SSL certificate management in Arc XP
Public website domain
Arc XP manages a single SSL certificate per client using Akamai and Let's Encrypt, and all of the client’s domains will be on the same SSL certificate.
Domain add process:
Begin by contacting Arc XP Customer Support to associate a public domain that the client owns with an Arc XP Site ID from Site Service. As part of this manual request, an automated process kicks off within Arc XP to add the requested domain to the Akamai configuration and to the client’s certificate.
After the domain has been added to the certificate, the client needs to provide proof of ownership. Verification must be provided within 7 days and can be done in two different ways:
DNS token - Arc XP generates and provides the DNS text record for the client to add through their DNS provider
301 redirect - The client implements a redirect, on the system that currently serves the domain, at a URL that Arc XP provides
Renewal process:
Let's Encrypt certificates are auto-renewed every 60-90 days, or sooner based on Let's Encrypt's own logic. Renewal occurs without client involvement as long as all domain names on the certificate are pointed to the Arc XP-provided destination.
Exceptions to this auto-renewal process:
Client requests to add domain but doesn’t complete verification within the 7 days
Client completes verification but doesn’t point DNS to Arc XP
In the case of an exception, Arc XP has internal monitoring in place to notify our teams in advance of the renewal date. If time allows, Arc XP will attempt to notify the client of a missing renewal; otherwise Arc XP will take action to remove any unverified domains from certificates before the certificate expires.
Bring your own certificate
Arc XP supports clients providing their own certificate. In this model the client is responsible for initiating the renewal process. Arc XP may periodically need to request renewal before the expiration date as the platform offering changes.
How can I bring my own cert?
Start by opening a ticket with Arc Customer Support. You will need to provide:
A contact point at your organization who will be able to securely transfer the CSR and signed certificate through email.
Organization information to be included in the publicly available certificate - Org Name, Address, Country, City, Phone Number
Administrator Contact to be created with the certificate - first name, last name, email, business phone
Do not provide a signed certificate and CSR to Arc XP initially. Arc XP cannot import a CSR that was not generated by Arc XP, and providing this information in the ticket is not a recommended security practice (remember, your cert is your users' primary protection against attackers and it should not be left exposed).
Once you have submitted your ticket, a member of the Arc XP Delivery team will reach out through email to coordinate the signing. Arc XP will provide a signing request using a secure delivery method worked out ahead of time (PGP/GPG is preferred). As a client, you can have any signing authority you desire sign the request. Arc XP suggests signing it for at least two years to prevent constant operational work to maintain the certificate.
Return the signed certificate along with any intermediate certificates to Arc XP using the secure delivery method previously used. Again, do not put the signed certificate in a ticket or an unencrypted email. Arc XP will install this certificate and then work with you to determine an implementation time. If you are not live yet, Arc XP can implement it immediately. If you are already live, we can work with you to schedule when the current certificate will be replaced, if requested.
Other Constraints
Client-provided certs are still subject to Arc XP’s secure content delivery practices:
TLS 1.2
SNI required
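A client-side check for the points above, as an added example that is not Arc XP code: it connects with TLS 1.2 as the minimum version and with SNI, then reports which of your domains are missing from the served certificate and how many days remain before it expires. The function names, the 30-day warning threshold and the sample certificate are assumptions constructed for illustration.

```python
import socket
import ssl
import time

def tls12_context():
    """Verifying client context that refuses anything below TLS 1.2."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx

def fetch_cert(host, port=443, timeout=5.0):
    """Return the validated leaf certificate served for `host` (needs network)."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        # server_hostname sends the SNI extension and enables hostname checking
        with tls12_context().wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()

def covers(cert, domain):
    """True if `domain` matches a DNS SAN entry, exactly or via a one-label wildcard."""
    domain = domain.lower().rstrip(".")
    for kind, name in cert.get("subjectAltName", ()):
        name = name.lower()
        if kind != "DNS":
            continue
        if name == domain:
            return True
        # "*.example.com" covers "a.example.com" but not "a.b.example.com"
        if name.startswith("*.") and domain.partition(".")[2] == name[2:]:
            return True
    return False

def days_left(cert, now=None):
    """Whole days until the certificate's notAfter time."""
    now = time.time() if now is None else now
    return int((ssl.cert_time_to_seconds(cert["notAfter"]) - now) // 86400)

def audit(domains, cert, warn_days=30, now=None):
    """Summarise domains absent from the certificate and how close it is to expiry."""
    left = days_left(cert, now)
    missing = [d for d in domains if not covers(cert, d)]
    return {"missing": missing, "days_left": left, "expiring": left <= warn_days}

# Constructed sample in the shape ssl.SSLSocket.getpeercert() returns
SAMPLE_CERT = {
    "notAfter": "Jun  1 12:00:00 2030 GMT",
    "subjectAltName": (("DNS", "www.example.com"), ("DNS", "*.news.example.com")),
}
```

For a live check, pass the result of `fetch_cert("your.domain")` to `audit` along with the full list of domains you expect on the certificate.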
Private Arc XP Domain
When an organization is created in Arc XP, there is an automated process to create the certificate for the client’s Arc XP Domain - {clientname.arcpublishing.com}. Certificates for the Private Arc XP domains utilize AWS Certificate Manager.
There are no responsibilities for the client for Private Arc XP Domain certificate creation or renewal.