SSL Certificates FAQ
Which vendor should we buy our SSL certificate from?
Marketo does not recommend any single provider, but the following SSL Providers are commonly used:
- Network Solutions
These certificates are recognized by most web browsers. Certain premium certificates will also show your name in the URL bar (usually in a green bar). These are more expensive and it will take more time to issue those, because the SSL vendor will do more background checks before issuing such a certificate.
What format does the certificate need to be?
When you download your certificate at the certificate vendor, please choose the PEM format, which is the standard format for Apache. If you are not able to get the certificate in the PEM format, please check with us: we may be able to convert it to the PEM format on our end.
Often, you will also need to include root or intermediate certificates. These are additional certificates to guarantee the main certificate is recognized in all browsers. Here are some examples:
- GoDaddy: gd_bundle.crt
- Verisign: Symantec Secure Site Pro Intermediate CA Bundle
These are just examples: please check with your SSL vendor to include the correct files for your particular certificate.
How to generate the CSR?
Use the OpenSSL format to generate the CSR (http://www.openssl.org). Normally, your IT department or web server administrator will know how to do this. They will provide you with 2 files:
- The CSR -> provide this when you purchase the certificate
- The private key -> provide this to Marketo, together with the certificate
If IT or the web team can’t provide this to you, you can fairly easily generate the CSR yourself. First, install OpenSSL. If you are on Windows, download it here: http://slproweb.com/products/Win32OpenSSL.html.
As of this writing, the current version is “Win32 OpenSSL v1.0.1e Light” (which also works on 64-bit Windows). It installs into C:\OpenSSL-Win32 by default. Then go https://www.digicert.com/easy-csr/openssl.htm to generate the command line instructions that you’ll need to generate the CSR. This is an example:
openssl req -new -newkey rsa:2048 -nodes -out pages_marketo_com.csr -keyout pages_marketo_com.key -subj "/C=US/ST=California/L=San Mateo/O=Marketo Inc./CN=pages.marketo.com"
Copy this to the clipboard. Then click on the Start menu, type “cmd” in the search box, right-click on the “cmd” program and select “Run as Administrator”. Click “Yes” if there is a security warning. Type the following on the command line:
Then press the “enter” key.
This brings you to the “bin” directory inside the OpenSSL directory. Then paste the code from the digicert website into the command window (click on the icon on the top left of the window to pull out the menu):
Then press the “enter” key and your CSR and private key will be saved in C:\OpenSSL-Win32\bin.
If you don’t want to install OpenSSL on your computer, you can use an online CSR Generator, for example: https://www.trustico.com/ssltools/create/csr-pem/create-a-new-csr-instantly.php. However, please realize that this exposes your private key to the operator of that website, meaning that they could theoretically purchase an SSL certificate that is registered in your name. Use this option as a last resort, and realize that Marketo does not assume responsibility for the security of private keys that are generated in this way.
Can I use a 1-year Certificate?
You can, but it will be more work on your end to download a new certificate every year, with a risk of the certificate expiring. We recommend using certificates that are valid at least 2 years, which is also usually cheaper per year.
Can we provide you with more than 1 certificate?
No, unfortunately this is not technically possible in our server architecture. If you need to secure multiple domains, please provide us with a wildcard certificate for multiple subdomains (*.company.com) or a SAN Certificate (also called UCC certificate). With a SAN certificate you can include multiple domains in a single certificate (they need to be full domains, wildcards can’t be used).
Do secure landing pages affect the CNAME for our branded tracking links?
No, the CNAME entry for branded tracking links remains unchanged.
Do I need always need a Private Key?
A private key is required for every certificate. With the private key you can generate the CSR (often, the private key is auto-generated when you generate the CSR). You will then purchase the certificate with the CSR, but we will still need to install the private key on the Marketo server, otherwise the certificate will not work.
Example private key:
Why does it take about 3 weeks for Marketo to install the certificates?
To enable secure landing pages, we need to set up a dedicated landing page server for your organization. Non-secure landing pages are served from a shared web server, which is not suitable for secure pages.
Setting up a dedicated secure landing page server takes some time because there is a lot of back-end work involved, done by one of our network engineers: we will assign a new IP address for your new landing page server, install a new load balancer, reconfigure our internal DNS and install the certificate. We depend on external vendors for part of these tasks.
Checking & Changing the TTL
At least 1 day before the switch-over to the new secure landing pages, change the TTL of your CNAME to at most 300 seconds. In your DNS admin panel, you can set the TTL. If you don’t have access to the DNS admin panel, you can use this website to look up the TTL of your CNAME:
This must be at most 300 seconds, so that changes to the CNAME entry will propagate in 5 minutes, otherwise web browsers may have cached your old CNAME setting and still go to the old insecure landing pages for hours or days.
Will URLs to my existing non-secure Marketo Landing Pages continue to work?
Yes, your existing Marketo landing pages will be redirected to the secure pages. There are only few situations where you must manually update the URL, specifically when you include a Marketo landing page on a secure website using an iframe: you will need to load the secure version of the landing page, otherwise the end user will get a security warning.
Converting Marketo Landing Pages to SSL does not affect any pages on your main (non-Marketo) website.
What do I need to do after go-live?
Do the following things:
- Re-approve all landing pages, which you can do in bulk by going to Design Studio, then clicking on “Landing Pages”. You can now multi-select pages and unapproved and approve again via the “Landing Page Actions” menu.
- If you include a Marketo landing page on a secure website using an iframe, you will need to load the secure version of the landing page, otherwise the end user will get a security warning.
- If you use a Marketo Form on a Non-Marketo Page, you will need to update the Post URL to HTTPS.
- If you do a server-side post to a Marketo Form and you use your CNAME as the Post URL, you also need to change that to HTTPS.