Hypertext Transfer Protocol Secure (HTTPS) is a communications protocol for secure communication over a computer network. The protocol applies Transport Layer Security cryptography to minimize the risk of unwanted/unknown third parties intercepting the transmission.
Higher Logic websites support HTTPS. In addition, the technical and often onerous process of acquiring a certificate has already been performed for your domain(s). Higher Logic default certificates from LetsEncrypt.org can be quickly applied to any domain in the Admin interface.
To manage your domains and certificates:
- Access the Admin interface.
- Navigate to Pages > Sites > Domain Settings.
NOTE: Some customers might want to use a unique/branded certificate. Externally-purchased certificates can also be applied to domains used by Higher Logic websites. This can be configured by a Higher Logic staff admin with the login credentials for managing the domain.
Add a default certificate
You can apply certificates supplied by Higher Logic to any domain that has been validated. Validation requires a CNAME that points at TENANT.connectedcommunity.org (where TENANT is the value found on the Admin > Pages > Sites > Domain Settings page).
NOTE: To learn more about CNAME and domains, see Higher Logic Community CNAME/DNS Instructions.
NOTE: Higher Logic does not provide certificates for "naked" or "root" domains. If you want to use one, you must purchase it from a Certificate Authority and add it to the Certificates page in the Admin interface.
TIP: If you need a Certificate Signing Request, visit csr.higherlogic.com, and complete all fields.
Steps to generate a default certificate
- Click the dropdown to the right of the list title and select Certificates.
- Click the plus symbol (+) to the right of the page title.
- Select Generate a free certificate.
- Select one of your organization's domains from the dropdown.
- Click Add.
The system will automatically enable the default certificate. This process will take approximately 20 to 30 minutes.
NOTE: Default certificates are generated via LetsEncrypt.org. These certificates will display Set to Auto-Renew. If the auto-renew fails, Failed Auto-Renewal will display.
Import a unique certificate
The process of purchasing, requesting, and validating the request can happen outside Higher Logic (typically, through the domain registrar). This process uses encryption in multiple steps and is quite complex.
- If you have the technical knowledge to complete this process, follow the steps below.
- If you don't have the technical knowledge, or are not comfortable performing these steps, create a case. We will either work with you to achieve the security standard or perform the steps ourselves, if provided domain login credentials.
TIP: Higher Logic recommends implementing reminders for when your custom certificate(s) will expire; the best practice is to ensure a replacement certificate is ready prior to the previous one's expiration.
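One way to drive such reminders, as an added example that is not part of Higher Logic's tooling: the sketch below reads the expiry date of the certificate a site presents and maps it to a reminder level. The function names and the 30/14/7-day thresholds are assumptions chosen for illustration.

```python
import socket
import ssl
from datetime import datetime, timezone

# Assumed reminder thresholds in days; choose values that match how long
# your certificate authority takes to issue a replacement.
REMINDER_DAYS = (30, 14, 7)

def days_until_expiry(not_after, now):
    """not_after is in the format getpeercert() returns,
    e.g. 'Jun  1 12:00:00 2030 GMT'; now is a timezone-aware datetime."""
    expires = datetime.fromtimestamp(ssl.cert_time_to_seconds(not_after),
                                     tz=timezone.utc)
    return (expires - now).days

def reminder_level(not_after, now, thresholds=REMINDER_DAYS):
    """Return 'EXPIRED', 'OK', or the tightest threshold already crossed."""
    days = days_until_expiry(not_after, now)
    if days < 0:
        return "EXPIRED"
    crossed = [t for t in sorted(thresholds) if days <= t]
    return f"RENEW_WITHIN_{crossed[0]}_DAYS" if crossed else "OK"

def fetch_not_after(hostname, port=443, timeout=5):
    """Read notAfter from the live certificate (needs network access).
    An already-expired certificate fails verification here and raises
    ssl.SSLCertVerificationError, which should itself be treated as an alert."""
    ctx = ssl.create_default_context()
    with socket.create_connection((hostname, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            return tls.getpeercert()["notAfter"]
```

Run from a daily scheduled job, `reminder_level(fetch_not_after("your.domain"), datetime.now(timezone.utc))` gives a value that can be routed to email or a ticket queue.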
These instructions are divided into two sets:
- The external process you'll need to complete to acquire the unique certificate.
- The steps you'll perform on your Higher Logic site to import the certificate.
External steps
- Confirm you have your password and domain registration login information for your domain registrar.
- Purchase a website certificate for the domain you want secured from a certificate authority (this is typically the company that hosts your domain). Certificates are generally less than $300.00.
- Create a certificate request to submit to the certificate authority. This is typically done via Microsoft IIS (a module of Microsoft Windows) or a certificate request generation tool provided by the certificate authority. Your certificate authority will have a web page or tool to accept the certificate request.
- Following submission of the certificate request, you will generally receive a file of the type CRT or CER. If the certificate authority instead responds with text, save it as a text file with a CER extension. Be sure to include all text and headers provided by the certificate authority in the text file.
- Complete the certificate request using the file from the previous step (this is generally finalized in Microsoft IIS). The completion of the certificate request will install the certificate on the user's local machine.
- Export a .pfx file – find the certificate you just installed using IIS and export it. This requires creation of a password. Save this file to your local machine and note the password.
Higher Logic steps
Now that you've exported the .pfx file, it's time to import it on your Higher Logic site.
- Navigate to Admin > Pages > Sites > Domain Settings.
- Click the dropdown to the right of the page title and select Certificates.
- Click the plus symbol (+) to the right of the page title.
- Select Import your own certificate.
- Complete the fields:
  - Name - Enter a name.
  - Admin Email - Provide an email address where you want management notifications to be sent.
- Click Choose File and browse your local machine to select the .pfx file.
- Enter the password you noted earlier in the Password field.
- Click Add to upload your file and close the dialog. The Private Key, Public Key, and Certificate Chain fields below will be filled in after upload.
- The system will automatically enable your uploaded certificate and assign it to the domain. This process will take approximately 20 to 30 minutes.
IMPORTANT: If you have an old or expired certificate associated to this domain, go ahead and delete it while the new certificate is processing. This will enable the system to automatically assign the new one after it has been processed.
Establish HTTPS security for a domain
- Click the dropdown to the right of the list title and select Certificate Assignments.
- Select a certificate in the list, followed by Change Schema.
- In the dialog, click the dropdown and select HTTPS.
- Click Change to apply the schema update.
The following are recommended actions to perform with an initial HTTPS schema update:
- Use the HTTP & HTTPS option initially to mitigate possible security issues.
- Review the sites using that domain for objects and references to HTTP. These will cause "unsecured" warnings that will disrupt user experiences. Embed code, image URLs, and external files referenced in page content and headers commonly need to be updated prior to committing to HTTPS.
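The review described above can be partly automated. The following added example (not Higher Logic code) scans page HTML for embeds, images, scripts and stylesheets still loaded over `http://`, which are the references that trigger "unsecured" warnings once the page itself is served over HTTPS. The tag list, function names and sample page are assumptions made for illustration.

```python
from html.parser import HTMLParser

# tag -> attributes that make the browser fetch a subresource.
# <a href> is navigation, not a subresource, so it is deliberately absent.
FETCHING_ATTRS = {
    "img": ("src", "srcset"), "source": ("src", "srcset"), "link": ("href",),
    "script": ("src",), "iframe": ("src",), "embed": ("src",),
    "audio": ("src",), "video": ("src", "poster"), "object": ("data",),
}
# <link> only loads a resource for these rel values (canonical etc. do not).
LOADING_RELS = {"stylesheet", "icon", "preload"}

class InsecureReferenceFinder(HTMLParser):
    """Collects (line, tag, attribute, url) for each http:// subresource."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag == "link":
            rels = set((dict(attrs).get("rel") or "").lower().split())
            if not rels & LOADING_RELS:
                return
        for name, value in attrs:
            if name not in FETCHING_ATTRS.get(tag, ()) or not value:
                continue
            # srcset is a comma-separated list of "url descriptor" entries
            entries = value.split(",") if name == "srcset" else [value]
            for entry in entries:
                url = (entry.split() or [""])[0]
                if url.lower().startswith("http://"):
                    self.findings.append((self.getpos()[0], tag, name, url))

def find_insecure_references(html):
    finder = InsecureReferenceFinder()
    finder.feed(html)
    finder.close()
    return finder.findings

# Constructed sample page (not taken from any real site).
SAMPLE_PAGE = """<html><head>
<link rel="stylesheet" href="http://static.example.org/site.css">
<link rel="canonical" href="http://www.example.org/home">
<script src="https://cdn.example.org/app.js"></script>
</head><body>
<img src="http://images.example.org/logo.png" alt="logo">
<a href="http://partner.example.org/">Partner</a>
</body></html>"""
```

On the sample, `find_insecure_references(SAMPLE_PAGE)` reports the stylesheet on line 2 and the image on line 6; the canonical link, the HTTPS script and the plain hyperlink are not flagged.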