SSL/TLS certificates

To facilitate URL redirects over HTTPS, you must create an SSL/TLS certificate for the relevant source domain to ensure a secure connection that prevents unauthorized third parties from intercepting data in transit.

Note: The URL redirects feature is available only in the IBM® NS1 Connect® Premium plan.

The HTTPS protocol secures the data transfer through SSL or TLS encryption. SSL/TLS certificates employed by a web server or domain name contain public encryption keys that secure the connection to prevent unauthorized third parties from intercepting data while it is in transit and to validate the website's authenticity. Refer to HTTP vs. HTTPS for details.

When creating a redirect, you have the option to enable HTTPS. If enabled, you are presented with a second option to enforce HTTPS. Upon enabling HTTPS, the NS1 Connect platform automatically generates an SSL/TLS certificate corresponding to the domain of the source URL.

The NS1 Connect platform uses the Let’s Encrypt service to generate SSL/TLS certificates, with the DNS-01 challenge as validation. When a new certificate is generated (automatically or manually), the platform creates a TXT record for the corresponding domain with information about the SSL/TLS certificate.

Note: You can only create certificates for a domain for which NS1 Connect nameservers are the delegated authority. In other words, a primary zone corresponding to the FQDN must exist in your NS1 Connect account, and the nameserver delegation must be updated at the domain registrar to point to NS1 Connect nameservers. Refer to Delegating a domain to NS1 for details.

Certificate rate limit

There are two limits placed on the rate of certificates generated within your NS1 Connect account:

  • Per the Let’s Encrypt service, you can only generate up to 50 certificates for an individual domain per week. If certificate generation fails for this reason, you must delete the ticket and try again.
  • Per the NS1 Connect platform, you can only generate 10 certificates for any domain per hour. If certificate generation fails for this reason, the NS1 Connect platform will add the certificate to a queue and complete the operation as soon as possible.

We recommend using wildcards in the source URL and certificates to facilitate communication over HTTPS for multiple subdomains, if applicable. This helps you stay within the rate limits mentioned above. For example, you can create a source URL and wildcard certificate for the domain *.example.com to cover all subdomains under example.com.

The table below demonstrates the certificate domain you would use to accommodate each source URL or group of source URLs in the left column. The middle column demonstrates the domain you would use if creating a single-domain certificate, whereas the right-most column demonstrates the domain you would use if creating a wildcard certificate.

| Source URL(s) | Domain(s) to use for single-domain certificate | Domain to use for wildcard certificate |
|---|---|---|
| example.com/* | example.com | n/a |
| foo.example.com/about | foo.example.com | *.example.com |
| *.example.com | n/a | *.example.com |
| a.example.com/foo, b.example.com/*, c.example.com/bar | a.example.com, b.example.com, c.example.com | *.example.com |

Note: A certificate for *.example.com does not apply to the root domain, example.com.

A certificate must exist for each domain, subdomain, and wildcard domain specified in a URL redirect configuration if HTTPS is enabled.

Single-domain vs. Wildcard certificates

There are two types of certificates you can create within the NS1 Connect platform: single-domain or wildcard.

  • A single-domain certificate covers one static domain, such as example.com or sub.example.com.
  • A wildcard certificate covers multiple subdomains based on the placement of the asterisk. For example, you can create a wildcard certificate, *.example.com, to cover all first-level subdomains under example.com.
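
The coverage rules from the table and the two certificate types above, written out as an added Python example (not NS1 Connect code or an NS1 API). The function names and the `wildcard_threshold` parameter are hypothetical, and the zone is assumed to be supplied by the caller; the source URLs are the ones from the table.

```python
def source_host(source_url):
    """Host part of a redirect source URL such as 'foo.example.com/about'."""
    rest = source_url.split("://", 1)[-1]
    return rest.split("/", 1)[0].lower().rstrip(".")

def covers(cert_domain, host):
    """True if a certificate issued for cert_domain is valid for host."""
    if cert_domain == host:
        return True
    if not cert_domain.startswith("*.") or host.startswith("*."):
        return False
    # A wildcard matches exactly one label to the left of its parent domain,
    # so it never matches the root domain or a second-level subdomain.
    label, _, parent = host.partition(".")
    return bool(label) and parent == cert_domain[2:]

def missing_certs(source_urls, cert_domains):
    """Hosts used in source URLs that no existing certificate covers."""
    hosts = {source_host(u) for u in source_urls}
    return sorted(h for h in hosts
                  if not any(covers(c, h) for c in cert_domains))

def plan_certs(source_urls, zone, wildcard_threshold=2):
    """A compact set of certificate domains for source URLs in one zone.

    wildcard_threshold is an assumption of this example: the number of
    first-level subdomains at which one wildcard replaces single certs.
    """
    wildcard = "*." + zone
    hosts = {source_host(u) for u in source_urls}
    first_level = {h for h in hosts if covers(wildcard, h)}
    plan = hosts - first_level   # root domain and deeper names need their own
    if wildcard in hosts or len(first_level) >= wildcard_threshold:
        plan.add(wildcard)       # one wildcard instead of many certificates
    else:
        plan |= first_level
    return sorted(plan)

# Source URLs taken from the table above.
SOURCE_URLS = ["example.com/*", "foo.example.com/about", "*.example.com",
               "a.example.com/foo", "b.example.com/*", "c.example.com/bar"]

if __name__ == "__main__":
    print(plan_certs(SOURCE_URLS, "example.com"))
    print(missing_certs(SOURCE_URLS, ["*.example.com"]))
```

Running `missing_certs` against the list of certificates on the Certificates page before enabling HTTPS on a redirect shows which hosts would still trigger new certificate generation.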

Creating a certificate

If the redirect configuration enables HTTPS, an SSL/TLS certificate is required for the corresponding domain. Typically, the NS1 Connect platform will automatically generate a certificate based on the source URL(s) defined in the redirect configuration upon saving a new redirect if a corresponding certificate doesn’t already exist.

Note: If you plan to configure redirects from multiple subdomains, we recommend you create a wildcard certificate before the redirect configuration to prevent a high volume of certificates from being generated at once.

Follow the steps below to create an SSL/TLS certificate:

  1. Navigate to Redirects > Certificates.
  2. Click Create.
  3. Select the type of certificate you are creating: single-domain or wildcard.
  4. Select the zone FQDN corresponding to this certificate.
  5. If applicable, select the record domain corresponding to this certificate. This may be the same as the zone (apex), or it can be a subdomain within the zone FQDN.
  6. Click Create.

Upon creating the certificate, its status is displayed on the Certificates page. Initially, the certificate status will be “In progress” until certificate generation is complete.

Certificate statuses

You can view the status of an SSL/TLS certificate on the Certificates page (within Redirects).

  • In progress – The SSL/TLS certificate is being generated. Check back soon.
  • Ready – The SSL/TLS certificate was generated successfully and is active.
  • Error – Something went wrong. Hover over the error to view details, if available. Common errors include:
    • The rate limit was exceeded. You can only generate up to 50 certificates for an individual domain per week and only 10 certificates for any domain per hour. If certificate generation fails because you attempted to create more than 10 in one hour, the NS1 Connect platform will add the certificate to a queue and complete the operation as soon as possible.
    • There was an issue due to a system timeout. Try refreshing the page. You may need to delete the certificate and recreate it.
    • The domain associated with the certificate could not be found in the NS1 Connect platform; therefore, the platform could not create the TXT record within the corresponding zone. Ensure the DNS zone corresponding to this domain is created in your account before attempting to create a certificate.

The NS1 Connect platform will automatically renew expired SSL/TLS certificates.

Revoking (deleting) SSL/TLS certificates

If you delete an HTTPS-enabled redirect configuration, you must manually delete or “revoke” an SSL/TLS certificate associated with a domain or subdomain.

  1. Navigate to Redirects > Certificates to view a list of certificates and their statuses.
  2. Select the checkbox next to one or more certificates you want to delete.
  3. Click Delete.

Warning: Deleting an SSL/TLS certificate may cause your redirects to fail if HTTPS is enforced.