SSL Certificates and Marketo FAQ

Version 8

    Which vendor should you buy your SSL certificate from? 

    Marketo does not recommend any single provider, but the following SSL providers are commonly used:

    • VeriSign
    • Thawte
    • GeoTrust
    • Comodo
    • DigiCert
    • GoDaddy
    • Network Solutions
    • RapidSSL

    These certificates are recognized by most web browsers. Certain premium certificates will also show your name in the URL bar (usually in a green bar). These are more expensive and take longer to issue, because the SSL vendor does more background checks before issuing such a certificate.



    What format does the certificate need to be?

    When you download your certificate from the certificate vendor, please choose the PEM format, which is the standard format for Apache. If you are not able to get the certificate in the PEM format, please check with us: we may be able to convert it to the PEM format on our end.

    Often, you will also need to include root or intermediate certificates. These are additional certificates to guarantee the main certificate is recognized in all browsers. Here are some examples:

    • GoDaddy: gd_bundle.crt
    • VeriSign: Symantec Secure Site Pro Intermediate CA Bundle

    These are just examples: please check with your SSL vendor to include the correct files for your particular certificate.



    How do you generate the CSR? 

    Use the OpenSSL format to generate the CSR.  Normally, your IT department or web server administrator will know how to do this. They will provide you with 2 files:

    • The CSR -> provide this when you purchase the certificate
    • The private key -> provide this to Marketo, together with the certificate

    If IT or the web team can’t provide this to you, you can fairly easily generate the CSR yourself. First, install OpenSSL. If you are on Windows, download it here:

    Then go to the DigiCert website to generate the command-line instructions that you’ll need to create the CSR. This is an example:


    openssl req -new -newkey rsa:2048 -nodes -out pages_marketo_com.csr -keyout pages_marketo_com.key -subj "/C=US/ST=California/L=San Mateo/O=Marketo Inc./"


    Copy this to the clipboard. Then click on the Start menu, type “cmd” in the search box, right-click on the “cmd” program and select “Run as Administrator”. Click “Yes” if there is a security warning. Type the following on the command line:


    cd C:\OpenSSL-Win32\bin


    Then press the “enter” key.

    This brings you to the “bin” directory inside the OpenSSL directory. Then paste the code from the DigiCert website into the command window (click on the icon on the top left of the window to pull out the menu):


    Then press the “enter” key and your CSR and private key will be saved in C:\OpenSSL-Win32\bin.


    If you don’t want to install OpenSSL on your computer, you can use an online CSR Generator, for example: However, please realize that this exposes your private key to the operator of that website, meaning that they could theoretically purchase an SSL certificate that is registered in your name. Use this option as a last resort, and realize that Marketo does not assume responsibility for the security of private keys that are generated in this way.



    What is the recommended Certificate term (1-year, 2-year, 5-year)?

    Marketo recommends using certificates that are valid for at least 2 years. If you anticipate a domain name change in the near future, a shorter term may be prudent.



    Can you provide Marketo with more than one certificate? 

    No, this is not technically possible in our server architecture. If you need to secure multiple domains, please provide us with a wildcard certificate for multiple subdomains (* or a SAN Certificate (also called UCC certificate). With a SAN certificate you can include multiple domains in a single certificate. (They need to be full domains, wildcards can’t be used.)



    Do secure landing pages affect the CNAME for your branded email tracking links? 

    No, the CNAME entry for branded email tracking links remains unchanged.



    Do you always need a Private Key?

    A private key is required for every certificate. With the private key you can generate the CSR (often, the private key is auto-generated when you generate the CSR). You will then purchase the certificate with the CSR, but we will still need to install the private key on the Marketo server, otherwise the certificate will not work.


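    A private key in PEM format is a block of base64 text that starts with the line -----BEGIN PRIVATE KEY----- and ends with the line -----END PRIVATE KEY-----.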

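    The CSR step and the private key requirement described above can be checked locally before anything is sent to the vendor or to Marketo. The following is an added example, not part of the original FAQ or Marketo's tooling: it assumes a POSIX shell with OpenSSL on the PATH, and the file names, the O= value, the CN hostname pages.example.com and the helper names are placeholders.

```shell
#!/bin/sh
# Added example. File names, the O= value and the CN hostname are assumptions.

# Generate a 2048-bit RSA key and a CSR locally, as in the command above.
make_csr() {  # $1 = output basename, $2 = hostname for the CN
    ( umask 077  # create the key file readable by its owner only
      openssl req -new -newkey rsa:2048 -nodes \
          -out "$1.csr" -keyout "$1.key" \
          -subj "/C=US/ST=California/L=San Mateo/O=Example Inc./CN=$2" 2>/dev/null )
}

# SHA-256 of the DER-encoded public key inside a key, CSR or certificate.
pub_digest() {  # $1 = key|csr|cert, $2 = PEM file
    case "$1" in
        key)  pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) ;;
        csr)  pub=$(openssl req  -in "$2" -noout -pubkey 2>/dev/null) ;;
        cert) pub=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) ;;
        *)    return 2 ;;
    esac
    [ -n "$pub" ] || return 1   # unreadable file or wrong file type
    printf '%s\n' "$pub" | openssl pkey -pubin -outform DER |
        openssl dgst -sha256 -r | awk '{print $1}'
}

# Succeeds only if the CSR is validly self-signed and every file given
# carries the same public key as the private key.
check_match() {  # $1 = key, $2 = CSR, $3 = issued certificate (optional)
    openssl req -in "$2" -noout -verify 2>&1 | grep -q 'verify OK' ||
        { echo "CSR self-signature check failed"; return 1; }
    k=$(pub_digest key "$1") || { echo "cannot read key"; return 1; }
    [ "$k" = "$(pub_digest csr "$2")" ] ||
        { echo "CSR was not made from this key"; return 1; }
    if [ -n "${3:-}" ]; then
        [ "$k" = "$(pub_digest cert "$3")" ] ||
            { echo "certificate does not match this key"; return 1; }
    fi
    echo "public key sha256: $k"
}

# Demo in a scratch directory that is removed afterwards.
work=$(mktemp -d)
make_csr "$work/demo" pages.example.com &&
    check_match "$work/demo.key" "$work/demo.csr"
rm -rf "$work"
```

    Once the vendor has issued the certificate, pass it as the third argument to check_match; a mismatch means the certificate was issued for a different CSR and will not work with this key.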


    Why does it take about 3 weeks for Marketo to install the certificate? 

    To enable secure landing pages, we need to set up a dedicated landing page server for your organization. Non-secure landing pages are served from a shared web server, which is not suitable for secure pages.


    Setting up a dedicated secure landing page server takes some time because there is a lot of back-end work involved, done by one of our network engineers. We will assign a new IP address for your new landing page server, install a new load balancer, reconfigure our internal DNS and install the certificate.



    Checking & Changing the TTL

    At least one day before the switch-over to the new secure landing pages, change the TTL of your CNAME to at most 300 seconds. In your DNS admin panel, you can set the TTL. If you don’t have access to the DNS admin panel, you can use this website to look up the TTL of your CNAME:



    This must be at most 300 seconds, so that changes to the CNAME entry will propagate in 5 minutes. Otherwise web browsers may have cached your old CNAME setting and still go to the old insecure landing pages for hours or days.
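    One way to check the 300-second limit from a terminal, as an added example that is not part of the original FAQ: it parses dig answer lines, and the helper name, host names and records shown are constructed.

```shell
#!/bin/sh
# Added example; the records below are constructed, not real lookups.

# Reads `dig +noall +answer NAME CNAME` output on stdin and checks every CNAME
# record against the TTL limit. Fails if a TTL is too long or no CNAME is found.
check_cname_ttl() {  # $1 = maximum TTL in seconds
    awk -v max="$1" '
        $3 == "IN" && $4 == "CNAME" {
            seen = 1
            verdict = ($2 + 0 <= max + 0) ? "OK" : "TOO_LONG"
            if (verdict != "OK") bad = 1
            printf "%s %s ttl=%s -> %s\n", verdict, $1, $2, $5
        }
        END { exit !(seen && !bad) }'
}

# Constructed sample answers: before and after lowering the TTL.
before='pages.example.com. 3600 IN CNAME lp.example.net.'
after='pages.example.com. 300 IN CNAME lp.example.net.'

printf '%s\n' "$before" | check_cname_ttl 300 || echo "lower the TTL first"
printf '%s\n' "$after"  | check_cname_ttl 300 && echo "ready for switch-over"
```

    A caching resolver reports the time remaining in its cache, which counts down between queries; to read the configured value, send the query to the zone's authoritative name server (dig +noall +answer NAME CNAME @SERVER) and pipe the output into check_cname_ttl 300.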



    Will URLs for your existing non-secure Marketo Landing Pages continue to work? 

    Yes, your existing Marketo landing pages will be redirected to the secure pages. There are only a few situations where you must manually update the URL, specifically when you include a Marketo landing page on a secure website using an iframe. You will need to load the secure version of the landing page, otherwise the end user will get a security warning.


    Converting Marketo Landing Pages to SSL does not affect any pages on your main (non-Marketo) website.



    What do you need to do after go-live? 

    Do the following things:

    • Re-approve all landing pages, which you can do in bulk by going to Design Studio, then clicking on “Landing Pages”. You can select all pages and unapprove and re-approve via the “Landing Page Actions” menu.
    • It is also recommended to change all images, JavaScript files and other external links in landing pages to HTTPS, otherwise users may get an “Insecure Content on Secure Pages” error.
    • If you include a Marketo landing page on a secure website using an iframe, you will need to update the HTML to load the secure version of the landing page, otherwise the end user will get a security warning.
    • If you use a Marketo Form on a Non-Marketo Page, you will need to update the Post URL to HTTPS.
    • If you do a server-side post to a Marketo Form and use your CNAME as the Post URL, you also need to change that to HTTPS.  Please note that server-side form posts are not supported and you should make a Marketo form submission in the background instead.
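    The second, third and fourth items can be checked on a saved copy of a page. This is an added example, not Marketo's tooling: the helper name and the sample HTML are constructed, and the pattern match is a first pass, so review each finding (a link tag, for instance, is not always a loaded resource).

```shell
#!/bin/sh
# Added example; the HTML below is constructed.

# Print "tag attribute url" for each sub-resource, iframe or form target that
# still uses plain HTTP (one finding per tag). <a href> links are navigation,
# not mixed content, so they are not reported.
find_insecure_refs() {  # $1 = HTML file
    tr '\n' ' ' < "$1" |
    grep -oiE '<(img|script|iframe|link|form|embed|source|video|audio)[^>]*[[:space:]](src|href|action)=["'\'']?http://[^"'\'' >]+' |
    sed -E 's/^<([A-Za-z]+).*[[:space:]]([A-Za-z]+)=["'\'']?(http:.*)$/\1 \2 \3/'
}

# Constructed landing page: three plain-HTTP references, one HTTPS script
# and one ordinary link that must not be reported.
page=$(mktemp)
cat > "$page" <<'EOF'
<html><body>
<img src="http://img.example.com/logo.png" alt="logo">
<script src="https://cdn.example.com/app.js"></script>
<a href="http://www.example.com/about">About</a>
<iframe
   src="http://pages.example.com/signup.html"></iframe>
<form method="post" action="http://pages.example.com/submit">
</form></body></html>
EOF
find_insecure_refs "$page"
rm -f "$page"
```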


    Will the Munchkin JavaScript API also be encrypted via SSL?

    Yes, calls to the Munchkin JavaScript API automatically switch to SSL if the page on which the calls are made is SSL encrypted.