Importing an External Certificate
This is the process that is used to import an external certificate. For more general information, see the following resources:
- Certificate format: https://docs.aws.amazon.com/acm/latest/userguide/import-certificate-prerequisites.html
- Certificate process: https://aws.amazon.com/blogs/security/how-to-import-pfx-formatted-certificates-into-aws-certificate-manager-using-openssl/
Interact only accepts a valid PFX-encoded certificate with the following properties:
- A password for the PFX file
- Chain certificate information
- A valid certificate that has not expired
- Signature algorithm of SHA256WITHRSA
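One way to check a PFX against the properties above before sending it to support, as an added example that is not Interact's own tooling. It assumes OpenSSL is installed and that the password is in a PFX_PASS environment variable; check_pfx and make_demo_pfx are hypothetical helper names, and make_demo_pfx builds a constructed throwaway bundle to try the check on.

```shell
#!/bin/sh
# Added example: pre-submission check of a PFX against the listed properties.
# check_pfx and make_demo_pfx are hypothetical helper names, not Interact tooling.
# The PFX password is read from the PFX_PASS environment variable so that it
# does not show up in the process list.
# Usage: PFX_PASS='...'; export PFX_PASS; check_pfx site.pfx

# check_pfx FILE: prints findings, returns 0 only if every check passes.
check_pfx() {
    pfx=$1; rc=0
    # Leaf certificate. Fails if the password is wrong or the file is not PKCS#12.
    leaf=$(openssl pkcs12 -in "$pfx" -passin env:PFX_PASS -clcerts -nokeys 2>/dev/null) \
        || { echo "FAIL: cannot open PFX (wrong password or not PKCS#12)"; return 1; }
    # Chain certificates bundled next to the leaf.
    chain=$(openssl pkcs12 -in "$pfx" -passin env:PFX_PASS -cacerts -nokeys 2>/dev/null \
        | grep -c 'BEGIN CERTIFICATE' || true)
    [ "$chain" -ge 1 ] || { echo "FAIL: no chain certificates in PFX"; rc=1; }
    # -checkend 0 exits non-zero when the certificate has already expired.
    printf '%s\n' "$leaf" | openssl x509 -noout -checkend 0 >/dev/null 2>&1 \
        || { echo "FAIL: certificate is expired or unreadable"; rc=1; }
    # OpenSSL prints SHA256WITHRSA as sha256WithRSAEncryption.
    alg=$(printf '%s\n' "$leaf" | openssl x509 -noout -text 2>/dev/null \
        | sed -n 's/^ *Signature Algorithm: *//p' | head -n 1)
    [ "$alg" = "sha256WithRSAEncryption" ] \
        || { echo "FAIL: signature algorithm is ${alg:-unknown}"; rc=1; }
    # Subject and expiry date, for the record sent with the ticket.
    printf '%s\n' "$leaf" | openssl x509 -noout -subject -enddate 2>/dev/null || rc=1
    return $rc
}

# make_demo_pfx DIR: writes DIR/demo.pfx from a constructed throwaway CA and
# leaf (intranet.example.com is a placeholder name), protected with PFX_PASS.
make_demo_pfx() {
    d=$1
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
        -subj "/CN=Demo Test CA" -keyout "$d/ca.key" -out "$d/ca.crt" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -subj "/CN=intranet.example.com" \
        -keyout "$d/leaf.key" -out "$d/leaf.csr" 2>/dev/null
    openssl x509 -req -in "$d/leaf.csr" -CA "$d/ca.crt" -CAkey "$d/ca.key" \
        -CAcreateserial -sha256 -days 30 -out "$d/leaf.crt" 2>/dev/null
    openssl pkcs12 -export -inkey "$d/leaf.key" -in "$d/leaf.crt" \
        -certfile "$d/ca.crt" -passout env:PFX_PASS -out "$d/demo.pfx"
}
```

The last line of output gives the certificate's subject and expiry date, which is also the date to track for renewals.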
See below for the process used to import your existing certificate:
Steps 1-3: You decide the Vanity URL, create a PFX file as defined above, open a ticket with Interact Technical Support and provide the file and password.
Step 4: Interact will complete the certificate import and send you the CNAME record for your site. This CNAME record will be a permanent CNAME that is used in order to route traffic from the Vanity URL to your Interact site.
Step 5: Add the CNAME information from Interact to your domain, in much the same way as your other DNS information was added. This is provider-specific, so you will need to refer to documentation from your domain provider for these details. Once you complete this step, you will be able to run the command nslookup {yourcustomurl} and see the Aliases area, which shows your Vanity URL on the first row, the CNAME record on the second row and a load balancer reference in the third row. Having these records generally indicates that the Vanity URL is working. Next, you can test the URL by going to https://{yourcustomurl}/local-login and checking whether you get a login page.
You may also need to remove other Apex (A) records for this Vanity URL with the DNS provider.
Also, if applicable, you may need to go into Interact at Application Settings | Control Panel | Manage Security | Manage SAML and set up SAML for the new URL. See here for documentation.
Troubleshooting
- Many of our customers have an existing URL that they want to repurpose for use with Interact; however, that URL is still being used for their old Intranet site. You should still complete Steps 1-4 above so that all you need to perform is the last step of the process. Importing a certificate can take several days for Interact to complete, as it requires admin-level support. By completing Steps 1-4 early in your implementation process, you avoid potential delays at the time of Go-Live.
- If you created content within Interact before switching to the Vanity URL, you might have hard-coded links (aka absolute links) pointing to your reserved URL. This becomes a problem because user sessions will be set up against the Vanity URL, and the link to the reserved URL will force the user to log in again. If you run into this situation, you will need to republish the content with these links. If you have a large number of absolute links to the reserved URL, you can open a ticket with Technical Support, who can run a script to correct this.
- If you are going to have a Vanity URL, it is best to wait to set up SSO until after the Vanity URL is working. Otherwise, you will have to set SSO up with the reserved URL and again with the Vanity URL.
- Your certificate will eventually expire. If you are leveraging your existing certificate (i.e. the process above), you are responsible for monitoring the expiration dates of certificates and getting updated PFX files to Interact well before the expiration date. It typically takes 2-5 days to complete the import of a certificate, including renewal certificates.
- If you are repurposing an existing Vanity URL that is being used by another application, you may have conflicts with existing page history and cookies related to SSO or how the application functions. We've seen this issue manifest itself in a situation where pages continually auto-refresh or don't display properly. If those issues go away with Incognito / Private mode in your browser, you might need to clear all history for that Vanity URL in the browser.
- Customers are responsible for generating the Certificate Signing Request (CSR), on any machine with the ability to generate one, and submitting it to the appropriate certificate vendor to generate the SSL certificate. This is not something that Interact can perform on behalf of a customer.
Updated over 2 years ago