
The "Time to Live" (TTL) should be configured to no more than 5 minutes
Details required to generate the CSR
To generate the CSR, ExLibris will require the following information from the customer:
- Common Name: The fully-qualified domain name (FQDN), host name, or URL to apply to the certificate. (This URL should have a CNAME pointing to the environment’s domain name)
- Organization: The name under which the customer’s organization is legally registered
- Division: To differentiate between divisions within an organization
- Locality: Name of the city in which the customer’s organization is registered
- State or Province: Name of state or province where the customer’s organization is registered (Use FULL NAME - For example: Pennsylvania instead of PA)
- Country: The two-letter country code for the country in which the customer’s organization is registered
- Email Address: An email address to contact the organization. Usually the email address of the certificate administrator or IT department.
Apache Tomcat is the server being used.
In order to renew an existing certificate that is about to expire, the customer should contact the Certificate Authority (CA) who signed the original certificate and request a renewal of the certificate without issuing a new private key, in this procedure no CSR is required.
If a certificate renewal is not possible and a new private key must be issued, then the procedure should be the same as creating a new certificate.
Important: Certain Certificate Authorities upon creation of a new private key will revoke the old certificate within a short period of time, please verify the CA’s policy before renewing the private key and make sure to complete the procedure within the revocation timeframe to avoid any service interruptions.
Ex Libris will notify customers with hosted certificates when their certificate is about to expire, please make sure when registering the certificate to provide a consistent email contact rather than a private one. (i.e., ITadmin@institute.com NOT firstname.lastname@example.org)
Please make sure this email contact is registered in Salesforce and subscribed to receive email notifications for the relevant product. For more information about subscribing to product and hosting updates please follow this link.
- Article last edited: 10-July-2017