Installing a Third-Party SSL Certificate

If you are on a Pro or Enterprise plan, you can install an SSL certificate from a third-party certificate issuer. This can be useful if you purchased a domain from a third party and want to apply their SSL certificate, or if you are planning to use a multi-domain or wildcard SSL.

For a third-party SSL certificate, you will need to generate a CSR (Certificate Signing Request) in BigCommerce, which will give the SSL certificate provider the necessary information to create a working SSL certificate.

If you're on a Standard or Plus plan, you can use the automatically enabled free SSL certificate or purchase one from BigCommerce.

You will need to generate a CSR (Certificate Signing Request) to provide your third-party certificate issuer before generating an SSL certificate. The CSR contains store and server information necessary for the SSL certificate to be installed successfully.

1. Log into your store as the Store Owner, and go to Settings › SSL certificates.

2. Click Generate a CSR.

3. Complete the required information, then click Generate CSR.

• Approver Email — the email address selected from the dropdown menu to approve the SSL request. You must have access to this email address to complete the SSL install process.
• Common Name (CN) — the fully qualified domain name you wish to secure (selected in Step 2)
• Organization Name (O) — usually the legal incorporated name of a company. It should include any suffixes, such as Ltd., Inc., or Corp.
• Organizational Unit (OU) — the department name (e.g. HR, Finance, IT)
• Locale (L) — city or town (e.g. Austin, San Francisco, Sydney)
• State/Province (S) — state, province, region, or county
• Country Code (C) — the two-letter ISO code for the country where your organization is located (e.g. US, CA, GB)

4. On the following page, you will be provided the CSR. Click anywhere in the box and copy the entire block of code, including the lines that contain -----BEGIN CERTIFICATE REQUEST----- and -----END CERTIFICATE REQUEST-----.

We'll also email the generated CSR to the Approver Email address. The message will have the subject line, A new CSR has been generated for your SSL certificate.

You can now generate your SSL certificate with your third-party provider, using the CSR from the previous section. If you've already received your SSL certificate before getting the CSR, reach out to your SSL certificate issuer for guidance on reissuing the SSL certificate.

1. Provide the certificate issuer with the CSR you copied in the previous step.

2. Use the following settings when downloading your SSL certificate:

• Server type - Apache or Apache Mod (HTTP)
• Hash - SHA-2 (SHA 256)
• Bit Strength - 4096-bit or 2048-bit

3. You will receive two files: the SSL certificate and a bundle containing the intermediate certificate. If you receive them combined in a zipped file, extract them on your computer before proceeding.

4. Open the certificates using a text editor, such as Notepad or TextEdit. You may need to launch the text editor first, then navigate to your certificate files. Copy the SSL certificate, including the lines that contain -----BEGIN CERTIFICATE----- and -----END CERTIFICATE-----.

5. In the BigCommerce control panel, go back to Settings › SSL certificates, then click Install a 3rd party SSL.

6. Paste your SSL Certificates into the appropriate fields. Ensure that there are no spaces before and after the dashes at the start and end of the certificate.

• SSL Certificate — the SSL certificate; it will not be labeled bundle, CA, or intermediate
• Intermediate Certificate — the SSL certificate that is labeled bundle, CA, or intermediate; may consist of multiple blocks of code.

7. Click Install SSL Certificate.

Your SSL certificate will take approximately 20 minutes to install. After this time, you can use the tools listed below to verify that it was properly installed.

Multi-domain and wildcard SSL certificates have the capacity to cover multiple domains or subdomains. As such, they can be very useful if you are running multiple stores or a single store with several sub-sites. Multi-domain SSL certificates will work with any domain name entered as the Common Name or SAN (Subject Alternative Name) when purchasing the SSL certificate.

Wildcard SSL certificates can be used for multiple subdomains of a single domain. For example, you could purchase a single wildcard SSL certificate to apply to www.domain.com, shop.domain.com, blog.domain.com, and so forth.

SSL certificates require a private key that matches the CSR used to generate them. BigCommerce does not provide private keys, and CSRs generated by BigCommerce cannot be used for a certificate that has a wildcard common name or a common name other than the domain/subdomain of the store. Therefore, when installing a multi-domain or wildcard SSL certificate, you will need to follow some additional steps to generate a private key beforehand.

1. Generate a CSR and private key using a CSR generator. Store the private key somewhere safe on your computer, and do not share it with anyone.

2. Provide the CSR to the certificate authority (CA) you purchased the wildcard SSL certificate from and have them reissue or regenerate the certificate. They will also provide you with an intermediate certificate.

3. In your BigCommerce store, go to Settings › SSL certificates. Select Install a 3rd party SSL.

4. Enter the SSL certificate, private key, and intermediate certificate provided by your certificate authority. Click Install SSL Certificate.

5. You should see a success message. If not, check for any extra spaces before and after the SSL certificate, private key, and intermediate certificate.

You can check your SSL using the following tools:

• SSL Shopper's SSL Checker - this tool will check that your domain is using a properly-installed SSL
• SSL Shopper's Certificate Decoder - this tool can help you check your SSL's information, such as its expiration date
• Why No Padlock? - this page checks individual secure URLs and provides specific security errors if it detects any problems

Why am I getting the error "Failed to provision the rate plan for the service."?

This will occur if the SSL Certificate you are installing was issued before a CSR was generated. Use the above steps to generate a new CSR, then reach out to your certificate issuer to reissue your SSL certificate. This can also occur if there are spaces before or after the dashes at the start and end of the certificate after pasting it into the SSL Certificate field.

If you continue to receive this error after these troubleshooting steps, please contact our support team.

Why am I getting the error "Cert is not valid for domain"?

When purchasing a third-party SSL certificate, your SSL provider will prompt you to enter the domain names to include in the certificate. The WWW version (www.domain.com) and non-WWW version (domain.com) must be included in order for the SSL certificate to install properly on your store.

If you need to enter the WWW and non-WWW versions of your domain after you generated a CSR for your certificate, regenerate the CSR before installing the certificate in your store.