FAQ: Certificates for SSL for Landing Pages & SSL for Tracking Links

Version 17

    Note: This information about procuring an SSL certificate is for Marketo's SSL for Landing Pages and Marketo’s SSL for Tracking Links services only.

    For information on Marketo’s new Secured Domains for Landing Pages, please see: Overview & FAQ: Secured Domains for Landing Pages. With Secured Domains for Landing Pages, Marketo procures the necessary certificate(s) and manages renewals.



    What types of certificate do you need?

    Our Professional Services team can help you determine the best certificate option for your instance, choosing from:

    • Standard certificate, covering a single domain such as www.mydomain.com
    • Wildcard certificate, covering any subdomain within a domain, such as *.mydomain.com
    • A SAN Certificate, which is capable of covering multiple domains, such as *.mydomain.com, pages.myotherdomain.com, and info.mycompany.com. Note that you must have a valid claim to all of the domains listed in order to purchase the certificate.



    Which vendor should you buy your SSL certificate from? 

    Marketo does not recommend any single provider, but the following SSL Providers are commonly used:

    • Comodo
    • DigiCert
    • GoDaddy
    • Network Solutions

    These certificates are recognized by most web browsers. Certain premium certificates will also show your name in the URL bar (usually in a green bar). These are more expensive and take longer to issue, because the SSL vendor will do more background checks before issuing such a certificate.


    Note: Starting with Chrome 66, Chrome will remove trust in Symantec-issued certificates issued prior to June 1, 2016. Chrome 66 is currently scheduled to be released to Chrome Beta users on March 15, 2018 and to Chrome Stable users around April 17, 2018. More information is available from the Google Security Blog.



    What format does the certificate need to be?

    When you download your certificate from the certificate vendor, please choose the PEM format, which is the standard format for Apache. If you are not able to get the certificate in the PEM format, please check with us: we may be able to convert it to the PEM format on our end.

    Often, you will also need to include root or intermediate certificates. These are additional certificates to guarantee the main certificate is recognized in all browsers. Here are some examples:

    • GoDaddy: gd_bundle.crt
    • Verisign: Symantec Secure Site Pro Intermediate CA Bundle

    These are just examples: please check with your SSL vendor to include the correct files for your particular certificate.



    How do you generate the CSR?

    Use the OpenSSL format to generate the CSR. Normally, your IT department or web server administrator will know how to do this. They will provide you with 2 files:

    • The CSR -> provide this when you purchase the certificate
    • The private key -> provide this to Marketo, together with the certificate

    If IT or the web team can’t provide this to you, you can fairly easily generate the CSR yourself. First, install OpenSSL. If you are on Windows, download it here: Shining Light Productions - Win32 OpenSSL


    Next, go to OpenSSL CSR Tool - Create Your CSR Faster | DigiCert.com to generate the command line instructions that you’ll need to generate the CSR. This is an example:


    openssl req -new -newkey rsa:2048 -nodes -out pages_marketo_com.csr -keyout pages_marketo_com.key -subj "/C=US/ST=California/L=San Mateo/O=Marketo Inc./CN=pages.marketo.com"


    Copy this to the clipboard. Then click on the Start menu, type “cmd” in the search box, right-click on the “cmd” program and select “Run as Administrator”. Click “Yes” if there is a security warning. Type the following on the command line:


    cd C:\OpenSSL-Win32\bin


    Then press the “enter” key.



    This brings you to the “bin” directory inside the OpenSSL directory. Then paste the code from the DigiCert website into the command window (click on the icon on the top left of the window to pull out the menu).



    Then press the “enter” key and your CSR and private key will be saved in C:\OpenSSL-Win32\bin.


    If you don’t want to install OpenSSL on your computer, you can use an online CSR Generator, for example: Create Certificate Signing Request (CSR) • Trustico®. However, please realize that this exposes your private key to the operator of that website, meaning that they could theoretically purchase an SSL certificate that is registered in your name. Use this option as a last resort, and realize that Marketo does not assume responsibility for the security of private keys that are generated in this way.



    What is the recommended Certificate term (1-year, 2-year)?

    Marketo recommends using certificates that are valid for at least 2 years. If you anticipate a domain name change in the near future, a shorter term may be prudent.



    Can you provide Marketo with more than one certificate? 

    No, this is not technically possible in our server architecture. If you need to secure multiple domains, please provide us with a wildcard certificate for multiple subdomains (*.company.com) or a SAN Certificate (also called UCC certificate). With a SAN certificate you can include multiple domains in a single certificate. (They need to be full domains; wildcards can’t be used.)



    Do secure landing pages affect the CNAME for your branded email tracking links? 

    No, the CNAME entry for branded email tracking links remains unchanged.



    Do you need to provide a Private Key?

    A private key is required for every certificate. With the private key you can generate the CSR (often, the private key is auto-generated when you generate the CSR). You will then purchase the certificate with the CSR, but we will still need to install the private key on the Marketo server, otherwise the certificate will not work.


    Example private key:

    -----BEGIN PRIVATE KEY-----
    [base64-encoded key data omitted]
    -----END PRIVATE KEY-----
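
    A pre-flight check for the CSR, certificate and private key described in the CSR and private-key answers above, as an added example that is not Marketo's tooling: it generates a key and CSR with the page's command, then confirms that the CSR and the certificate carry the same public key as the private key before anything is sent. The file names, the CN pages.example.com, and the self-signed certificate standing in for the vendor-issued one are assumptions.

```shell
#!/bin/sh
# Added example, not Marketo's tooling. File names, the CN and the self-signed
# stand-in certificate are assumptions made for this demo.

# Print the SHA-256 of the public key held in a key, CSR or certificate.
pubkey_fp() {   # usage: pubkey_fp key|csr|cert FILE
    case "$1" in
        key)  pub=$(openssl pkey -in "$2" -pubout -passin pass: 2>/dev/null) ;;
        csr)  pub=$(openssl req  -in "$2" -noout -pubkey 2>/dev/null) ;;
        cert) pub=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) ;;
        *)    false ;;
    esac || return 1    # unreadable or wrong file type: no fingerprint
    printf '%s\n' "$pub" | openssl sha256 | awk '{print $NF}'
}

# True only when the CSR or certificate carries the private key's public half.
same_key() {    # usage: same_key csr|cert FILE KEYFILE
    a=$(pubkey_fp "$1" "$2") || return 1
    b=$(pubkey_fp key "$3") || return 1
    [ "$a" = "$b" ]
}

# Pre-flight for the pair sent to Marketo; prints OK or the first problem.
preflight() {   # usage: preflight CERT KEY
    grep -q -- '-----BEGIN CERTIFICATE-----' "$1" ||
        { echo "not a PEM certificate"; return 1; }
    grep -q -- '-----BEGIN .*PRIVATE KEY-----' "$2" ||
        { echo "not a PEM private key"; return 1; }
    same_key cert "$1" "$2" ||
        { echo "certificate and key do not match"; return 1; }
    echo OK
}

# Demo material in DIR: key + CSR as in the page's command, a self-signed
# certificate in place of the vendor's (constructed), and an unrelated key.
make_demo() {   # usage: make_demo DIR CN
    ( umask 077 && cd "$1" &&
      openssl req -new -newkey rsa:2048 -nodes -out site.csr -keyout site.key \
          -subj "/C=US/ST=California/L=San Mateo/O=Example Inc./CN=$2" &&
      openssl x509 -req -in site.csr -signkey site.key -days 1 -out site.crt &&
      openssl genrsa -out other.key 2048 ) >/dev/null 2>&1
}

d=$(mktemp -d) && make_demo "$d" pages.example.com
echo "CSR/key:        $(same_key csr "$d/site.csr" "$d/site.key" && echo match)"
echo "cert/right key: $(preflight "$d/site.crt" "$d/site.key")"
echo "cert/wrong key: $(preflight "$d/site.crt" "$d/other.key")"
rm -rf "$d"
```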


    Why does it take about 3 weeks for Marketo to install the certificate? 

    To enable secure landing pages, we need to set up a dedicated landing page server for your organization. We will assign a new IP address for your new landing page server, install a new load balancer, reconfigure our internal DNS and install the certificate. This takes engineering time and coordination.


    Will the Munchkin JavaScript API also be encrypted via SSL?

    Yes, calls to the Munchkin JavaScript API automatically switch to SSL if the page on which the calls are made is SSL encrypted.