Provisioning SSL Certificates [Beta]

🚧

This feature is in beta

Please note, this feature is still in beta and may not be accessible in your account yet. Contact your account manager for more information.

Provisioning SSL certificates with Entri

Entri has the ability to automatically provision SSL certificates. Your happy customers will be able to secure custom, encrypted domains for your application instantly with no extra work required by your engineering team.

Configure your Entri account

Before you can provision SSL certificates on Entri, you'll need to provide some basic information. Log into the Entri Dashboard, navigate to the SSL section, and enter the following information:

  • The application_url, which is the URL of the application that responds to requests coming from your clients' URLs. This is also commonly referred to as an origin server.
  • Your company’s cname_target. This is the CNAME record that your customers need. It needs to be pointed to ssl.goentri.com` and will be the target domain for your clients’ requests, providing a layer of security and encryption.

For example, if you run saascompany.com. You would first create a CNAME record:

{  
  type: "CNAME",  
  host: "domains",  
  value: "ssl.goentri.com",
  ttl: 300,
}

Next, configure Entri to add a CNAME record pointing to domains.saascompany.com on your customer's domain:

{  
  type: "CNAME",  
  host: "www",  
  // In this example, domains.saascompany.com is the "cname_target"
  value: "domains.saascompany.com",
  ttl: 300,  
}

Provision a certificate

After you've configured your account for SSL, there are two methods of provisioning an SSL certificate for your customer's domain: utilizing the Entri modal, or making a direct API request.

Provisioning an SSL certificate via the Entri Modal (recommended)

Provisioning a certificate for a subdomain is effortless with the Entri modal. Add an extra property, ssl: true, to the CNAME record that will be set by Entri (as shown in the configuration object below) and set value to be {CNAME_TARGET}.

{CNAME_TARGET} will automatically use the CNAME target entered in the dashboard in step 1.

{
    type: "CNAME",
    host: "www",
    // This will match the CNAME target defined in the Entri dashboard in step 1
    value: "{CNAME_TARGET}",
    ttl: 300,
    ssl: true
}

We suggest this method because it guarantees that your user has properly added the required cname_target record. Without this CNAME record added to your customer's DNS, Entri cannot provision an SSL certificate.

Additionally, if the user has a conflicting CAA record, Entri will automatically fix it during the DNS setup process.

📘

For more information about configuring the Entri modal, see: Create the configuration object.

Provisioning an SSL certificate directly via API

You can also provision SSL certifcates without using the Entri modal in just 2 steps:

Step 1

To secure domains without displaying the Entri modal, you first need to make a GET request to our API which confirms that the domain you want to issue the SSL certificate for contains a CNAME record pointing to your cname_target

Use the following information for the GET Request:

Example using curl:

curl -X GET https://api.goentri.com/ssl
   -H "Content-Type: application/json"
   -H "Authentication: [yourClientSecret]"
   -H "applicationId: [yourApplicationID]"
   -d '{"domain": "www.test.com"}'

If the domain contains the required cname_target, then our API will return "eligible": true. If it does not contain cname_target, then our API will return "eligible": false

// domain is eligible for SSL
{  
  "eligible": true,
  "sslStatus": "inactive",
}

// domain is ineligible for SSL because cname record not been set up
{  
  "eligible": false,
  "sslStatus": "inactive",
}

If your GET request returned "eligible": true then you can proceed to the next step below.

🚧

Important Warning

Do NOT proceed with making a POST request in Step 2 (below) unless the domain returned "eligible": true in theGET request from Step 1. Otherwise, the POST request will be denied.

Step 2

After you have confirmed that your customer has added your cname_target and therefore is eligible for an SSL certificate, you can proceed with provisioning the SSL certificate via a POST request to our endpoint as detailed below:

Example using curl:

curl -X POST https://api.goentri.com/ssl 
   -H "Content-Type: application/json"
   -H "Authentication: [yourClientSecret]"
   -H "applicationId: [yourApplicationID]"
   -d '{"domain": "www.test.com"}'

Deprovision SSL certificates when domains are no longer active

To deprovision SSL certificates, make a DELETE request to our API using the following information:

Example using curl:

curl -X DELETE https://api.goentri.com/ssl 
   -H "Content-Type: application/json"
   -H "Authentication: [yourClientSecret]"
   -H "applicationId: [yourApplicationID]"
   -d '{"domain": "www.test.com"}'