Use Your Own SSL Certificate

We’ve now shipped the ability to verify custom domains with TXT records to all customers! With this feature a TXT record can now be used to verify ownership of a domain, which opens up new possible configurations for a Statuspage.

The most immediate advantage is that customers can now front Statuspage with a CDN like Cloudflare or Cloudfront. This offers a large number of additional features (another layer of caching, page rules, edge workers) but an immediate and easy to implement feature is adding custom SSL certificates.

The new frontier

Currently everyone has the ability to automatically provision free certificates after adding a custom domain to Statuspage. A free certificate that automatically renews is great, but there are additional limitations around which certificate can be used and how it can be configured.
For example, a lot of organizations need to secure all of their domains under one wildcard certificate. In a situation like this a CDN can be used to front Statuspage with a custom certificate. 

When proxying requests through a CDN the data flow between end users and Statuspage looks something like this:

End User <------------------> CDN <------------------> Statuspage

The End User views a page that is served by the CDN's servers. Once configured correctly the CDN should also serve a certificate that will encrypt traffic between their server and the End User's browser. 

The other side of this is when the CDN talks to Statuspage. The CDN (when not caching pages) sends requests to Statuspage to pull data. To keep the connection between the Statuspage and the CDN secure another SSL certificate is necessary. The flow with certificates included looks like this:

End User <------------------> CDN <------------------> Statuspage 
              CDN Cert               Statuspage Cert

The CDN provides the first certificate for the user, and the automatically provided Statuspage Certificate can be used to encrypt traffic between the CDN and Statuspage. This keeps everything secure, but the only visible certificate is the custom certificate uploaded to the CDN. 

Setting it up

The first step to start using a CDN with Statuspage (and serving a custom SSL certificate) is to add a custom domain. 

After this add the provided CNAME record to your DNS provider and verify your custom domain with the TXT record verification method.

After the domain is verified make sure to enable SSL as well:

1. Go to Your page > Customize page and emails.

2. Select the Customize status page tab.

3. Click Enable SSL.

This will provision the "Statuspage Cert" needed to encrypt traffic between your CDN and Statuspage. 

The last step is to go to your CDN provider and:

1. Ensure traffic is being proxied 
2. Upload a custom SSL certificate (Instructions for Cloudfront and  Cloudflare)

After these steps are completed, certificates have been provisioned, and DNS has propagated your Statuspage should now be serving the certificate you uploaded! Your Statuspage can now use the other benefits of your CDN to add more customizations to its behaviour.