Setting up BrandSSL

Easy to setup, simple to manage

How to secure custom domain names on BrandSSL

This is a guide on how BrandSSL can help companies set up fully-secured custom domain names for SaaS or e-commerce customers, without handling certificates or requiring any integration with external APIs.

The custom domain name problem in SaaS and E-commerce

A common problem for SaaS companies that provide B2B services is the offering of white-labeling with secured custom domain names for their customers. This problem also affects e-commerce companies that rely on white-labeled affiliates to sell their products through branded websites that they do not control.

  • In practice, this often looks like this:
  • Helppy is a SaaS company looking to provide helpdesk software to help customers support their customers
  • Vira is a client of Helppy
  • Vira wants to offer Helppy's helpdesk to it's customers via a custom domain at

Until recently, this solution was straightforward - Vira Company could just point a CNAME record for 'helpdesk' at Helppy's servers.

However, with the widespread requirement for secured, encrypted HTTPS connections, simply pointing a CNAME record is not enough - a certificate needs to be issued to protect the traffic running through to Helppy's server.

Until today Helppy's best bet was to ask Vira to CNAME over to their infrastructure, have Vira generate a private key and certificate signing request (CSR), send the latter to a CA for signing, and then securely provide Vira with the key material (and again upon renewal).

This is a problem for Helppy - there could be thousands of customers like Vira Company, and provisioning and handling of so many SSL certificates presents technical complexity, and the burden of maintenance is high—either for Helppy's customers or their engineering and support teams.

After facing this issue ourselves in several businesses, we decided a better solution could be offered - in this post, we'll be going over exactly how SaaS, e-commerce, helpdesks, and other B2B products could offer secured custom domain names to their customers through BrandSSL.

How BrandSSL works

BrandSSL is a globally distributed reverse proxy through which data to and from a website passes between the server and the customer's computer.

BrandSSL manages the entire SSL lifecycle for securing your customer's vanity domain name. A typical request to a website will pass through several 'tunnels' of this type, but BrandSSL is equipped with detection for insecure traffic, and scripts that run to automatically secure the traffic once it is detected. This functionality better known as "Certificate Provisioning" happens in conjunction with Let's encrypt, the worlds leading solution for SSL certificate issuance and Zero SSL.

Essentially, BrandSSL acts both as a monitor for insecure traffic and, once the traffic is secured, the tunnel through which it flows.

There are currently two modes of certificate provisioning in BrandSSL, "On Demand" and "API Call".

With BrandSSL's On Demand SSL provisioning, which is the default, every domain name pointed at your unique BrandSSL domain name gets automatically secured in seconds. The alternative being API Call requires you to send a post request with your API key to our server.

If you are keen to learn more about what’s under the hood at BrandSSL, check out the How it Works page for further information.

Setting up BrandSSL for SaaS

To begin using BrandSSL, you'll need to create an account via the signup page at

You'll be asked to select a plan as part of this process. You can find out more about our pricing on our pricing page

After signing up, you'll need to enter your application endpoint - the address of your app server. This is the end of the BrandSSL tunnel – the address to where traffic needs to be proxied. Note that you shouldn’t enter HTTP or HTTPS on this address.

Finally, you’ll need to enter the host which you’ll be using to point to the BrandSSL server. In our example above, this would be the address that Helppy would provide to Vira Company to point Vira Company’s custom domain at. Think of it as the entrance to the BrandSSL tunnel.

Click ‘Save’ and BrandSSL will validate and complete your setup.

You’re done! You can now have customers point their custom URLs (e.g. at your secure endpoint ( and BrandSSL will secure the connection automatically, proxying traffic onto your app’s endpoint (

Managing Custom URLs with BrandSSL

Once you’re inside, you’ll see that the admin interface offers a list of all of the secured domains attached to your account (screenshot deliberately blurred):

From the management screens, you can easily see whether a domain is secured or not, you can also delete any custom domains that you no longer wish to secure, by clicking the disable button.

You can further customize your app by adding custom headers, changing the on-demand settings, and retrieving your API key.

Performance and Reliability as a Standard

At BrandSSL reliability is a vital core of our services, understanding deeply the critical importance of seamless uptime. Our globally distributed infrastructure, is designed for ultra-reliability, ensuring we deliver the highest standard of SSL security and performance, every minute of the day.
Custom domain names secured
Of requests served daily
Service uptime


Have a question not covered here? Reach out to
All certificates are validated and issued within a few seconds
Yes, as long as the domain owner adds a DNS entry pointing to the service. Apex (root) and subdomains are secured automatically
Yes, with BrandSSL's Custom SSL feature, you can upload your own custom SSL certificates. Please refer to our API documentation for detailed instructions on how to upload, update, and remove your custom SSL certificates.
Yes, as part of signing up we will ask you to point a CNAME at our service. e.g. to a BrandSSL domain. The is what your clients will use and add to their DNS
No – While BrandSSL is provisioning the service we’ll send the traffic as http and then transition to https once the SSL certificate is in place.
BrandSSL will automatically renew and manage the SSL certificates
Still have unanswered questions? Get in touch