DNS / Certificate instructions for Client Login sites

By default, the secure links for your client login area will be in the form https://e.bdphq.com/?<unguessable_string>

If you prefer, it is possible for the URLs to use your own domain name instead of bdphq.com, for example: https://clients.yourdomain.com/?<unguessable_string>

This article outlines what is required. Please note that BDP cannot complete the setup on your behalf and the person responsible for IT security in your organisation will need to manage this process.

DNS record

For your clients to access the Client Login site using an address in your domain, you’ll need to create a new DNS record. You’ll need to create a CNAME record for your domain, which should point to e.bdphq.com. For example, if your domain name is “yourdomain.com” and you want to use “clients.yourdomain.com” for your Client Login site, the record would look something like this:

clients.yourdomain.com. 86400 CNAME e.bdphq.com.

The numerical value may be different, depending on how your DNS is set up. If you’re unable to manage your firm’s DNS records yourself, please pass this task to your IT Department, Systems Administrator or external IT support firm.

Once your DNS record is set up, test it by pinging your chosen client login site’s name. Responses should come from e.bdphq.com.

HTTPS Certificate

In order to ensure that traffic between your client login site and its users is kept secure, we will need to acquire and install a server certificate (sometimes called an HTTPS certificate or SSL certificate) on the BDP server that will present the site. Certificates need to be purchased from a certification authority; there’s a list of a few vendors at the end of this section. Certificates also need to be renewed at regular intervals (usually between one and three years; you can specify this during the ordering process).

The process of generating, signing and issuing a certificate varies greatly, depending on which software and systems you’re using to do it, but it boils down to four parts:

1) Generating a certificate signing request (CSR):

You can generate a request with Microsoft IIS (instructions here), OpenSSL (instructions here), or a 3rd-party site like https://csrgenerator.com.

  • Your request will need to contain your company name/address information, as well as the name of the certificate.
  • The certificate’s name (or “common name”) will be the URL you intend your clients to use (clients.yourdomain.com, to continue the above example).
  • Be sure to keep the “private key” part of the request well secured; if you lose it, the certificate won’t be usable.
  • It’s not possible to change the common name of a certificate once it’s been issued, so make sure you’re happy with the name before you proceed.
  • It’s possible to generate a “wildcard” certificate that will be valid for ANYTHING ending in your domain name (e.g, yourdomain.com), but these are significantly more expensive than a regular single-name certificate.

The actual CSR will look something like:
-----BEGIN CERTIFICATE REQUEST-----
MIICwTCCAakCADB9MQswCQYDVQQGEwJVSzEYMBYGA1UEAxMPdG90ZXNub3RCRFAu
Y29tMREwDwYDVQQHEwhUaGF0IFlvdTERMA8GA1UEChMIQWN0dWFsbHkxFjAUBgNV
BAgTDUknbSBJbXByZXNzZWQxFjAUBgNVBAsUDURlY29kZWQgdGhpcyEwggEiMA0G
CSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCw9liYGTsC2uSlyoL0+D+JU7tFFM0X
Xvqt+8pkKUFubnBy2fPC16lMhoWgpZs4s2tC56So+Gwtxs9GyOPcgq979W7FqbbF
qGWHclE+DHVmEvQo1c2BZsPiNpRcFGUKWmrQ/NEDGsNouaDUvog1iwXkq/HZqWjY
C/t2+rjEeLoDn2zKYf3Uxrc2hdYdOBumhMYOax+CRmTX8p8Ohy9/kLJL0Xk/Btkq
2KhrrNK4KyfdyHw+Wi74k/rikPYuXq5PAFqt2zKc7wy9dWD2jKD3ICoX4ioTUBwo
pgDxtjOI9X2cPOrXD/TmobVkdxUUIfZcFrNZg9+k+CB8+YzEbG4w/ijzAgMBAAGg
ADANBgkqhkiG9w0BAQsFAAOCAQEApsEkwpMDaK0brpnATmNVHcOJbvW23CleX3YE
672HLAlmdQkoi4KbrDOA3z5VHv2nrc2hu3p9d+qJOYDqk7qSkZTLEwTgi/MOdwpt
t04c5UBLafzGoeolY4hxLyEhWKURXGH7GZ+q0uyGpC4UrZLhGRXSNQPuiENNhU8y
EK8eMicgPJt8S6BakQD8dkHUB0LnPQKTpHyAMWBxTCm/JSk18qjzmAqKANQ+LK04
RoFNZcamDZZ8zBND/dcadaHtz3B7Cbfk1cWCit7p/IHbrpbR2fBVTjs6cCPV4eHs
+OgwY+FaBWAgtVafnriDaG1H4P3ExwSqXVPmDxBeKlZY2bboUA==
-----END CERTIFICATE REQUEST-----

2) Submitting the CSR for approval

During the enrollment process, you’ll be asked for several pieces of information about your company, in order to prove that you own the domain name that you’re requesting a certificate for. You may also be asked to prove domain ownership in other ways; using an email address in the specified domain or adding a special verification record to your DNS are two of the more popular techniques. Your certificate provider will be able to help with this part of the process.

After the verification is complete, your chosen certificate provider will issue you with a signed version of your certificate; this, along with the private key you created along with the CSR, make up the actual certificate.

You may be asked which format you would prefer for the signed certificate or which type of server it is to be installed on. The client login server, where the cert will be installed, is Apache but we can convert between formats so this shouldn’t really matter.

3) Transferring to BDP

Now that you have a valid, signed certificate for the domain name you want to use for your Client Login site, you’ll need to transfer it over to BDP, so that we can install it on your client login site. The safest and most secure way to transport the certificate and key (either as one file or two) is on physical media; CD/DVD or USB device are good options. Email should NOT be used, as it’s not reliably secure.

If you already have a suitable certificate, please contact BDP on 0845 117 1111 or help@bdphq.com to arrange the secure transfer of the certificate and private key. Please do not attach certificates or keys to any emails!

Other Information
=================

Some reputable certificate vendors:

SSL247
Comodo
GlobalSign
RapidSSL

If your organisation doesn’t have the in-house IT capacity to perform any of the steps listed above, and would like further information on how to proceed, please contact BDP on 0845 117 1111 or help@bdphq.com

 

Leave a Reply

Your email address will not be published. Required fields are marked *