Set Up Qwilt-Managed Certificate Lifecycle Management

Follow the steps described in this article to set up a Qwilt-managed CSR workflow, allowing Qwilt to handle the entire certificate lifecycle including issuance and renewal, while keeping private keys secure. Note that Qwilt uses the Let's Encrypt Certificate Authority (CA).

Step 1: Create a Certificate Template.

Step 2: Configure a CNAME Record for Domain Verification.

Step 3: Link the certificate to a site.

From now on, Qwilt manages the entire CSR flow for renewals.

Create a Certificate Template

Create a template that defines the parameters for generating the certificate, including the common name, alternative names, and organization details.

To create the certificate template:

  1. Log in to QC Services.

  2. Open Media Delivery and navigate to Certificate Management.

  3. In the Certificate Management page, select Add Certificate.

  4. In the Add Certificate dialog, select Create Certificate Template.

  5. In the Create Certificate Template dialog, make sure that Managed by Qwilt is selected.

  6. Define the template parameters.
    If your site configuration includes multiple hosts, the certificate must cover all HTTPS hosts configured for secured traffic.

    • Common Name - The primary domain the certificate will secure. Wildcards are allowed.
    • Alternative Names (SANs) - Additional domains or subdomains the certificate will cover. Wildcards are allowed.

  7. Select Create template. Note the Name and Value in the Template Successfully Created dialog that appears, or export them. You'll need these values to configure the CNAME record.

    Initially, the new template appears in the list on the Certificate Templates tab, with the Pending Verification label.

  8. Next, configure a CNAME record. This step is performed outside of the Qwilt environment, and managing it is your responsibility.

  9. As soon as the CNAME record is available to Qwilt, the CSR is forwarded to the CA.

    When the signed certificate is returned to Qwilt from the CA, the Pending Verification label disappears, and the "Latest Certificate" details are displayed instead.

Configure a CNAME Record

Create a CNAME record to allow Qwilt to verify domain ownership with the CA. This step is performed outside of the Qwilt environment, and managing it is your responsibility.

When creating the CNAME record:

  • Specify the source and destination using the Qwilt-provided Name and Value.
  • We recommend setting the TTL to a maximum of one day.

If you did not already retrieve the Name and Value:

  1. Go to the Certificate Templates list. Initially, the template appears in the list with the Pending Verification status.

  2. Hover over the Pending Verification label and then click the DNS Challenge Configuration link.

    If the Unable to Generate label appears, hover over it to display the three dots menu, open it, and then select DNS Challenge Configuration to open the DNS Challenge Configuration dialog.

Troubleshooting

Once the CNAME record is created, Qwilt automatically sends the CSR to the CA. It takes approximately 30 to 60 minutes for the CA to issue the signed certificate and for it to become available for use.

Initially, the new template appears on the Certificate Templates tab with the Pending Verification label.

If there is a failure at any point in the automated CSR process, the Unable to Generate label appears.

  1. Hover over the Unable to Generate label to access the three dots menu with the Retry Generate and DNS Challenge Configuration options.

    • DNS Challenge Configuration - Displays the Name and Value required for the CNAME record.
    • Retry Generate - Restarts the CSR process.
  2. Verify that the CNAME record settings match the Name and Value displayed in the DNS Challenge Configuration dialog.

  3. Click Retry Generate. The template status returns to Pending Verification.

  4. If the Unable to Generate label appears again, please email us at support@qwilt.com.

When the CSR process is completed successfully, the Pending Verification label is replaced by the "Latest Certificate" details, indicating the certificate is available for use.
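
One way to run the check in Troubleshooting step 2 from a shell, as an added example that is not Qwilt's own tooling: it compares `dig` output with the Name and Value from the DNS Challenge Configuration dialog and flags a TTL above the recommended one day. The host names, function names and sample answer are constructed placeholders.

```shell
#!/bin/sh
# Added example, not Qwilt tooling. Names below are constructed placeholders;
# substitute the Name and Value from the DNS Challenge Configuration dialog.
MAX_TTL=86400   # one day, the maximum TTL the article recommends

# Constructed sample of `dig +noall +answer NAME CNAME` output.
SAMPLE_ANSWER='challenge-name.example.com. 3600 IN CNAME Challenge-Value.example.net.'

# Lowercase and drop one trailing dot: DNS names compare case-insensitively.
norm() { printf '%s' "$1" | tr '[:upper:]' '[:lower:]' | sed 's/\.$//'; }

# check_cname_answer NAME VALUE ANSWER
# Prints one diagnostic line. Returns 0 on a match, 1 if the record is
# missing or ambiguous, 2 on a wrong target, 3 if the TTL exceeds MAX_TTL.
check_cname_answer() {
    want_name=$(norm "$1"); want_value=$(norm "$2")
    # Keep "TTL target" for CNAME rows owned by NAME (owner TTL class type target).
    rows=$(printf '%s\n' "$3" | awk -v n="$want_name" '
        toupper($4) == "CNAME" { o = tolower($1); sub(/\.$/, "", o)
                                 if (o == n) print $2, $5 }')
    if [ -z "$rows" ]; then
        echo "MISSING: no CNAME at $want_name"; return 1
    fi
    if [ "$(printf '%s\n' "$rows" | grep -c .)" -ne 1 ]; then
        echo "AMBIGUOUS: more than one CNAME at $want_name"; return 1
    fi
    ttl=${rows%% *}; target=$(norm "${rows#* }")
    if [ "$target" != "$want_value" ]; then
        echo "MISMATCH: points to $target, expected $want_value"; return 2
    fi
    if [ "$ttl" -gt "$MAX_TTL" ]; then
        echo "TTL_HIGH: $ttl exceeds $MAX_TTL"; return 3
    fi
    echo "OK: $want_name -> $target (TTL $ttl)"; return 0
}

# Live check (needs network and dig): verify_cname NAME VALUE [NAMESERVER]
verify_cname() {
    check_cname_answer "$1" "$2" "$(dig ${3:+"@$3"} +noall +answer "$1" CNAME)"
}
```

Pass the zone's authoritative name server as the third argument to `verify_cname`; a recursive resolver reports the remaining cache lifetime rather than the configured TTL.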

Link the Certificate to a Site

Once the signed certificate is available for use, you can link it to the site. This one-time setup step also establishes a link between the template and the site.

From now on, Qwilt manages the entire CSR flow for renewals. Any new certificate generated from the template is automatically associated with the same site as the previous certificate generated from that template.

Learn how to link the certificate to a site.