How to secure custom domain names on BrandSSL
The custom domain name problem in SaaS and E-commerce
A common problem for SaaS companies that provide B2B services is the offering of white-labeling with secured custom domain names for their customers. This problem also affects e-commerce companies that rely on white-labeled affiliates to sell their products through branded websites that they do not control.
- In practice, this often looks like this:
- Helppy is a SaaS company looking to provide helpdesk software to help customers support their customers
- Vira is a client of Helppy
- Vira wants to offer Helppy's helpdesk to it's customers via a custom domain at helpdesk.vira.com
Until recently, this solution was straightforward - Vira Company could just point a CNAME record for 'helpdesk' at Helppy's servers.
However, with the widespread requirement for secured, encrypted HTTPS connections, simply pointing a CNAME record is not enough - a certificate needs to be issued to protect the traffic running through to Helppy's server.
Until today Helppy's best bet was to ask Vira to CNAME over to their infrastructure, have Vira generate a private key and certificate signing request (CSR), send the latter to a CA for signing, and then securely provide Vira with the key material (and again upon renewal).
This is a problem for Helppy - there could be thousands of customers like Vira Company, and provisioning and handling of so many SSL certificates presents technical complexity, and the burden of maintenance is high—either for Helppy's customers or their engineering and support teams.
After facing this issue ourselves in several businesses, we decided a better solution could be offered - in this post, we'll be going over exactly how SaaS, e-commerce, helpdesks, and other B2B products could offer secured custom domain names to their customers through BrandSSL.
How BrandSSL works
BrandSSL is a globally distributed reverse proxy through which data to and from a website passes between the server and the customer's computer.
BrandSSL manages the entire SSL lifecycle for securing your customer's vanity domain name. A typical request to a website will pass through several 'tunnels' of this type, but BrandSSL is equipped with detection for insecure traffic, and scripts that run to automatically secure the traffic once it is detected. This functionality better known as "Certificate Provisioning" happens in conjunction with Let's encrypt, the worlds leading solution for SSL certificate issuance and Zero SSL.
Essentially, BrandSSL acts both as a monitor for insecure traffic and, once the traffic is secured, the tunnel through which it flows.
There are currently two modes of certificate provisioning in BrandSSL, "On Demand" and "API Call".
With BrandSSL's On Demand SSL provisioning, which is the default, every domain name pointed at your unique BrandSSL domain name gets automatically secured in seconds. The alternative being API Call requires you to send a post request with your API key to our server.
If you are keen to learn more about what’s under the hood at BrandSSL, check out the How it Works page for further information.
Setting up BrandSSL for SaaS
To begin using BrandSSL, you'll need to create an account via the signup page at www.brandssl.io/register
You'll be asked to select a plan as part of this process. You can find out more about our pricing on our pricing page
After signing up, you'll need to enter your application endpoint - the address of your app server. This is the end of the BrandSSL tunnel – the address to where traffic needs to be proxied. Note that you shouldn’t enter HTTP or HTTPS on this address.
Finally, you’ll need to enter the host which you’ll be using to point to the BrandSSL server. In our example above, this would be the address that Helppy would provide to Vira Company to point Vira Company’s custom domain at. Think of it as the entrance to the BrandSSL tunnel.
Click ‘Save’ and BrandSSL will validate and complete your setup.
You’re done! You can now have customers point their custom URLs (e.g. helpdesk.viracompany.com) at your secure endpoint (secure.helppy.com) and BrandSSL will secure the connection automatically, proxying traffic onto your app’s endpoint (secure.helppy.com).
Managing Custom URLs with BrandSSL
Once you’re inside, you’ll see that the admin interface offers a list of all of the secured domains attached to your account (screenshot deliberately blurred):
From the management screens, you can easily see whether a domain is secured or not, you can also delete any custom domains that you no longer wish to secure, by clicking the disable button.
You can further customize your app by adding custom headers, changing the on-demand settings, and retrieving your API key.
