How to Set Up Custom SSL

This guide shows how to set up Custom SSL. If you’re not familiar with Custom SSL (and how it differs from Shared SSL), check out this guide.

Here are the steps needed:

  1. Log in to the KeyCDN dashboard and start editing the zone.
  2. Before you add the certificate, add the Zonealias for the subdomain of that certificate that you plan to use (e.g. cdn.yourdomain.com).
  3. To add the certificate, edit your zone and click on “Show Advanced Features”. Now, you need a certificate. We allow you to upload any certificate. If you don’t have a certificate yet, follow this guide in order to get one. Change “SSL” to “custom”, then add the certificate and the private key to your zone. [Screenshot: custom SSL]
    The certificate and the private key will only be accepted if they match. A wrong key will not be accepted. Important: The certificate needs to be issued for the Zonealias you add. Make sure you also update your DNS as you would for any other Zonealias (CNAME).
    Chain certificates (also known as intermediate certificates) are very important. Confirm that the chain is complete. To check whether an intermediate certificate is missing from the chain, go to SSL Labs, test your domain (e.g. cdn.yourdomain.com) and look at “Chain issues”, which should be “none”. [Screenshot: complete certificate chain]
    The chain certificates can be added right below the certificate. Here’s an example of how the certificates can be concatenated:

    -----BEGIN CERTIFICATE-----
    (your certificate, Base64-encoded)
    -----END CERTIFICATE-----
    -----BEGIN CERTIFICATE-----
    (chain certificate, Base64-encoded)
    -----END CERTIFICATE-----
    -----BEGIN CERTIFICATE-----
    (chain certificate, Base64-encoded)
    -----END CERTIFICATE-----

    Intermediate certificates are normally sent along when a new certificate is ordered. If you’re still missing an intermediate certificate, please either contact your certificate vendor or use our Certificate Chain Composer to generate the intermediate certificates automatically.

  4. That’s it. It takes about 5 minutes until Custom SSL is globally available. You can verify the SSL connection with this CLI command:

    echo QUIT | openssl s_client -connect cdn.yourdomain.com:443 -servername cdn.yourdomain.com -tlsextdebug -status

Upon enabling Custom SSL, delivering assets via SSL using the kxcdn domain is no longer possible and will return an error.
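
The pre-upload checks from step 3 as a shell function, added here as an example and not part of KeyCDN's tooling: it confirms that the private key matches the certificate, that the certificate is valid for the Zonealias, and that each certificate in the bundle is issued by the one below it. The function name check_bundle and the file names are assumptions; the chain check compares issuer and subject names only and does not verify signatures.

```shell
#!/bin/sh
# Added example (not KeyCDN code): checks to run before uploading.
# Usage: check_bundle BUNDLE.pem KEY.pem HOSTNAME
# BUNDLE.pem: the certificate first, chain certificates below it.
check_bundle() {
    bundle=$1; key=$2; host=$3; rc=0
    tmp=$(mktemp -d) || return 2

    # 1. The private key must belong to the first certificate.
    #    "openssl x509" reads only the first PEM block of the bundle.
    cert_pub=$(openssl x509 -in "$bundle" -noout -pubkey)
    key_pub=$(openssl pkey -in "$key" -pubout)
    if [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]; then
        echo "OK   private key matches the certificate"
    else
        echo "FAIL private key does not match the certificate"; rc=1
    fi

    # 2. The certificate must be issued for the Zonealias hostname.
    if openssl x509 -in "$bundle" -noout -checkhost "$host" |
        grep -q 'does match'; then
        echo "OK   certificate is valid for $host"
    else
        echo "FAIL certificate is not valid for $host"; rc=1
    fi

    # 3. Chain order: split the bundle into one file per certificate,
    #    then require each issuer to be the subject of the next one.
    awk -v d="$tmp" '/BEGIN CERTIFICATE/ { n++ }
        n { print > (d "/" n ".pem") }' "$bundle"
    i=1
    while [ -f "$tmp/$((i + 1)).pem" ]; do
        issuer=$(openssl x509 -in "$tmp/$i.pem" -noout -issuer)
        subject=$(openssl x509 -in "$tmp/$((i + 1)).pem" -noout -subject)
        if [ "${issuer#issuer=}" != "${subject#subject=}" ]; then
            echo "FAIL certificate $i is not issued by certificate $((i + 1))"
            rc=1
        fi
        i=$((i + 1))
    done
    [ "$rc" -eq 0 ] && echo "OK   $i certificate(s), order consistent"
    rm -rf "$tmp"
    return "$rc"
}
```

Run it as `check_bundle bundle.pem private.key cdn.yourdomain.com`; a non-zero exit status means at least one check failed.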

8 Comments

  1. Junaid

    I already have an ssl certificate that I got free from my bluehost account and it is running on my website.

    – Do I also need to use the custom SSL option while setting up the zone?
    – Then change the CNAME records of my website so that the Zonealiases point to the zone.
    – Finally, create Zonealiases.

    And when integrating it on my wordpress website via super cache, I will need to use https://cdn.website.com? Right?

    Will I have to check “Skip https URLs to avoid “mixed content” errors” at the end of the cdn settings on super cache plugin ?

    1. Cody Arsenault

      I’m assuming your SSL certificate isn’t valid for any subdomain besides www. Therefore you will need to either purchase a custom SSL cert that is valid for a subdomain such as cdn.example.com or use Let’s Encrypt: https://www.keycdn.com/support/use-letsencrypt-with-keycdn-to-enable-ssl-tls/

      Yes, with a Zonealias setup you will use https://cdn.website.com/ in Super Cache. Please contact us directly if you have any other questions: https://www.keycdn.com/support/

  2. Junaid

    So I can have an SSL certificate running on my website and use Let’s Encrypt in KeyCDN?

    I was worried it might create a conflict between having one SSL for my website and another for the CDN?

  3. Junaid

    One more thing.

    How long will it take for KeyCDN to show pictures? When I test the zone URL it does not display any pictures.
