SSL Setup Process for custom domains
If you'd like to offer the site under a custom domain, the following steps are taken (the renewal section below refers to them by number):
1. The City provides OpenCounter with the list of CNAME subdomains they would like to configure, and which portals each subdomain points to.
2. OpenCounter provides the City with a Certificate Signing Request (CSR) for each subdomain. The CSR is generated together with a private key that stays on our side; only the CSR (which contains no secret) is sent to the City. It is needed in the next step.
3. City purchases an SSL certificate for each of the desired subdomains (e.g. https://permits.cityname.gov), issued from the CSR we provided, and sends us the certificate file(s) by uploading them to Basecamp or using Firefox Send. Please do not send these via email.
4. OpenCounter installs the City's SSL certificate on the hosting platform.
5. OpenCounter sends the City the SSL endpoint hostname generated by the hosting platform.
6. City creates a CNAME record (in their Domain Name System (DNS)) for the desired subdomain (e.g. permits.cityname.gov) and points the CNAME record at the provided hostname. A CNAME target is a hostname, not a URL, so do not include an https:// prefix or a path. Ensure that you add the CNAME record to both your external/public-facing DNS and your internal DNS (i.e. the resolvers used on the City network).
7. OpenCounter adds the City's subdomain to the list of supported domains.
8. OpenCounter adds the City's subdomain to the backend configuration.
In order to ensure the security of your applicants' information, custom domains must support HTTPS access, so we require that all custom domains be protected with an SSL certificate.
Types of SSL certificates:
- If you already have a wildcard certificate for the City's website, we recommend against reusing it here and instead issuing the subdomain(s) as a separate SAN (Subject Alternative Name) certificate from the CSR(s) we provide. A wildcard certificate's private key is valid for every subdomain under your domain, so installing an existing wildcard certificate on our platform means sending that key to us and uploading it to our hosting provider, which is the sensitive security information you would otherwise have to hand over.
- Otherwise, we recommend a single-subdomain certificate for each subdomain, again issued from our CSR. In both cases the private key is generated on our side with the CSR and never has to be transmitted.
- A basic, domain-validated (DV) certificate provides sufficient security for OpenCounter: the validation level changes what the CA checks about the City before issuing, not the strength of the encryption. Organization-validated (OV) or Extended Validation (EV) certificates are fine if you already buy them, but they are not necessary.
- In the process of purchasing a certificate, you may be asked to select a webserver to create the certificate for. This choice only affects how the CA packages the files you download. If this occurs, select Nginx (Heroku), or, if Nginx is not an option, select Apache 2.x.
- If you are given an option of what certificate format to use, select X.509. The file we need is the PEM-encoded certificate: a text file beginning with -----BEGIN CERTIFICATE-----, not a PKCS#7 or PKCS#12 (.p7b/.pfx) bundle.
After setup, if you cannot access the CNAME domain on a computer or phone connected to the City's network / internet, but you can connect from home or from a phone using a cellular connection (WiFi turned off), the DNS record has not been added to the internal DNS: devices on the City network use the City's own resolvers, so a record added only to public DNS is invisible to them. To fix this, ensure that the same CNAME record is added to the City's internal DNS system.
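The certificate steps above, and the post-setup check, as an added shell example (this is not OpenCounter's own tooling; it assumes a POSIX shell, the openssl command-line tool, and dig for the live check). The hostname permits.cityname.gov is the page's sample. make_csr is what our side does in step 2; is_pem_x509 is the check the City can run on the downloaded file before uploading it; cert_matches_key, cert_covers_host and cert_not_expiring are the checks run before installing in step 4; mock_issue is a constructed stand-in for the CA so the checks can be exercised offline.

```shell
#!/bin/sh
# Added example, not OpenCounter's code. Assumes POSIX sh + openssl CLI.
set -eu

HOST="${HOST:-permits.cityname.gov}"   # the page's sample subdomain
WORK="${WORK:-$(mktemp -d)}"            # scratch dir for keys, CSRs, certs

# Step 2: a private key plus a CSR naming the subdomain in subjectAltName
# (browsers match the SAN, not the CN). The key stays where it was generated;
# only the CSR travels, so nobody has to send a private key to anyone.
make_csr() {                       # make_csr HOST KEY CSR
  cat > "$WORK/req.cnf" <<EOF
[req]
prompt = no
distinguished_name = dn
req_extensions = v3_req
[dn]
CN = $1
[v3_req]
subjectAltName = DNS:$1
EOF
  openssl req -new -newkey rsa:2048 -nodes -keyout "$2" -out "$3" \
    -config "$WORK/req.cnf" 2>/dev/null
}

# Step 3, before uploading: is the downloaded file a PEM-encoded X.509
# certificate, rather than a PKCS#7/PKCS#12 bundle or a DER blob?
is_pem_x509() {                    # is_pem_x509 CERT
  grep -q -- '-----BEGIN CERTIFICATE-----' "$1" &&
    openssl x509 -in "$1" -noout 2>/dev/null
}

# Step 4 checks: the certificate must have been issued from our CSR (its
# public key equals our key's public half), must list the subdomain in its
# SAN, and must not expire within 30 days (2592000 s).
cert_matches_key() {               # cert_matches_key CERT KEY
  [ "$(openssl x509 -in "$1" -noout -pubkey)" = \
    "$(openssl pkey -in "$2" -pubout)" ]
}
cert_covers_host() {               # cert_covers_host CERT HOST
  openssl x509 -in "$1" -noout -text | grep -qF "DNS:$2"
}
cert_not_expiring() {              # cert_not_expiring CERT
  openssl x509 -in "$1" -noout -checkend 2592000 >/dev/null
}

# Constructed stand-in for the CA: self-signs the CSR (keeping its SAN) so the
# checks above can run offline. Real deployments use the certificate the City
# buys; never install a self-signed certificate on the platform.
mock_issue() {                     # mock_issue CSR KEY CERT
  openssl x509 -req -in "$1" -signkey "$2" -days 365 \
    -extfile "$WORK/req.cnf" -extensions v3_req -out "$3" 2>/dev/null
}

# After step 6: the CNAME must resolve from the network you are testing on
# (run it once on the City network and once off it), and the platform must
# present a certificate for the host when asked via SNI (-servername).
# Needs network access, so it is not run by default.
check_live() {                     # check_live HOST
  echo "CNAME -> $(dig +short CNAME "$1")"
  printf '' | openssl s_client -connect "$1:443" -servername "$1" 2>/dev/null |
    openssl x509 -noout -subject -dates
}

# Stand-alone run: produce the CSR for the sample subdomain.
make_csr "$HOST" "$WORK/$HOST.key" "$WORK/$HOST.csr"
echo "CSR for $HOST written to $WORK/$HOST.csr (private key stays in $WORK)"
```

If cert_matches_key fails on a real certificate, the CA issued it from a different CSR (typically one the City's portal generated on its own), and it cannot be installed against our key; request re-issuance from the CSR we sent rather than asking for the other private key.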
CNAME vs Redirect / URL Forwarding
Since we are committed to keeping your applicants' data secure, we require that all custom domains use SSL to encrypt data sent from the browser to our servers. With a redirect or URL forwarding, the request to your domain is answered by the forwarding service rather than by our platform, the applicant is then sent on to a different hostname, and your domain no longer appears in the address bar; whether the first hop is even encrypted depends on the forwarding service. A subdomain set up with a CNAME keeps the applicant on your hostname for the whole session, served directly by our platform under the certificate you purchased.
Renewing your certificate
SSL certificates expire; the CNAME record does not. When it's time to renew the certificate, an OpenCounter project manager will reach out to begin the process. The renewal process is a truncated version of the steps above, usually requiring steps 2 through 6: a fresh CSR, a new certificate issued from it, and re-installation. Steps 5 and 6 only apply if the hosting platform issues a new endpoint hostname; otherwise the existing CNAME record is left as it is.