Cloudflare SSL for SaaS Providers
The adoption of SSL/TLS encryption for online organizations has become a security best practice, and is increasingly becoming a requirement due to pressures by large technology companies aspiring to build a safer Internet. For example, the Google Chrome web browser began visibly labeling websites not using HTTPS as “Not Secure” for their users at the end of 20161. In parallel, Mozilla’s FireFox web browser began issuing even graver warnings to users who attempt to submit information info forms not protected by HTTPS.2
Cloudflare SSL for SaaS allows a SaaS company’s end customer to continue using a custom vanity domain, while securing its communication through SSL. End customer benefits include a branded visitor experience, improved trust, SEO rankings, and the ability to use HTTP/2 for greater speed improvements. Cloudflare automates the entire SSL lifecycle, from purchasing to deploying, and to renewing certificates, which is done in minutes, allowing SaaS companies to offer this benefit as part of their customer onboarding flow.
There are three scenarios in which SaaS provider can find themselves in, when addressing SSL end customer needs:
Unencrypted but branded vanity domain
Custom vanity domains without SSL lack performance benefits of SSL and secure data transfer, making them vulnerable to snooping and content being modified or injected before reaching visitors.
Encrypted but unbranded domain
Domains which have SSL enabled through a SaaS provider lack a custom vanity domain, resulting in brand degradation and lower SEO rankings.
Challenging in-house approach
Saas providers who want encrypted branded vanity domains can either manually manage SSL lifecycles, resulting in long deployment times and overhead costs or build a complex automated in-house solution.
CTO of Olo
Ready to optimize the performance and security of your SaaS offering?
Get in touch with Cloudflare.
Branded Visitor Experiences
SaaS providers offering end customers the option of bringing a branded custom domain can continue to do so, while enjoying the added benefits of a fully managed SSL certificate. Branded domains offer end customers higher SEO rankings and improved visitor trust.
Secure and Performant Customer Assets
SSL/TLS certificates on end customer domains ensure the secure transport of sensitive customer data, protecting against on-path attacker attacks and network snooping. Additionally, the HTTP/2 protocol becomes available for even greater speed improvements.
Automated SSL Lifecycle Management
Cloudflare manages the entire SSL lifecycle for a SaaS provider’s customer vanity domain, from private key creation and protection through domain validation, issuance, renewal, and reissuance.
Rapid Global SSL Deployments
During the SSL issuance process, Cloudflare deploys new certificates across its global network of data centers in 200 cities, bringing HTTPS online within minutes, as close as possible to visitors.
How does SSL for SaaS work?
The SSL for SaaS process is entirely handled by Cloudflare, and only requires SaaS providers to send a single API call — or make a few clicks in the Cloudflare dashboard — as part of an end customer custom domain onboarding workflow. After which, SaaS provider end customers need only to add the initial CNAME into the SaaS provider’s domain. Cloudflare manages the rest of the custom domain onboarding process entirely.
The rest of this process is managed by Cloudflare and includes:
- Requesting the certificate authority to validate the end customer’s custom domain for SSL certificate issuance.
- Receive a validation token from the certificate authority and makes it accessible from Cloudflare’s edge.
- Instructs the certificate authority to complete HTTP validation and then requests that the certificate authority issue SSL certificates.
- Receive certificates and pushes them to Cloudflare’s network edge of data centers in 200 cities around the world, optimizing for latency and TLS performance.
Frequently Asked Questions
Q: How is my customers’ traffic sent to my origin? Is it secured?
A: Yes, Cloudflare encourages you to use the Full or Strict SSL mode so that traffic sent to your origin utilizes HTTPS. This option can be configured in the Crypto tab of your zone. If you’re using Strict mode, you must ensure that the certificates on your origin contain a Subject Alternative Names (SAN) that matches your customer’s hostname, e.g. support.yourcustomer.site. Our Origin CA product can be used to generate these certificates for use with Strict mode.
Q: How long does it take to issue a certificate and have it ready for use?
A: Certificates are typically validated, issued, and pushed to our edge within a few minutes. You are able to monitor progress through the various states—Initializing, Pending Validation, Pending Issuance, Pending Deployment, Active—by making a GET call.
$ curl -sXGET -H "X-Auth-Key: [YOUR KEY]" -H "X-Auth-Email: [YOUR EMAIL]" https://www.cloudflare.com/api/v4/zones/[ZONE ID]/custom_hostnames?hostname=support.yourcustomer.site
{
"result": {
"id": "cdc2a12a-99b3-48b8-9039-ad1b48c639e5",
"hostname": "support.yourcustomer.site",
"ssl": {
"id": "3463325d-8116-48f3-ab4e-a75fb9727326",
"type": "dv",
"method": "http",
"status": "active"
}
},
"success": true
}
Q: What about renewals or reissuances? Do I or my customers have to do anything?
A: No, Cloudflare take care of all of this for you. The certificates we issue are valid for one full year (365 days) and will be renewed automatically at least 30 days prior to expiration. These certificates are uniquely issued in your customer’s hostname and, so as long as the CNAME is still in place, we can continue to easily renew by demonstrating “domain validation control” of that hostname. If the customer has churned, we encourage you to send Cloudflare a DELETE request so Cloudflare can pull the certificate from the edge and not attempt to renew.
Q: What benefits of Cloudflare will my customers enjoy?
A: With the exception of protecting your customers’ DNS infrastructure (unless they’re also using Cloudflare for authoritative nameservice), the short answer is: all of them. Once their traffic is pointed to your white label hostname, Cloudflare is able to provide industry leading DDoS protection, CDN, WAF, HTTP/2, load balancing, and more.
Q: What if my customer is already using HTTPS on their custom hostname? Is there a way to avoid downtime while migrating?
A: In some cases, you may have already pieced together a solution internally based on customer provided key material. Or your customer is using their desired hostname with a competitor (or internal solution) that provides HTTPS and cannot tolerate a short maintenance window.
For these cases, we have extended the two alternative “pre-validation” methods available in Dedicated Certificates to our SSL for SaaS offering: email and CNAME. Simply change the SSL method in the API call above from “http” to “email” or “cname” and send the request. See the API documentation for more information.
The other alternative method, CNAME token, is typically used when you control DNS for the vanity names (some of our SaaS customers, especially those providing website building and hosting services, allow the custom domain to be registered as part of the workflow).
Lastly, you’re free to serve the HTTP token returned by the “http” validation method on your origin (instead of letting Cloudflare insert it during the reverse proxy) and our automated retry queue will detect it once it is in place. If you’d like to tell Cloudflare once it’s in place and have it retry immediately, you can always send a PATCH to the endpoint with the same SSL body as you sent during POST and we’ll immediately check for it.
Ready to optimize the performance and security of your SaaS offering?
Get in touch with Cloudflare.