    Set Up Qwilt-Managed Certificate Lifecycle Management
    • 08 Jan 2025

    Follow the steps described in this article to set up a Qwilt-managed CSR workflow, allowing Qwilt to handle the entire certificate lifecycle including issuance and renewal, while keeping private keys secure. Note that Qwilt uses the Let's Encrypt Certificate Authority (CA).

    Step 1: Create a Certificate Template.

    Step 2: Configure a CNAME Record for Domain Verification.

    Step 3: Link the certificate to a site.

    From now on, Qwilt manages the entire CSR flow for renewals.

    Create a Certificate Template

    Create a template that defines the parameters for generating the certificate, including the common name and organization details.

    To create the certificate template:

    1. Log in to QC Services.

    2. Open Media Delivery and navigate to Certificate Management.

    3. In the Certificate Management page, select Add Certificate.

    4. In the Add Certificate dialog, select Create Certificate Template.

    5. In the Create Certificate Template dialog, make sure that Managed by Qwilt is selected.

    6. Define the template parameters.
      If your site configuration includes multiple hosts, the certificate must cover all HTTPS hosts configured for secured traffic.

      Parameter - Description
      • Common Name - The primary domain the certificate will secure. Wildcards are allowed.
      • Alternative Names (SANs) - Currently SANs are not supported for Qwilt Managed templates. This is a temporary limitation.
      • Country - Select the country where the organization requesting the certificate is located.
      • Locality - The city or region of the organization.
      • Organization Name - The legal name of the organization requesting the certificate.
    7. Select Create template. Note the Name and Value in the Template Successfully Created dialog that appears, or export them. You'll need these values to configure the CNAME record.

      Initially, the new template appears in the list on the Certificate Templates tab, with the Pending Verification label.

    8. Next, configure a CNAME Record. This step is performed outside of the Qwilt environment, and is your responsibility to manage.

    9. As soon as the CNAME record is available to Qwilt, the CSR is forwarded to the CA.

      When the signed certificate is returned to Qwilt from the CA, the Pending Verification label disappears, and the "Latest Certificate" details are displayed instead.

    Configure a CNAME Record

    Create a CNAME record to allow Qwilt to verify domain ownership with the CA. This step is performed outside of the Qwilt environment, and is your responsibility to manage.

    When creating the CNAME record:

    • Specify the source and destination using the Qwilt provided Name and Value.
    • We recommend setting the TTL to a maximum of one day.

    If you did not already retrieve the Name and Value:

    1. Go to the Certificate Templates list. Initially, the template appears in the list with the Pending Verification status.

    2. Hover over the Pending Verification label and then click the DNS Challenge Configuration link.

      If the Unable to Generate label appears, hover over it to display the DNS Challenge Configuration button, then click the button to open the DNS Challenge Configuration dialog.

    Troubleshooting

    Once the CNAME record is created, Qwilt automatically sends the CSR to the CA. It will take approximately 30 - 60 minutes for the signed certificate to be issued by the CA and become available for use.

    Initially, the new template appears on the Certificate Templates tab with the Pending Verification label.

    If there is a failure at any point in the automated CSR process, the Unable to Generate label appears.

    1. Hover over the Unable to Generate label to display the Retry Generate and DNS Challenge Configuration options.
      • DNS Challenge Configuration - Displays the Name and Value required for the CNAME record.
      • Retry Generate - Restarts the CSR process.
    2. Verify that the CNAME record settings match the Name and Value displayed in the DNS Challenge Configuration dialog.
    3. Click Retry Generate. The template status returns to Pending Verification.
    4. If the Unable to Generate label appears again, please email us at support@qwilt.com.
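
The comparison in step 2, together with the TTL recommendation from the CNAME section, as an added shell example (not Qwilt tooling and not part of the original article). The hostnames are constructed placeholders; the real Name and Value come from the DNS Challenge Configuration dialog.

```shell
#!/usr/bin/env bash
# Added example: check a published CNAME against the Name/Value shown in the
# DNS Challenge Configuration dialog. Hostnames are constructed placeholders.

MAX_TTL=86400   # one day, the maximum TTL the article recommends

# Lower-case a hostname and strip one trailing dot, so that
# "Example.COM." and "example.com" compare equal.
normalize() {
  printf '%s' "$1" | tr '[:upper:]' '[:lower:]' | sed 's/\.$//'
}

# check_cname NAME VALUE   (reads `dig +noall +answer` lines on stdin)
# Prints one verdict. Returns 0 ok, 1 wrong target, 2 no CNAME, 3 TTL too long.
check_cname() {
  local want_name want_value owner ttl class type target
  want_name=$(normalize "$1")
  want_value=$(normalize "$2")
  while read -r owner ttl class type target; do
    [ "$type" = "CNAME" ] || continue
    [ "$(normalize "$owner")" = "$want_name" ] || continue
    if [ "$(normalize "$target")" != "$want_value" ]; then
      echo "MISMATCH: $owner points to $target"; return 1
    fi
    if [ "$ttl" -gt "$MAX_TTL" ]; then
      echo "TTL_TOO_LONG: $ttl > $MAX_TTL"; return 3
    fi
    echo "OK"; return 0
  done
  echo "MISSING: no CNAME found for $1"; return 2
}

# Constructed placeholders standing in for the dialog's Name and Value.
NAME='_acme-challenge.example.com'
VALUE='placeholder-token.validation.example.net'
# Constructed sample of one `dig +noall +answer` line for that record.
SAMPLE_ANSWER='_acme-challenge.example.com. 3600 IN CNAME placeholder-token.validation.example.net.'

printf '%s\n' "$SAMPLE_ANSWER" | check_cname "$NAME" "$VALUE"

# Live use (needs network access and dig):
#   dig +noall +answer CNAME "$NAME" | check_cname "$NAME" "$VALUE"
```

A caching resolver reports the remaining TTL, not the configured one, so run the live query against the zone's authoritative name server (`dig @<nameserver> ...`) when checking the TTL.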

    When the CSR process is completed successfully, the Pending Verification label is replaced by the "Latest Certificate" details, indicating the certificate is available for use.

    Once the signed certificate is available for use, you can link it to the site. This one-time setup step also establishes a link between the template and the site.

    From now on, Qwilt manages the entire CSR flow for renewals. Any new certificate generated from the template is automatically associated with the same site as the previous certificate generated from that template.

    Learn how to link the certificate to a site.

