Note: This information about procuring an SSL Certificate is for Marketo's SSL for Landing Pages and Marketo’s SSL for Tracking Links services only.
For information on Marketo’s new Secured Domains for Landing Pages, please see: Overview & FAQ: Secured Domains for Landing Pages.
In an effort to move towards a safer web, several changes were made to the Chrome browser in 2017. First, in January 2017, Chrome began displaying a “Not Secure” warning in the address bar of websites that collect passwords or credit card information. In October 2017, Google released version 62 of the Chrome browser and began adding the “Not Secure” warning when visitors start typing any information on HTTP pages. Here’s what this now looks like:
In addition to the two changes above, according to Google, the Chrome browser will add the “Not Secure” warning for any request to an HTTP page at some point in the future. These moves indicate that HTTPS secured pages will become the de facto standard. You can learn more in our post: Upcoming Changes to the Chrome Browser
While these changes to Chrome will affect all landing pages across the web, when it comes to your Marketo landing pages, you have two options.
The first is to do nothing. Your landing pages and forms will continue to work as before. The only difference will be the “Not secure” notification that Chrome will add in the browser’s address bar when a visitor enters data on your page.
The second option is to secure your Marketo Landing Pages to HTTPS by purchasing an SSL for Landing Pages service from Marketo.
In this post, we’ll share an overview of the Marketo SSL for Landing Page Service and provide links to relevant FAQs.
Securing Your Marketo Landing Pages
By default, Marketo serves landing pages over HTTP, and we’ve given our customers the choice of whether or not to secure their Marketo landing pages to HTTPS. With the recent changes to the Chrome browser, there’s increasing interest in securing Marketo landing pages to avoid the “Not Secure” warning visitors will see when entering data on HTTP pages.
Marketo’s SSL for Landing Pages service is an available add-on service to secure any and all landing page domains defined in your instance to HTTPS. Please contact your Marketo Customer Success Manager or Engagement Manager for more information or for a quote for this service.
Overview of the SSL for Landing Pages Process
To set up secure landing pages for your Marketo instance, there are steps that must be completed on Marketo’s side to set up a secured server for your pages, and steps that you’ll need to complete in your instance prior to the transition from HTTP to HTTPS.
Marketo will create a secure landing page server for your instance
On the Marketo side, we’ll install a new server endpoint on a dedicated IP address for your secured landing page server. Then we’ll install or confirm a new load balancer and reconfigure the internal DNS before installing the security certificate that we receive from you. This step requires significant Engineering time and coordination. Please expect up to 3 weeks' turnaround time for this request.
Procure a TLS/SSL certificate and provide this to Marketo
On your side, you’ll first need to procure an SSL Certificate and provide it and the certificate private key to Marketo. You can have only one certificate in your Marketo instance, and it should be configured to cover all the domains in your instance. In the example shown below, the instance has a default landing page CNAME (the Landing Page Domain Name on the Landing Page tab), and two other CNAMEs (the two Domain Aliases on the Rules tab). All of these would have to be covered by the certificate.
Please note: When it comes to securing your landing pages, all domains will be secured. It’s an all-or-nothing action, meaning you cannot choose to secure some domains and keep others on HTTP.
With a complete list of domains in your instance, your IT or Web team can help guide you through generating a Certificate Signing Request (or CSR) and Private Key and using this to purchase a certificate from your preferred certificate authority. We recommend that you choose a certificate that is valid for a minimum of 2 years to avoid having to replace it annually. Once procured, you’ll need to provide the certificate and Private Key to Marketo for us to build your secured landing page server.
For more information, please see our FAQ: Certificates for SSL for Landing Pages & SSL for Tracking Links
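Because a single certificate has to cover every domain in the instance, it is worth checking the certificate's DNS names against your domain list before ordering or handing it over. The following is an added example, not Marketo code: the hostnames are constructed placeholders, and the SAN list is assumed to have been copied from the CSR or certificate (for instance from the text output of `openssl x509 -noout -text`).

```python
# Added example: does a certificate's SAN list cover every domain in the instance?
# All hostnames are constructed placeholders.

def name_matches(pattern: str, host: str) -> bool:
    """Match one SAN dNSName against one hostname.

    A '*' is honoured only as the entire left-most label and stands for
    exactly one label, so '*.example.org' covers 'info.example.org' but
    neither 'example.org' nor 'go.info.example.org'.
    """
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = host.lower().rstrip(".").split(".")
    if len(p_labels) != len(h_labels):
        return False
    if p_labels[0] == "*":
        # Conservative simplification: refuse wildcards directly under a
        # single label such as '*.com'.
        if len(p_labels) < 3:
            return False
        return p_labels[1:] == h_labels[1:]
    # Partial wildcards such as 'w*.example.org' are compared literally,
    # so they never match a real hostname here.
    return p_labels == h_labels


def uncovered_domains(san_dns_names, instance_domains):
    """Return the instance domains that no SAN entry matches, in input order."""
    return [d for d in instance_domains
            if not any(name_matches(s, d) for s in san_dns_names)]


# Constructed sample: SAN entries from the certificate, then the landing page
# domain plus the domain aliases configured in the instance.
SAN_DNS_NAMES = ["pages.example.com", "*.example.org"]
INSTANCE_DOMAINS = ["pages.example.com", "info.example.org",
                    "go.info.example.org", "example.org"]

if __name__ == "__main__":
    missing = uncovered_domains(SAN_DNS_NAMES, INSTANCE_DOMAINS)
    for domain in missing:
        print("not covered by certificate:", domain)
    print("all domains covered" if not missing else f"{len(missing)} domain(s) missing")
```

Any domain reported as missing would be served with a certificate name mismatch after the cutover, since all domains are switched to HTTPS together.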
Ready your Marketo landing pages for the conversion to HTTPS
Next, you’ll need to ready the landing pages in your instance for the conversion to HTTPS. Below is a list of steps to review, update and reapprove your landing pages:
Unapprove and re-approve all landing pages. This can be done in bulk in the Landing Pages section of Design Studio by selecting a group of pages to unapprove and re-approve via the “Landing Page Actions” menu. If you have a developer, they can use Marketo’s API to unapprove/reapprove landing pages (see our Developer's site documentation here).
If you use Marketo Forms 1.0 on a non-Marketo webpage, you will need to update the post URL to HTTPS (Forms 2.0 does not need to be updated).
If you do a server-side post to a Marketo Form and use your CNAME as the Post URL, you also need to change that to HTTPS. Please note that server-side form posts are not supported and you should make a Marketo form submission in the background instead.
If you include a Marketo landing page on a secure website using an iframe, you will need to update the HTML to load the secure version of the landing page, otherwise the end user will get a security warning.
If you use a Marketo Form on a non-Marketo page, you will need to update the follow-up URL to HTTPS if you’ve explicitly referenced an HTTP page.
Once you’ve completed the steps above, Marketo Professional Services will coordinate the cutover process with you. To help ensure a smooth transition, we’ll work with you to plan a time when you have few or no upcoming batch campaigns running, and also a time when your team is available, if needed, to make a few updates in your Marketo instance.
RECOMMENDATION: After the cutover, you may notice that your images are not displayed in the email editor or preview mode. Rest assured your emails will send correctly and the images will render for the recipients of your emails. To be sure that you can see the images in Marketo, you must adjust the image URLs from HTTP to HTTPS in the editor. Again, whether you take this step or not, the images will render properly for your email recipients. In the example below, you would adjust the HTTP to HTTPS.
That’s it – your landing pages will be served via HTTPS! Of course, it’s a good idea to do some validation of your pages after the cutover to be sure pages are loading correctly, images are loading, and that you didn’t miss any hard-coded HTTP links. By moving your pages to HTTPS, you can rest assured that you’re providing critical security and data integrity for both your pages and your visitors’ personal information. Good job, you!
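One way to do the post-cutover check for hard-coded HTTP references is to scan the saved HTML of each page. This is an added example, not a Marketo tool: the sample markup and URLs are constructed, and the tag list is an assumption covering the cases named above (images, iframes, form post URLs, follow-up links).

```python
# Added example: find hard-coded http:// references in landing page HTML.
from html.parser import HTMLParser

# (tag, attribute) pairs the page itself loads or submits; an http:// URL
# here is mixed content once the page is served over HTTPS.
ACTIVE = {("img", "src"), ("script", "src"), ("iframe", "src"),
          ("link", "href"), ("form", "action")}


class HttpRefScanner(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []  # tuples of (line, tag, attribute, url, kind)

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if not value or not value.strip().lower().startswith("http://"):
                continue  # https://, relative and protocol-relative URLs are fine
            if (tag, name) in ACTIVE:
                kind = "mixed-content"
            elif tag == "a" and name == "href":
                kind = "navigation"  # works, but sends the visitor back to HTTP
            else:
                continue
            self.findings.append((self.getpos()[0], tag, name, value.strip(), kind))


def scan(html: str):
    """Return all hard-coded http:// references found in the markup."""
    scanner = HttpRefScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings


# Constructed sample page
SAMPLE = """<html><body>
<img src="http://pages.example.com/rs/logo.png">
<img src="https://pages.example.com/rs/hero.png">
<iframe src="http://pages.example.com/signup.html"></iframe>
<form action="http://pages.example.com/post"></form>
<a href="http://www.example.com/thanks">Thanks</a>
<script src="//cdn.example.com/lib.js"></script>
</body></html>"""

if __name__ == "__main__":
    for line, tag, attr, url, kind in scan(SAMPLE):
        print(f"line {line}: <{tag} {attr}> {url} [{kind}]")
```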
Secured Branded Tracking Links
For those in highly regulated industries, your company may additionally require that you securely encrypt the Marketo tracking links embedded in Marketo emails. Remember that Marketo takes the URLs you place inside of emails and shortens them using the "Branded Tracking Link" domain (this is another CNAME you set up in Marketo under Admin > Email). These tracking links are how Marketo enables you to track engagement with your emails.
To secure your email tracking links, contact your Marketo account manager for a quotation. The process is similar to securing your Marketo landing pages. You will need to generate a certificate to cover the branded tracking link domain (there’s only one per instance). We will then create a secure tracking links server for your instance, install your certificate, and update DNS entries.
It’s important to note that while you may not see the link displayed with HTTPS, it will leverage SSL data encryption over HTTPS.
For more information, please see the FAQ: SSL for Landing Pages & SSL for Tracking Links