Cloudflare SSL for SaaS Providers

The adoption of SSL/TLS encryption by online organizations has become a security best practice, and is increasingly becoming a requirement because of pressure from large technology companies aspiring to build a safer Internet. For example, at the end of 2016 the Google Chrome web browser began visibly labeling websites not using HTTPS as “Not Secure” for their users.[1] In parallel, Mozilla’s Firefox web browser began issuing even graver warnings to users who attempt to submit information into forms not protected by HTTPS.[2]

Cloudflare SSL for SaaS allows a SaaS company’s end customer to keep using a custom vanity domain while its traffic is secured with SSL/TLS. End customer benefits include a branded visitor experience, improved trust, better SEO rankings, and the ability to use HTTP/2 for greater speed. Cloudflare automates the entire SSL lifecycle, from issuance through deployment to renewal, in minutes, allowing SaaS companies to offer this benefit as part of their customer onboarding flow.

A SaaS provider addressing its end customers’ SSL needs typically finds itself in one of three scenarios:

Unencrypted but branded vanity domain

Custom vanity domains without SSL lack both encrypted data transfer and the performance features, such as HTTP/2, that browsers only enable over HTTPS. Their traffic is exposed to snooping, and content can be modified or injected before it reaches visitors.

Encrypted but unbranded domain

Domains that have SSL enabled through a SaaS provider, but run under the provider’s own domain rather than a custom vanity domain, suffer brand degradation and lower SEO rankings.

Challenging in-house approach

SaaS providers who want encrypted, branded vanity domains must either manage SSL lifecycles manually, which brings long deployment times and overhead costs, or build a complex automated in-house solution.

“With SSL for SaaS we have implemented a simpler flow because Cloudflare’s API handles the provisioning, serving, automated renewal and maintenance of our customers’ SSL certificates. Plus, end-to-end HTTPS now means we have bolstered privacy and performance for our customers, and can leverage browser features, like Local Storage, that we couldn’t use before.”
Andrew Murray
CTO of Olo

Ready to optimize the performance and security of your SaaS offering?

Get in touch with Cloudflare.

Branded Visitor Experiences

SaaS providers offering end customers the option of bringing a branded custom domain can continue to do so, while enjoying the added benefits of a fully managed SSL certificate. Branded domains offer end customers higher SEO rankings and improved visitor trust.

Secure and Performant Customer Assets

SSL/TLS certificates on end customer domains ensure the secure transport of sensitive customer data, protecting against man-in-the-middle attacks and network snooping. Additionally, the HTTP/2 protocol becomes available for even greater speed improvements.

Automated SSL Lifecycle Management

Cloudflare manages the entire SSL lifecycle for a SaaS provider’s customer vanity domain, from private key creation and protection through domain validation, issuance, renewal, and reissuance.

Rapid Global SSL Deployments

During the SSL issuance process, Cloudflare deploys new certificates across its global network of 116 data centers, bringing HTTPS online within minutes, as close as possible to visitors.

Challenges of Building an In-House SSL Solution

There are two paths that can be taken to build an in-house SSL solution for custom vanity domains, and both demand extensive effort from the SaaS provider and from its end customers. The automated path (upper, in the diagram below) automates the SSL process but requires substantial engineering effort and brings complex security challenges, above all the safe handling of private keys. The manual path (lower) requires effort from both the SaaS provider’s teams and their end customers, with a higher chance of missed certificate expiration deadlines and resulting outages. Regardless of which path is chosen, performance is likely to suffer unless the SSL certificates can be deployed on a large, globally distributed network.

[Diagram: engineering effort over time as the number of websites grows, for three paths that all start from HTTP-only CNAMEs]
Manual Path: Manually upload certificates; Manually manage certificate lifecycles; Build and train customer contact team; Manual renewals with required customer effort
Automated Path: Custom API integration (e.g. using Let’s Encrypt); Advanced challenges; Securely handle encryption keys; Global certificate distribution network; Ongoing maintenance and continued support efforts
Cloudflare Path: Easy Cloudflare API / UI integration

HTTP-only CNAMEs

Starting out, a SaaS provider’s end customers send and receive only plain HTTP traffic on the custom vanity domains they have CNAMEd to the provider.

How does SSL for SaaS work?

The SSL for SaaS process is handled entirely by Cloudflare. The SaaS provider sends a single API call (or makes a few clicks in the Cloudflare dashboard) as part of its custom domain onboarding workflow, and the end customer adds a single CNAME record pointing the custom hostname at the SaaS provider’s domain. Cloudflare manages the rest of the custom domain onboarding process.

The rest of the process is managed by Cloudflare, which:

  • Requests that the certificate authority validate the end customer’s custom domain for SSL certificate issuance.
  • Receives a validation token from the certificate authority and makes it accessible from Cloudflare’s edge.
  • Instructs the certificate authority to complete HTTP validation, then requests that the certificate authority issue the SSL certificate.
  • Receives the certificate and pushes it to Cloudflare’s network edge of 116+ data centers around the world, optimizing for latency and TLS performance.

Frequently Asked Questions

Q: How is my customers’ traffic sent to my origin? Is it secured?

A: Yes, provided you configure it. Cloudflare encourages you to use the Full or Full (Strict) SSL mode so that traffic sent to your origin uses HTTPS; this option is configured in the Crypto tab of your zone. Full mode encrypts the connection to your origin but does not validate the origin’s certificate, so only Full (Strict), which validates it, protects that hop against an attacker presenting their own certificate. If you use Full (Strict), the certificate on your origin must contain a Subject Alternative Name (SAN) that matches your customer’s hostname, e.g. support.yourcustomer.site. Our Origin CA product can be used to generate these certificates for use with Full (Strict) mode.
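The SAN check this answer calls for, as an added example that is not code from the Cloudflare page or product: a small Python helper that decides whether an origin certificate’s dNSName SANs cover a customer hostname under the matching rules TLS clients apply (case-insensitive exact match, or a wildcard that is the whole leftmost label and stands for exactly one label), plus a network helper that pulls the SANs from a live origin while sending the customer hostname as SNI. The SAN lists and hostnames are constructed sample data.

```python
"""Does the origin certificate cover a customer's hostname? (added example)

Matching rules used by TLS clients for dNSName SANs: case-insensitive exact
match, or a wildcard that is the whole leftmost label and matches exactly one
label. The SAN lists and hostnames below are constructed sample data.
"""
import socket
import ssl


def san_matches(hostname: str, san: str) -> bool:
    """True if one dNSName SAN entry covers hostname."""
    hostname = hostname.lower().rstrip(".")
    san = san.lower().rstrip(".")
    if not san.startswith("*."):
        return hostname == san          # plain name: exact match only
    suffix = san[1:]                    # "*.example.com" -> ".example.com"
    if "*" in suffix or not hostname.endswith(suffix):
        return False
    leftmost = hostname[: -len(suffix)]
    # The wildcard stands for exactly one non-empty label, so *.example.com
    # covers app.example.com but neither example.com nor a.b.example.com.
    return leftmost != "" and "." not in leftmost


def missing_sans(customer_hostnames, origin_sans):
    """Customer hostnames that none of the origin certificate's SANs cover;
    each of these would fail Full (Strict) validation at the edge."""
    return [h for h in customer_hostnames
            if not any(san_matches(h, s) for s in origin_sans)]


def fetch_origin_sans(origin_host: str, sni: str, port: int = 443):
    """Network helper (not used offline): connect to the origin, sending the
    customer hostname as SNI, and return the dNSName SANs it presents.
    The chain is still verified; only the hostname check is done by us."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    with socket.create_connection((origin_host, port), timeout=5) as sock:
        with ctx.wrap_socket(sock, server_hostname=sni) as tls:
            cert = tls.getpeercert()
    return [value for (kind, value) in cert.get("subjectAltName", ()) if kind == "DNS"]


# Constructed sample: the provider's origin cert versus three customer hostnames.
ORIGIN_CERT_SANS = ["saas-origin.example.com", "*.example.com"]
CUSTOMER_HOSTNAMES = ["support.yourcustomer.site", "app.example.com", "a.b.example.com"]
```

Run `missing_sans(fetch_origin_sans("saas-origin.example.com", "support.yourcustomer.site"), ...)` style checks from your onboarding pipeline before switching a hostname to Full (Strict): sending the customer hostname as SNI matters because an origin serving many customers may select its certificate by SNI, and the SANs returned are then the ones Cloudflare’s edge would actually see.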

Q: How long does it take to issue a certificate and have it ready for use?

A: Certificates are typically validated, issued, and pushed to our edge within a few minutes. You can monitor progress through the various states (Initializing, Pending Validation, Pending Issuance, Pending Deployment, Active) by making a GET call for the custom hostname:

$ curl -sXGET -H "X-Auth-Key: [YOUR KEY]" -H "X-Auth-Email: [YOUR EMAIL]" https://www.cloudflare.com/api/v4/zones/[ZONE ID]/custom_hostnames?hostname=support.yourcustomer.site
{
  "result": {
    "id": "cdc2a12a-99b3-48b8-9039-ad1b48c639e5",
    "hostname": "support.yourcustomer.site",
    "ssl": {
      "id": "3463325d-8116-48f3-ab4e-a75fb9727326",
      "type": "dv",
      "method": "http",
      "status": "active"
    }
  },
  "success": true
}

Q: What about renewals or reissuances? Do I or my customers have to do anything?

A: No, Cloudflare takes care of all of this for you. The certificates we issue are valid for one full year (365 days) and are renewed automatically at least 30 days before expiration. Each certificate is issued for your customer’s specific hostname, so as long as the CNAME is still in place we can continue to renew it by demonstrating domain validation control of that hostname. If the customer has churned, send Cloudflare a DELETE request for the custom hostname so that Cloudflare removes the certificate from the edge and does not attempt to renew it.

Q: What benefits of Cloudflare will my customers enjoy?

A: With the exception of protecting your customers’ DNS infrastructure (unless they are also using Cloudflare for authoritative name service), the short answer is: all of them. Once their traffic is pointed at your white-label hostname, Cloudflare can provide industry-leading DDoS protection, CDN, WAF, HTTP/2, load balancing, and more.

Q: What if my customer is already using HTTPS on their custom hostname? Is there a way to avoid downtime while migrating?

A: In some cases you may already have pieced together a solution internally based on customer-provided key material. Or your customer may be using the desired hostname with a competitor (or an internal solution) that already provides HTTPS, and cannot tolerate even a short maintenance window.

For these cases, we have extended the two alternative “pre-validation” methods available for Dedicated Certificates to our SSL for SaaS offering: email and CNAME. Simply change the SSL method in the POST body that creates the custom hostname from “http” to “email” or “cname” and send the request. See the API documentation for more information.

With the email method, the certificate authority sends a validation link to the domain’s administrative contacts, which your customer must act on. The CNAME token method is typically used when you control DNS for the vanity names (some of our SaaS customers, especially those providing website building and hosting services, register the custom domain as part of their workflow).

Lastly, you are free to serve the HTTP token returned by the “http” validation method from your own origin (instead of letting Cloudflare insert it while reverse proxying), and our automated retry queue will detect it once it is in place. If you would rather tell Cloudflare it is in place and have it retry immediately, send a PATCH to the endpoint with the same SSL body you sent in the POST and we will check for it right away.
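The onboarding, status polling, validation retry and churn steps described in “How does SSL for SaaS work?” and in the answers above, collected into one added Python example (not code from the Cloudflare page or product). It assumes the documented base URL https://api.cloudflare.com/client/v4, the custom_hostnames endpoint and JSON shape shown in the GET response above, and snake_case ssl.status values (pending_validation, pending_issuance, pending_deployment, active) for the states the page lists; the zone ID, hostname and replayed responses are constructed so the demo runs offline.

```python
"""SSL for SaaS custom hostname lifecycle via the Cloudflare API (added example).

Create a customer hostname, trigger an immediate validation retry, poll until
the certificate is active, and delete the hostname when the customer churns.
The HTTP layer is injectable so the offline demo replays constructed responses.
Assumptions: base URL api.cloudflare.com/client/v4; ssl.status values are the
snake_case forms of the states the page lists (assumed, not confirmed by it).
"""
import json
import time
import urllib.request
from typing import Callable, Optional

BASE_URL = "https://api.cloudflare.com/client/v4"
PENDING = {"initializing", "pending_validation", "pending_issuance", "pending_deployment"}
VALIDATION_METHODS = ("http", "email", "cname")
HOST = "support.yourcustomer.site"  # constructed; matches the page's example hostname

# (method, url, json_body or None) -> parsed JSON response
Transport = Callable[[str, str, Optional[dict]], dict]


def urllib_transport(headers: dict) -> Transport:
    """Real transport. Pass the page's {"X-Auth-Email": ..., "X-Auth-Key": ...}
    (Global API key: full account access) or, preferably, a scoped API token
    as {"Authorization": "Bearer <token>"}."""
    def send(method: str, url: str, body: Optional[dict]) -> dict:
        data = json.dumps(body).encode() if body is not None else None
        req = urllib.request.Request(url, data=data, method=method,
                                     headers={**headers, "Content-Type": "application/json"})
        with urllib.request.urlopen(req, timeout=30) as resp:
            return json.load(resp)
    return send


class CustomHostnames:
    def __init__(self, zone_id: str, transport: Transport, base_url: str = BASE_URL):
        self.url = f"{base_url}/zones/{zone_id}/custom_hostnames"
        self.send = transport

    @staticmethod
    def _result(resp: dict):
        """Unwrap the API envelope, raising on success: false."""
        if not resp.get("success"):
            raise RuntimeError(f"Cloudflare API error: {resp.get('errors')}")
        return resp["result"]

    def create(self, hostname: str, method: str = "http") -> dict:
        """Onboard a customer hostname; method selects http, email or cname validation."""
        if method not in VALIDATION_METHODS:
            raise ValueError(f"unknown validation method {method!r}")
        body = {"hostname": hostname, "ssl": {"method": method, "type": "dv"}}
        return self._result(self.send("POST", self.url, body))

    def get(self, hostname: str) -> dict:
        """The page's GET ?hostname= lookup; result may be an object or a list."""
        result = self._result(self.send("GET", f"{self.url}?hostname={hostname}", None))
        if isinstance(result, list):
            if not result:
                raise LookupError(f"no custom hostname {hostname!r}")
            result = result[0]
        return result

    def retry_validation(self, record_id: str, method: str = "http") -> dict:
        """PATCH with the same ssl body as the POST so Cloudflare re-checks now
        (e.g. after you start serving the HTTP token from your own origin)."""
        body = {"ssl": {"method": method, "type": "dv"}}
        return self._result(self.send("PATCH", f"{self.url}/{record_id}", body))

    def wait_active(self, hostname: str, max_polls: int = 60,
                    interval_s: float = 10.0, sleep=time.sleep) -> dict:
        """Poll ssl.status through the pending states until it is active."""
        status = None
        for _ in range(max_polls):
            record = self.get(hostname)
            status = record["ssl"]["status"]
            if status == "active":
                return record
            if status not in PENDING:
                raise RuntimeError(f"{hostname}: unexpected ssl status {status!r}")
            sleep(interval_s)
        raise TimeoutError(f"{hostname}: still {status!r} after {max_polls} polls")

    def delete(self, record_id: str) -> dict:
        """Churned customer: remove the hostname so the cert is pulled and not renewed."""
        return self._result(self.send("DELETE", f"{self.url}/{record_id}", None))


def fake_transport(statuses: list) -> Transport:
    """Constructed offline stand-in: each GET returns the next ssl.status value
    (repeating the last one); other methods succeed. Records every call."""
    queue, calls = list(statuses), []
    def send(method: str, url: str, body: Optional[dict]) -> dict:
        calls.append((method, url, body))
        if method == "GET":
            status = queue.pop(0) if len(queue) > 1 else queue[0]
            return {"success": True, "result": {"id": "hn-1", "hostname": HOST,
                    "ssl": {"id": "ssl-1", "type": "dv", "method": "http", "status": status}}}
        return {"success": True, "result": {"id": "hn-1", "hostname": HOST}}
    send.calls = calls
    return send


def demo() -> tuple:
    """Full lifecycle against the fake: returns (call sequence, final ssl.status)."""
    transport = fake_transport(["pending_validation", "pending_issuance",
                                "pending_deployment", "active"])
    api = CustomHostnames("ZONE_ID", transport)           # zone ID is a placeholder
    record = api.create(HOST, method="http")
    api.retry_validation(record["id"])                    # we serve the token ourselves
    final = api.wait_active(HOST, sleep=lambda _s: None)  # no real sleeping offline
    api.delete(record["id"])                              # customer churned
    return [m for (m, _u, _b) in transport.calls], final["ssl"]["status"]
```

Against the real API, build the client as `CustomHostnames(zone_id, urllib_transport({"Authorization": "Bearer <token>"}))`; `demo()` exercises the same code path offline and returns the call sequence POST, PATCH, GET (until active), DELETE. The status poller treats any value outside the pending set as a failure rather than looping forever, which is the case an onboarding job most needs to surface.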
