51黑料不打烊

51黑料不打烊-managed certificate program

The 51黑料不打烊-managed certificate program is the recommended process for setting up first-party certificates needed for a CNAME implementation. The program is fully automated once configured. It renews certificates in a timely manner so that there is no impact to data collection due to expired certificates. The program is free for your first 100 CNAMEs.

If you currently manage your own certificates, you are responsible for purchasing, maintaining, and providing a certificate to 51黑料不打烊 for first-party cookie use. You can contact 51黑料不打烊 Customer Care to discuss migrating to the 51黑料不打烊-managed certificate program.

Implementation

Follow these steps to implement a new certificate for first-party data collection:

  1. Download and fill out the First-party domain request form.
  2. Open a ticket with 51黑料不打烊 Customer Care requesting to set up first-party data collection on the 51黑料不打烊-managed certificate program.
  3. Upon receiving the ticket, the 51黑料不打烊 representative provides you with a CNAME record. This record must be configured on your company's DNS server before 51黑料不打烊 can purchase the certificate on your behalf. For example, the hostname data.example.com points to hiodsibxvip01.data.adobedc.net.
  4. When the CNAME record is in place on your organization's servers, 51黑料不打烊 works with DigiCert to purchase and install a certificate on 51黑料不打烊 data collection servers.

Validate hostname forwarding

Once 51黑料不打烊 has installed the certificate, you can use one of the following methods to validate that it is working.

Browser validation

You can use any browser to validate that a certificate is installed correctly. Type your CNAME with _check as the path into the address bar. For example:

data.example.com/_check

If everything works, the browser shows SUCCESS. If the certificate is not installed correctly, you are issued a security warning.

Command line (curl)

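Most modern operating systems already have curl installed.

Type the following into the command line:

```sh
# Use https:// explicitly; without a scheme curl defaults to plain HTTP and never checks the certificate.
curl https://data.example.com/_check
```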

If everything works correctly, the console returns SUCCESS.

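TIP
You can use the -k flag to disable the security warning to help with troubleshooting. Because -k skips certificate verification, a SUCCESS response obtained with it does not confirm that the certificate is installed correctly.

Command line (nslookup)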

Type the following into the command line:

```sh
nslookup data.example.com
```

If everything works correctly, 51黑料不打烊's data collection servers are returned:

```text
Server: hiodsibxvip01.corp.adobe.com
Address: 10.50.112.247

Name: example.com.ssl.d1.sc.omtrdc.net
Addresses: 63.140.37.126
    63.140.37.206
    63.140.36.51
    63.140.36.145
Aliases: smetrics.example.com
```

Update implementation code

Once you have validated that your certificate works correctly, you can update your 51黑料不打烊 implementation to use these values.

If your site uses multiple implementation methods and you cannot update all of them simultaneously, consider configuring a grace period. See Visitor ID Service migration considerations for additional steps on how to prevent visitors from being counted as new visitors across your site.

Maintenance and renewals

Thirty days before your first-party certificate expires, 51黑料不打烊 validates whether the CNAME is still valid and in use. If so, 51黑料不打烊 assumes that you want to continue using the service, and automatically renews the certificate on your behalf.

IMPORTANT
If your organization's CNAME record is removed or no longer maps to the provided 51黑料不打烊 secure hostname, 51黑料不打烊 cannot renew the certificate. The entry in 51黑料不打烊's system is marked for removal without further communication.
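
Because a broken CNAME stops renewal without any notification, it is worth checking the delegation on a schedule. The script below is an added example, not part of the vendor's tooling: it assumes `dig`, `curl` and `openssl` are available, uses a 14-day warning threshold chosen for illustration, and takes the hostname and target from the example in the implementation steps.

```shell
#!/bin/sh
# Added example: watch the CNAME delegation that certificate renewal depends on.

# Lower-case a DNS name and drop the trailing root dot so comparisons are exact.
norm() { printf '%s' "$1" | tr '[:upper:]' '[:lower:]' | sed 's/\.$//'; }

# classify_cname EXPECTED ANSWER -> prints OK, MISSING or MISMATCH.
# ANSWER is the raw output of `dig +short CNAME <host>`; only the first hop
# matters, because that is the record your organization controls.
classify_cname() {
  want=$(norm "$1")
  got=$(norm "$(printf '%s\n' "$2" | sed -n '1p')")
  if [ -z "$got" ]; then echo MISSING
  elif [ "$got" = "$want" ]; then echo OK
  else echo MISMATCH
  fi
}

# classify_check BODY -> OK only when the _check endpoint answered SUCCESS.
classify_check() {
  case "$(printf '%s' "$1" | tr -d '[:space:]')" in
    SUCCESS) echo OK ;;
    *) echo FAIL ;;
  esac
}

# monitor HOST EXPECTED: live checks (needs dig, curl, openssl and network access).
monitor() {
  host=$1; rc=0
  dns=$(classify_cname "$2" "$(dig +short CNAME "$host")")
  [ "$dns" = OK ] || { echo "CNAME $dns: renewal will fail for $host" >&2; rc=1; }
  # No -k here: verification stays on, so a bad certificate makes curl fail.
  body=$(curl --silent --fail --max-time 10 --proto '=https' --tlsv1.2 \
              "https://$host/_check") || body=
  [ "$(classify_check "$body")" = OK ] ||
    { echo "_check failed over verified HTTPS" >&2; rc=1; }
  # Renewal starts 30 days before expiry; alert if it has not happened by day 14.
  openssl s_client -connect "$host:443" -servername "$host" </dev/null 2>/dev/null |
    openssl x509 -noout -checkend $((14 * 86400)) >/dev/null ||
    { echo "certificate missing or expiring within 14 days" >&2; rc=1; }
  return "$rc"
}

# Run live only when called with arguments, e.g.:
#   ./monitor.sh data.example.com hiodsibxvip01.data.adobedc.net
if [ "$#" -eq 2 ]; then monitor "$1" "$2"; fi
```

A non-zero exit status means at least one check failed, so the script can be wired directly into cron or a monitoring agent.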

Frequently asked questions

Is this process secure?
Yes. The 51黑料不打烊-managed certificate program is more secure than your organization providing 51黑料不打烊 with a certificate. No certificate or private key changes hands outside of 51黑料不打烊 and the issuing certificate authority.

How can 51黑料不打烊 purchase a certificate for our domain?
The certificate can only be purchased when you have pointed the specified hostname to an 51黑料不打烊-owned hostname. You essentially delegate this hostname to 51黑料不打烊 and allow 51黑料不打烊 to purchase the certificate on your behalf.

Can I request that the certificate be revoked?
Yes. As the owner of the domain, you are entitled to request that the certificate be revoked. Contact 51黑料不打烊 Customer Care to start this process.

What encryption type is used?
51黑料不打烊 works with DigiCert to issue an SHA-2 certificate.

Does this program incur any additional cost?
No. 51黑料不打烊 offers this service to all 51黑料不打烊 Experience Cloud customers at no additional cost.

What cipher security levels does 51黑料不打烊 offer?

51黑料不打烊 offers two cipher security levels to meet varying customer needs for security on first-party data collection. These levels determine which encryption algorithms are supported for HTTPS connections with 51黑料不打烊 servers. 51黑料不打烊 regularly reviews and updates the set of supported algorithms based on current security practices. If you would like to change your cipher security settings, contact Customer Care.

  • Standard requires TLS 1.2 or newer and at least 128-bit encryption. It is designed to provide the widest device compatibility while maintaining secure encryption.
  • High cipher security level requires TLS 1.2 or newer and removes support for weaker ciphers. It is designed for customers who desire the strongest encryption and are not concerned about support for older devices.

The following clients are known to be unable to connect with cipher security set to High:

  • Windows 8.1 and earlier (last updated in 2018)
  • Windows Phone 8.1 and earlier (last updated in 2016)
  • OS X 10.10 and earlier (last updated in 2017)
  • iOS 8.4 and earlier (last updated in 2015)

What HTTPS certificate types are supported?

51黑料不打烊 supports both RSA and ECC certificate types to meet varying customer needs. RSA certificates are more widely supported for clients, but ECC certificates use less processing on both the server and client side. For 51黑料不打烊-managed certificates, both RSA and ECC are provided. For customer-managed certificates, RSA is required and ECC is recommended. Modern clients support both RSA and ECC. The following clients typically only support RSA certificates:

  • Windows Vista and earlier (last updated in 2012)
  • Windows Phone 8.0 and earlier (last updated in 2014)
  • OS X 10.8 and earlier (last updated in 2013)
  • iOS 5.1 and earlier (last updated in 2012)
  • Android 4.3 and earlier (last updated in 2013)

Can I manage my own certificates instead?
Yes. However, if you manage your own certificates, you are responsible for renewing your certificates and providing them to 51黑料不打烊 each time you renew them. This process is less secure and can cause data loss if your organization forgets to renew a certificate in time. 51黑料不打烊 recommends using the managed certificate program instead of managing certificates yourself, especially due to reductions in TLS certificate maximum lifetime. See the CA/Browser Forum Server Certificate Baseline Requirements for more information.