This is a guide on how BrandSSL can help companies set up fully-secured custom domain names for SaaS or e-commerce customers, without handling certificates or requiring any integration with external APIs.
The custom domain name problem in SaaS and E-commerce
A common problem for SaaS companies that provide B2B services is the offering of white-labeling with secured custom domain names for their customers. This problem also affects e-commerce companies that rely on white-labeled affiliates to sell their products through branded websites that they do not control.
In practice, it often looks like this:
Helppy is a SaaS company that provides helpdesk software to help its customers support their own customers.
Vira is a client of Helppy.
Vira wants to offer Helppy's helpdesk to its customers via a custom domain at helpdesk.vira.com.
Until recently, this solution was straightforward - Vira Company could point a CNAME record for 'helpdesk' at Helppy's servers.
However, with the widespread requirement for secure, encrypted HTTPS connections, simply pointing a CNAME record is not enough - a certificate needs to be issued to protect the traffic running through to Helppy's server.
Until today, Helppy's best bet was to ask Vira to CNAME over to Helppy's infrastructure, have Vira generate a private key and certificate signing request (CSR), send the latter to a CA for signing, and then securely provide Helppy with the key material (and again upon renewal).
This is a problem for Helppy—there could be thousands of customers like Vira Company, and provisioning and handling so many SSL certificates presents technical complexity. The burden of maintenance is high—either for Helppy's customers or their engineering and support teams.
After facing this issue ourselves in several businesses, we decided a better solution could be offered. In this post, we'll go over exactly how SaaS, e-commerce, helpdesks, and other B2B products could offer secured custom domain names to their customers through BrandSSL.
How BrandSSL works
BrandSSL is a globally distributed reverse proxy that handles SSL provisioning, renewals, and everything your engineering team needs to handle custom domains at scale.
BrandSSL manages the entire SSL lifecycle to secure your customer's vanity domain name. A typical request to a website will pass through several 'tunnels' of this type, but BrandSSL detects insecure traffic and runs scripts that automatically secure it once it is detected. This functionality, better known as "Certificate Provisioning," happens in conjunction with Let's Encrypt, the world's leading solution for SSL certificate issuance, and ZeroSSL.
BrandSSL serves two essential functions: it monitors network traffic for insecure connections and provides a secure tunnel through which traffic can safely flow.
There are currently two modes of "Certificate Provisioning" in BrandSSL, "On Demand" and "API Call".
With BrandSSL's On Demand SSL provisioning, which is the default, every domain name pointed at your unique BrandSSL domain name gets automatically secured in seconds. The alternative is API Call, which requires sending a POST request with your API key to our server.
If you are interested in learning more about what goes on at BrandSSL, check out our How it Works page.
Setting up BrandSSL for SaaS
To begin using BrandSSL, you'll need to create an account via our signup page at brandssl.io/register.
You'll be asked to select a plan as part of this process. You can find out more about our pricing on our pricing page.
Note: If you really don’t want to select a plan to see how BrandSSL works, you can test the system by pointing a CNAME record of any domain at my.brandssl.io. You’ll be able to see how BrandSSL provisions a certificate automatically, hopefully giving you enough confidence to give the app a shot!
After signing up, you'll need to enter your application endpoint, which is the address of your app server. This is the end of the BrandSSL tunnel: the address to which traffic needs to be proxied. Enter the address without the http:// or https:// prefix.
Finally, you'll need to enter the host which you'll be using to point to the BrandSSL server. In our example above, this would be the address Helppy would provide to Vira Company as the target for Vira Company's custom domain. Think of it as the entrance to the BrandSSL tunnel.
Click ‘Save’, and BrandSSL will validate and complete your setup.
You’re done! Customers can now point their custom URLs (e.g., helpdesk.viracompany.com) at your secure endpoint (secure.helppy.com), and BrandSSL will secure the connection automatically, proxying traffic onto your app’s endpoint (secure.helppy.com).
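One way to confirm from the outside that a customer's hostname is actually served with a valid certificate once the CNAME is in place. This is an added example, not BrandSSL's code: the function names, the 14-day renewal threshold and the sample certificate are assumptions of the example, and the sample is constructed so the check runs offline.

```python
import socket
import ssl
from datetime import datetime, timezone

def san_matches(hostname, pattern):
    """RFC 6125-style match: '*' is accepted only as the whole left-most label."""
    h = hostname.lower().rstrip(".").split(".")
    p = pattern.lower().rstrip(".").split(".")
    if len(h) != len(p):
        return False
    if p[0] == "*":
        return len(p) > 2 and h[1:] == p[1:]  # refuse '*.com'-style patterns
    return h == p

def assess_cert(hostname, cert, now=None, min_days=14):
    """Assess a dict shaped like the output of ssl.SSLSocket.getpeercert()."""
    now = now or datetime.now(timezone.utc)
    sans = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    expires = datetime.fromtimestamp(
        ssl.cert_time_to_seconds(cert["notAfter"]), timezone.utc)
    issuer = dict(rdn[0] for rdn in cert.get("issuer", ()))
    days_left = (expires - now).days
    return {
        "covers_host": any(san_matches(hostname, s) for s in sans),
        "days_left": days_left,
        "renewal_due": days_left < min_days,
        "issuer_org": issuer.get("organizationName", ""),
    }

def fetch_cert(hostname, port=443, timeout=5.0):
    """Live check: raises ssl.SSLCertVerificationError if chain or name is invalid."""
    ctx = ssl.create_default_context()  # verifies chain and hostname
    with socket.create_connection((hostname, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=hostname) as tls:
            return tls.getpeercert()

# Constructed sample, shaped like getpeercert() output (not a real certificate).
SAMPLE_CERT = {
    "subjectAltName": (("DNS", "helpdesk.vira.com"),),
    "issuer": ((("countryName", "US"),),
               (("organizationName", "Let's Encrypt"),)),
    "notAfter": "Jun  1 12:00:00 2030 GMT",
}

if __name__ == "__main__":
    print(assess_cert("helpdesk.vira.com", SAMPLE_CERT))
```

Against a live hostname, pass the result of `fetch_cert(hostname)` to `assess_cert`; a verification error from `fetch_cert` means the domain is not yet secured.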
Managing Custom URLs with BrandSSL
Once you’re inside, you’ll see that the admin interface offers a list of all of the secured domains attached to your account (screenshot deliberately blurred):
The simple BrandSSL management interface.
From the management screens, you can easily see whether a domain is secured or not. You can also delete any custom domains that you no longer wish to secure by clicking the disable button.
You can further customize your app by adding custom headers, selecting a default certificate authority, changing the on-demand settings, retrieving your API key, and more.