Certificates for domains

You add the first SSL server certificate to a domain as part of creating the domain. Once a domain exists, you can add certificates to it at any time. You can also delete certificates from a domain. However, if the domain is associated with any networks, you cannot delete the last certificate.

For example, you might choose to add a certificate from a trusted vendor and then delete any self-signed certificates associated with the domain. Or, you might choose to add a certificate before the last valid certificate for the domain expires.

You can add a certificate to a domain in these ways:

  • By having HCP generate and install a new self-signed certificate. In this case, the new certificate has an expiration date that’s five years later than the current date.
  • By generating a certificate signing request (CSR), sending it to a certificate authority (CA), and installing the returned certificate.

    A domain can have only one outstanding CSR at a time.

  • By installing a certificate that’s created outside of HCP.

At any given time, the combined number of certificates and outstanding CSRs for a domain cannot exceed ten.

Certificate signing requests and returned certificates

SSL server certificates are available from several trusted sources. To obtain a certificate, you need to create a certificate signing request (CSR) and present it to a certificate authority (CA). The CA then generates the requested certificate and makes it available to you as an email attachment, as text embedded in the body of an email, or as a download from a web page:

  • If the certificate is an email attachment, save it to disk.

    Use .cer as the extension for the certificate file name.

  • If the certificate is embedded in an email or downloadable from a web page, copy and paste it into a new text file. Then save the file to disk.

    Important: Use a simple text editor to do this. Do not use Microsoft® Word or any other word-processing program to create the text file.

You can create a CSR by using the HCP System Management Console or a third-party tool. When you use the System Management Console, however, HCP securely stores the private key needed for installing the returned certificate, so you don’t need to save it yourself.

Certificates created outside HCP

You can create an SSL server certificate yourself by using a third-party tool such as OpenSSL, which is publicly available. Or, you can create a CSR yourself and use that to get a certificate from a CA.

Certificates created outside HCP have two passwords: one for the PKCS12 object containing the certificate and one for the private key for the certificate. To install the certificate in HCP, these passwords must be identical.
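The CSR and PKCS12 steps above, worked through with OpenSSL as an added example (this is not HCP's own tooling or documentation); the working directory, the server name hcp.example.com and the passphrase are assumed sample values.

```shell
#!/bin/sh
# Added example, not from the HCP documentation. WORK, the server name and the
# passphrase are assumed sample values; openssl must be on PATH.
set -eu
WORK="${WORK:-$(mktemp -d)}"
CN="hcp.example.com"   # assumed server name for the HCP domain

# Older openssl releases require a distinguished_name section even when -subj gives the subject.
write_req_config() { printf '[req]\ndistinguished_name = dn\n[dn]\n' > "$WORK/req.cnf"; }

# Private key plus a CSR to send to a CA (the "create a CSR yourself" path).
make_key_and_csr() {
  write_req_config
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$WORK/server.key" 2>/dev/null
  openssl req -new -config "$WORK/req.cnf" -key "$WORK/server.key" -subj "/CN=$CN" -out "$WORK/server.csr"
}

# Check that the CSR parses and its self-signature verifies before sending it off.
verify_csr() { openssl req -in "$WORK/server.csr" -noout -verify >/dev/null 2>&1; }

# Self-signed certificate, 1825 days so it matches the five-year lifetime HCP gives its own self-signed certificates.
make_self_signed() {
  write_req_config
  openssl req -x509 -config "$WORK/req.cnf" -key "$WORK/server.key" -subj "/CN=$CN" \
    -days 1825 -out "$WORK/server.cer"
}

# PKCS12 container. openssl pkcs12 -export protects the container and the embedded key with
# the same passphrase, which is what HCP requires (the two passwords must be identical).
bundle_pkcs12() {  # $1 = passphrase
  openssl pkcs12 -export -in "$WORK/server.cer" -inkey "$WORK/server.key" -name hcp-server \
    -passout "pass:$1" -out "$WORK/server.p12"
}

# Pre-install check: returns 0 only if ONE passphrase opens both the container (MAC check)
# and the private key inside it, i.e. the file will not be rejected for mismatched passwords.
verify_pkcs12() {  # $1 = .p12 file, $2 = passphrase
  openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys -noout >/dev/null 2>&1 || return 1
  openssl pkcs12 -in "$1" -passin "pass:$2" -nocerts -nodes 2>/dev/null | grep -q 'PRIVATE KEY'
}

# Subject of the bundled certificate, to confirm the right certificate went into the container.
pkcs12_subject() {  # $1 = .p12 file, $2 = passphrase
  openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys -clcerts 2>/dev/null | openssl x509 -noout -subject
}

# Whole pipeline; returns non-zero if any step fails. Example: build_all 'change-me-example'
build_all() {  # $1 = passphrase
  make_key_and_csr && verify_csr && make_self_signed && bundle_pkcs12 "$1" \
    && verify_pkcs12 "$WORK/server.p12" "$1"
}
```

After `build_all`, `$WORK/server.csr` is what you send to the CA and `$WORK/server.p12` is the file you install in HCP with the one passphrase you chose.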