FAQ content

Using your own SSL certificate for a custom domain name

In this article

To manage the certificates domain names of your LibApps sites, go to Admin > Domains and Certificates.

Navigating to the Domains and Certificates page


How do I know if a site has a custom domain name?

The domain names of LibGuides, LibAnswers, and LibCal sites can be customized. If your own site's domain name does not end with any of the following, then you have a custom domain name:

  • libguides.com
  • libanswers.com
  • libcal.com

Since your custom domain name will not end in the above Springshare-owned domain names, it will require its own security certificate. We provide a couple of options:


Using a Springshare-managed certificate from Let's Encrypt (recommended)

When you save a new domain name for a LibGuides, LibAnswers, or LibCal site, we'll automatically obtain and install a free Let’s Encrypt certificate for your system. This will ensure that there is no interruption in the ability to access your site over a secure HTTPS connection.

  • Please allow one business day for our automated process to obtain, install, and activate your Let's Encrypt certificate.
  • Let's Encrypt certificates will also cover the www. version of your custom domain name.
  • If your site is currently using a certificate that you provided and it is approaching its expiration date or removed, we will attempt to automatically replace it with a Let's Encrypt certificate one week prior to the certificate's expiration to ensure no loss in HTTPS coverage.
    • If there is a CAA record in place for your domain, your IT staff may need to make changes before we can request and renew certificates for you. Learn more...
  • Springshare will automatically take care of renewing your certificates prior to their expiration dates.

Are you setting up a new custom domain name for your site? Please note that your domain change will not take effect until the certificate has been installed. Once the security certificate has been installed, we will make the domain change, and you will be able to access your site from your new, custom domain name. Until then, your old domain name will remain active to ensure no loss in HTTPS coverage.

Want to switch to a Let's Encrypt certificate for your custom domain? No problem! If you'd prefer to switch to a Let's Encrypt certificate managed by Springshare, simply let your current certificate expire. As it approaches its expiration date, we'll automatically replace it with a Let's Encrypt certificate to ensure no loss of HTTPS coverage.


Using your own certificate

If you would prefer to obtain, upload, and maintain your own certificate, you have a couple of options:

Before uploading your certificate, please note the following

  • You will need a certificate for NGINX in the x509 format​.
  • LibApps does support wildcard and SAN certificates. Please see the instructions below for uploading certificate files.
  • If you have intermediate CA certificates, you can chain them into a single CRT, then upload that to LibApps. The certificate for your domain is located at the top of the CRT file, followed by one or more intermediate certificates. If your CA provides multiple intermediate certificates, they should tell you the proper order to include them inside the single "combined" certificate.
  • If your certificate is issued by InCommon, please see the section below for important information.
  • If your certificate is issued by DigiCert, check out their blog post on how to find your private key.
  • We do not support KEY files protected by a passphrase, or .pfx files.
  • You will be responsible for renewing and maintaining your SSL certificate.

Option 1. Generate a CSR to obtain, upload, and install your own certificate

To enable HTTPS for a site using a custom domain name, you will need to work with your IT staff to obtain a security certificate using a Certificate Signing Request from LibApps. The following steps will guide you through the process:

  1. Click on your site's Manage HTTPS () icon in the Actions column.

Screenshot of the Manage HTTPS icon

  1. Under the Your Certificate tab, you will see an alert letting you know the status of your domain name and certificate.
    • If you do not see a confirmation that your domain is pointing to the correct endpoint, please update your custom domain's CNAME records before continuing.
  2. Click on the Generate and Download Certificate Signing Request & Private Key panel to expand it.
  3. Complete the provided form to generate a new Certificate Signing Request (CSR).
  4. Click the Generate and Download CSR & Key button. A zip file containing your CSR and KEY will be be downloaded.
    • Provide the CSR to your Certificate Authority (CA) when requesting your security certificate (CRT). You will need a certificate for NGINX in the x509 format​.
    • If you subsequently need to change the information in your CSR, return to this page and repeat Steps 1-5 to generate and download a new CSR and KEY.

Generating and downloading a CRT and KEY

  1. Once you have obtained your CRT, return to this page and click on the Upload Certificate Files panel to expand it. 
  2. Click on the Upload CRT and Upload KEY buttons to upload your CRT and KEY files to our server. Once the files have been uploaded, your certificate will be installed within one business day. We'll send you an email notification once it's ready to go. :)
    • As a courtesy, admins will receive an email notification when your site's certificate is within 60 days of expiration.
    • If your certificate is not replaced by the week prior to its expiration date, we will automatically replace it with a free Let's Encrypt certificate that is managed by Springshare.

Uploading a CRT and key 

Option 2. If you have an existing KEY & CRT pair (including wildcard & SAN certificates)

  1. Click on your site's Manage HTTPS () icon in the Actions column.

Screenshot of the Manage HTTPS icon

  1. Under the Your Certificate tab, you will see an alert letting you know the status of your domain name and certificate.
    • If you do not see a confirmation that your domain is pointing to the correct endpoint, please update your custom domain's CNAME records before continuing.
  2. Click on the Upload Certificate Files panel to expand it. Make sure your certificate is for NGINX in the x509 format​.
  3. Click on the Upload CRT and Upload KEY buttons to upload your CRT and KEY files to our server.
    • Note: we do not support KEY files protected by a passphrase, or .pfx files.
    • Once the files have been uploaded, your certificate will be installed within one business day. We'll send you an email notification once it's ready to go. :)
    • As a courtesy, admins will receive an email notification when your site's certificate is within 60 days of expiration.
    • If your certificate is not replaced by the week prior to its expiration date, we will automatically replace it with a free Let's Encrypt certificate that is managed by Springshare.

Uploading a CRT and KEY

Important notes about InCommon certificates

To use InCommon certificates, you must concatenate the domain-specific certificate with the intermediate and root certificates, in a specific order.

To ensure your certificates are in the correct order, please do the following:

  1. Log into the InCommon Certificate Manager.
  2. Download "x509 Base64 Certificate Only".

Example of download InCommon certificates

  1. Download "x509 Base64 Intermediates Only Reverse".
  2. Open both files in a text editor like Notepad.
  3. Copy the contents of the "x509 Base64 Intermediates Only Reverse" file and paste it to the end of the "Certificate Only" file.
  4. Save the file as a new .CRT file. 

When finished, your certificates should be in an order such as this:

  • Site certificate (X509 Certificate only) 
  • Inter 2 - InCommonRSAServerCA_2 
  • Inter 1 - USERTrustRSAAddTrustCA 
  • Trust - AddTrustExternalCARoot.

Maintaining your own SSL certificate

When a certificate you uploaded is within 60 days of expiring, LibApps will automatically send a renewal reminder email to the user who originally uploaded it. To replace your existing certificate, simply upload a new one following the same steps above. Your new certificate will be installed within 1 business day, replacing the current one automatically.

If you do nothing and your SSL certificate is approaching its expiration date, we will automatically attempt to replace it with a free Let's Encrypt certificate at no cost to you (important note about CAA records for Let's Encrypt certificates). This is to prevent the loss of HTTPS coverage for your site.