
Configure using your own certificates

This topic shows you how to use your own certificates to set up a domain delegation strategy, either by CNAME records or subdomain delegation. Search gives you a Certificate Signing Request (CSR) you can use to generate certificates.

This strategy usually requires more technical knowledge for setup and ongoing management, and might increase the complexity of your deployment process. However, it also gives you flexibility and control over the certificate's source, type, and security features, which might be useful for an organization with specific security requirements.

Before you begin

Ensure that your domain's nickname follows standard DNS (Domain Name System) naming protocols. For example, the nickname must not have an underscore (_) or a period (.). To view your domain's nickname, go to Administration > General Settings > Domain Information > DOMAIN NICKNAME.

If you find that your domain's nickname has non-standard characters, contact a Sitecore Search representative to have it changed.

This is important because during domain delegation Search uses SSL certificates whose name contains domain nicknames. SSL certificates cannot have non-standard characters. If they do, they become invalid.

Caution

Use caution when modifying any settings in Administration > Domain Settings > Subdomain Setup. Your websites and applications that are in production can be impacted.

To configure domain delegation using your own certificates:

  1. On the menu bar, click Administration > Domain Settings > Subdomain Setup.

  2. To select a domain delegation strategy, click an option next to Subdomain Strategy.

    If you want to use CNAME records, click CNAME. If you want to use a subdomain delegation, click Delegation.

  3. To specify that you want to create your own SSL certificates, next to Certificate Creation, click Customer Created.

  4. To confirm your selection, click Run Setup.

    The setup process can take up to ten minutes. If it's successful, you'll see a Setup Successful message and:

    • If you chose the CNAME record strategy, you'll see CNAME records and a Certificate Signing Request (CSR).

    • If you chose the subdomain delegation strategy, you'll see nameserver (NS) details and a Certificate Signing Request (CSR).

    Note

    Running the setup process again after completion does not create new CNAME values.

    Note

    If the setup times out, retry the operation. If the timeout persists, contact Sitecore Support and provide the Search domain ID, the approximate timestamp of the attempt, the selected subdomain setup method, and a screenshot of the timeout message.

  5. Copy or download the CSR.

    Then, send the CSR to a commercial certificate authority (CA) to request a certificate. This procedure varies depending on who your CA is.

  6. To create a certificate, send the CSR to a commercial certificate authority (CA). This procedure varies depending on who your CA is.

    You'll get a certificate and a certificate chain from your CA.

  7. To link your certificate with Search, go to Administration > Domain Settings > Subdomain Setup and paste the following details:

    • In the SSL CERTIFICATE field, paste the server (leaf) certificate issued for your Search subdomain.

    • In the CERTIFICATE CHAIN field, paste the certificate authority (CA) chain, including any required intermediate certificates.

    Note

    To renew or replace a customer-managed SSL certificate, repeat the certificate upload step using the updated certificate and certificate chain, and then click Run Completion.

    If you need to retrieve the CNAME records during renewal, click Run Setup. This returns the existing CNAME values.

  8. To copy the CNAME records or NS details, next to CNAME Details or Nameserver Details, click copy.

  9. Go to your DNS provider's administration console, add the CNAME records or NS details, and save your changes.

    This might take anything from a few hours to a day to complete.

  10. Verify that your CNAME record or NS details have been added to your DNS provider. To do this, you have two options:

    • Use https://dnschecker.org for CNAME records or subdomain delegation.

    • Use the host command in your local terminal.

      For CNAME records, use:

      $ host -t CNAME <yournickname>.rfk.<yourdomain>.com

      For subdomain delegation, use:

      $ host -t NS <yournickname>.rfk.<yourdomain>.com

      Here's a sample command to find NS records for the riggs.rfk.riggsandporter.com subdomain, followed by the results of that command:

      $ host -t NS riggs.rfk.riggsandporter.com
      riggs.rfk.riggsandporter.com name server ns-1262.awsdns-29.org.
      riggs.rfk.riggsandporter.com name server ns-1868.awsdns-41.co.uk.
      riggs.rfk.riggsandporter.com name server ns-450.awsdns-56.com.
      riggs.rfk.riggsandporter.com name server ns-709.awsdns-24.net.

  11. To verify that Search considers your CNAME items as added, go to Administration > Domain Settings > Subdomain Setup, and verify that you see green checkmarks next to the CNAME records or NS details.

    Important

    If you see a red X next to the CNAME records or NS details, your items haven't been added yet or were added incorrectly. You'll need to troubleshoot this with your DNS provider before you continue.

  12. To complete domain delegation setup, click Run Completion.

    The setup process can take up to ten minutes.

    Note

    If the setup process is successful, you'll see a "Setup Complete. Please see Domain Status tab for more details" message. Now, you can retrieve the hosts and paths you need to access various Search services.

    Important

    If the setup process is unsuccessful, you'll see an error message similar to "Failed to configure SSL certificate, please make sure the CNAME records have been added to your DNS configuration."

    If this occurs:

    • Verify that the CNAME records or nameserver (NS) details have been correctly added to your DNS provider.

    • Verify that the SSL certificate is valid for the generated Search subdomain.

    • Ensure that the certificate chain includes all required intermediate certificates.

    If you're unable to solve the issue with your DNS provider, contact Sitecore Search support and include your domain ID, the approximate time of the attempt, the certificate type, and a screenshot of the error.
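
The DNS check from steps 10 and 11 as a script, added here as an example and not part of Sitecore's documentation or tooling: it compares host output against the values copied from CNAME Details or Nameserver Details and applies the nickname rule from Before you begin. The function names, file names and sample hostnames are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example, not Sitecore tooling. Hostnames below are constructed.
# Live use: host -t NS <yournickname>.rfk.<yourdomain>.com > have.txt
#           compare_records want.txt have.txt

# DNS label rule from "Before you begin": letters, digits and hyphens only,
# so no underscore or period, and no leading or trailing hyphen.
valid_nickname() {
  printf '%s\n' "$1" | grep -Eq '^[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?$'
}

# Reduce `host -t NS` or `host -t CNAME` output on stdin to its targets:
# lower-cased, trailing dot removed. Error lines (NXDOMAIN etc.) are skipped.
host_targets() {
  awk '/ name server / || / is an alias for / {
         t = tolower($NF); sub(/\.$/, "", t); print t }' | sort -u
}

# Normalise the values copied from Search (one per line) the same way.
want_targets() {
  tr 'A-Z' 'a-z' | tr -d ' \t\r' | sed -e 's/\.$//' -e '/^$/d' | sort -u
}

# compare_records EXPECTED_FILE HOST_OUTPUT_FILE
# Prints "missing X" for a record not visible in DNS and "unexpected X" for
# a record in DNS that Search did not list. Returns 0 only on an exact match.
compare_records() {
  want=$(want_targets < "$1"); have=$(host_targets < "$2"); rc=0
  for t in $want; do
    printf '%s\n' "$have" | grep -Fxq -- "$t" || { echo "missing $t"; rc=1; }
  done
  for t in $have; do
    printf '%s\n' "$want" | grep -Fxq -- "$t" || { echo "unexpected $t"; rc=1; }
  done
  return "$rc"
}

# Constructed sample: Search lists four nameservers; DNS returns three of
# them plus one stale NS record that Search never issued.
run_sample() {
  dir=$(mktemp -d); rc=0
  printf '%s\n' ns-1.example.org ns-2.example.net NS-3.example.com. \
    ns-4.example.co.uk > "$dir/want"
  printf 'acme.rfk.example.com name server %s\n' ns-1.example.org. \
    ns-2.example.net. ns-3.example.com. old-ns.example.info. > "$dir/have"
  compare_records "$dir/want" "$dir/have" || rc=$?
  rm -rf "$dir"; return "$rc"
}

run_sample || echo "DNS does not match Search yet"
```

An "unexpected" nameserver deserves the same attention as a missing one, because queries for the delegated subdomain can then be answered by a server outside the set Search issued.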
