If you choose the CNAME URL implementation option, an SSL Certificate will be required for the new subdomain. Concept3D has two options for issuing the certificate:
- Amazon-Issued
- Customer-Issued
1. Amazon-Issued Certificate
Advantages:
- Certificates are issued for 12 months and are auto-renewed by AWS. No worries about site downtime due to expired certificates. (Certificates created using email validation require revalidation after 825 days.)
- Certificates are maintained in the AWS Certificate Manager and are never copied or saved outside of this secure environment.
- Setup is easy and only requires one of the following validation methods:
Validation Method 1: DNS (Strongly Recommended)
A request for the subdomain’s public certificate is made by Concept3D via AWS Certificate Manager (ACM). ACM provides an additional CNAME value that needs to be added to your DNS, which we will share with you. This value contains a random string that AWS uses for validation. AWS will approve this and all further renewals as long as the approval CNAME is in place. More information about DNS validation can be found here:
https://docs.aws.amazon.com/acm/latest/userguide/gs-acm-validate-dns.html
Validation Method 2: Email
A request for the subdomain’s public certificate is made by Concept3D via AWS Certificate Manager (ACM). AWS sends an email with an approval link to 5 common system addresses for the domain. This email is sent from no-reply@certificates.amazon.com or no-reply@email.amazonses.com. You have 72 hours to respond to this message. More information on email validation can be found here:
https://docs.aws.amazon.com/acm/latest/userguide/gs-acm-validate-email.htm
Note: Customers are responsible for completing email validations before certificate expiration. To prevent missed renewals and potential downtime, we recommend DNS validation. Email validation is only offered when DNS validation is not possible.
2. Customer-Provided Certificate*
Advantages:
- Maintain a consistent Certificate Authority Chain with your other URLs, preventing possible questions about the legitimacy of the map’s subdomain.
- DNS security features, such as CAA Records, may remain unchanged.
- Requires manual renewal of certificate, which can be part of existing review processes.
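An added example (not Concept3D or AWS code) for the CAA point above: given CAA records already looked up for the subdomain and its parent domains, it reports whether an Amazon-issued certificate would be permitted or whether the CAA records would have to change. The Amazon CA identifiers are the ones AWS documents for ACM, not values from this page; `map.example.edu`, `ca.example` and the function names are constructed for illustration.

```python
# Added example, not Concept3D or AWS code. CA identifiers are those AWS documents
# for ACM-issued certificates (an assumption brought in from outside this page).
AMAZON_CAS = {"amazon.com", "amazontrust.com", "awstrust.com", "amazonaws.com"}
KNOWN_TAGS = {"issue", "issuewild", "iodef"}

# Constructed sample: owner name -> [(flags, tag, value)], as `dig CAA` reports them.
SAMPLE = {
    "example.edu": [(0, "issue", "ca.example"), (0, "iodef", "mailto:sec@example.edu")],
}


def relevant_caa(hostname, caa_by_name):
    """Climb from hostname toward the root and return (owner, records) for the
    closest name that has CAA records (RFC 8659), or (None, []) if none has."""
    labels = hostname.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        name = ".".join(labels[i:])
        if caa_by_name.get(name):
            return name, caa_by_name[name]
    return None, []


def amazon_may_issue(hostname, caa_by_name):
    """Return (allowed, reason) for a non-wildcard certificate request."""
    owner, records = relevant_caa(hostname, caa_by_name)
    if owner is None:
        return True, "no CAA records on the path; any CA may issue"
    issuers = []
    for flags, tag, value in records:
        tag = tag.lower()
        # A critical (flag 128) property the CA does not understand blocks issuance.
        # Treating every tag outside KNOWN_TAGS as "not understood" is an assumption.
        if flags & 128 and tag not in KNOWN_TAGS:
            return False, f"critical unknown property '{tag}' at {owner}"
        if tag == "issue":
            # Drop parameters after ';'; a bare ";" means no CA is authorized.
            issuers.append(value.split(";", 1)[0].strip().lower())
    if not issuers:
        return True, f"CAA at {owner} has no 'issue' property"
    if AMAZON_CAS & set(issuers):
        return True, f"CAA at {owner} authorizes Amazon"
    allowed = sorted(set(issuers) - {""}) or ["no CA"]
    return False, f"CAA at {owner} authorizes only {allowed}"


if __name__ == "__main__":
    print(amazon_may_issue("map.example.edu", SAMPLE))
```

A `False` result means either the CAA records must be extended with an Amazon identifier or the customer-issued option is the one that leaves DNS untouched.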
Certificate requirements:
Following the guidelines provided by AWS, obtain an SSL certificate for the new subdomain through your regular process. General information on the requirements for importing certificates to AWS Certificate Manager (ACM) can be found here:
https://docs.aws.amazon.com/acm/latest/userguide/import-certificate.html
Follow these guidelines when issuing your certificate so it can be imported to ACM:
https://docs.aws.amazon.com/acm/latest/userguide/import-certificate-prerequisites.html
https://docs.aws.amazon.com/acm/latest/userguide/import-certificate-format.html
Contact your Concept3D representative to facilitate the transfer of the certificate files via secure methods. Avoid sending unencrypted certificates or associated passwords via email or other insecure channels.
*Caution:
Concept3D monitors certificate status and may notify customers of upcoming expiration dates, but this is a manual process. Providing updated customer-issued certificates remains your responsibility, and Concept3D is not responsible for any downtime or other issues caused by allowing certificates to expire. Updated certificates can be provided to Concept3D at any time and are typically uploaded within 1-3 business days. Please provide updated certificates within 3 business days of expiration to avoid any downtime.
Please note that Concept3D does not provide a Certificate Signing Request (CSR) for customer-issued certificates.