SSL Certificates

Secure your zones with free automatic SSL certificates.


Overview

NordicCDN provides free SSL certificates for all zones, powered by Let's Encrypt. Certificates are automatically provisioned and renewed.


Default SSL

CDN Hostname

Your default CDN hostname (abc123.cdn.nordiccdn.com) is automatically covered by our wildcard certificate. No configuration needed.

Custom Domains

When you add a custom domain, we automatically provision a dedicated SSL certificate:

  1. Add your custom domain
  2. Configure DNS (CNAME to your CDN hostname)
  3. Certificate is issued automatically (1-5 minutes)
  4. Auto-renewal happens before expiration

HTTPS Configuration

Force HTTPS

Redirect all HTTP traffic to HTTPS:

  1. Go to zone settings
  2. Enable "Force HTTPS"
  3. All HTTP requests will 301 redirect to HTTPS

HSTS (HTTP Strict Transport Security)

Tell browsers to always use HTTPS:

Strict-Transport-Security: max-age=31536000; includeSubDomains

Enable in zone settings under Security headers.


TLS Versions

NordicCDN supports:

Version   Status
TLS 1.3   Enabled (preferred)
TLS 1.2   Enabled
TLS 1.1   Disabled
TLS 1.0   Disabled
SSL 3.0   Disabled

Older versions are disabled for security.


Certificate Details

Let's Encrypt Certificates

  • Validity: 90 days
  • Renewal: Automatic, 30 days before expiry
  • Type: Domain Validated (DV)
  • Key Size: 2048-bit RSA or ECDSA P-256

Wildcard Certificates

Our wildcard certificate covers:

  • *.cdn.nordiccdn.com
  • All default zone hostnames

Troubleshooting

Certificate Not Issued

If your custom domain doesn't get a certificate:

  1. Check DNS: Verify CNAME points to your CDN hostname

    dig cdn.yourdomain.com CNAME

  2. Wait for propagation: DNS changes can take up to 48 hours
  3. Check domain: Ensure the domain is valid and resolves

Certificate Expired

Certificates renew automatically. If one expires:

  1. Check if the domain is still active
  2. Verify DNS still points to NordicCDN
  3. Contact support if the issue persists

SSL Error in Browser

If visitors see certificate errors:

  1. Wrong domain: Check you're accessing the correct hostname
  2. Mixed content: Ensure all resources use HTTPS
  3. Clock issues: Visitor's system clock may be wrong
  4. Browser cache: Clear browser cache and try again

Mixed Content

Mixed content occurs when HTTPS pages load HTTP resources:

<!-- This causes mixed content warning -->
<img src="http://example.com/image.jpg">

<!-- Use HTTPS instead -->
<img src="https://example.com/image.jpg">

<!-- Or protocol-relative URLs, which inherit the scheme of the page that loads them -->
<img src="//example.com/image.jpg">

Finding Mixed Content

Check browser console for mixed content warnings:

Mixed Content: The page was loaded over HTTPS, but requested an insecure image

Fixing Mixed Content

  1. Update all resource URLs to HTTPS
  2. Use Content-Security-Policy header to enforce:
    Content-Security-Policy: upgrade-insecure-requests

Origin SSL

Connecting to HTTPS Origins

When your origin uses HTTPS, we verify its certificate by default.

Self-Signed Origins

If your origin uses a self-signed certificate:

  1. Contact support to enable certificate bypass for your zone
  2. We recommend using a valid certificate on your origin

HTTP Origins

You can use an HTTP origin with an HTTPS CDN:

Visitor → HTTPS → CDN → HTTP → Origin

The visitor connection is secure; the origin connection is internal (between the CDN and your origin) and, being plain HTTP, is not encrypted.


Best Practices

1. Always Use HTTPS

Enable HTTPS for all zones. There's no reason not to with free certificates.

2. Enable HSTS

After verifying HTTPS works, enable HSTS to prevent downgrade attacks.

3. Update Internal Links

Ensure your site generates HTTPS URLs:

// Laravel
config(['app.url' => 'https://yourdomain.com']);

// WordPress
define('WP_HOME', 'https://yourdomain.com');
define('WP_SITEURL', 'https://yourdomain.com');

4. Monitor Certificate Status

Check your zones periodically to ensure certificates are valid.