
B2C Commerce SSL Certificate Questions and Answers

Publication date: Feb 9, 2026
Resolution

What is an SSL certificate, and why do I need one?

SSL is an acronym for Secure Sockets Layer, an encryption technology. SSL creates an encrypted connection between your web server and your visitor's web browser, so that private information can be transmitted without eavesdropping, data tampering, or message forgery.
 
Millions of online businesses use the SSL protocol and certificates to secure their websites and to allow their customers to place trust in them. In order to use the SSL protocol, a web server requires an SSL certificate, which is provided by known CAs, or Certificate Authorities. Your customers won't trust your website without an SSL certificate.
 
If you are transmitting sensitive information, such as credit card numbers or personal information, on a website, you need to secure it with SSL encryption.
 
What type of certificate does B2C Commerce Cloud recommend for our platform?
B2C Commerce Cloud does not support self-signed certificates. We recommend that all Commerce Cloud customers purchase a SAN (Subject Alternative Name) or UCC (Unified Communications Certificate) SSL certificate if they have more than one site, if they plan a multi-site environment in the future, or if they plan to host more than one domain or sub-domain on a single site -- for example, a mobile version, or a micro-site.
 
Both SAN and UCC certificates give full control of the Subject Alternative Name field, so you can secure as few or as many hostnames as you would like with just one SSL certificate.

Why does B2C Commerce Cloud recommend a SAN certificate? Can we have just a single SSL certificate?
If you have multiple sites or domains, we recommend a SAN certificate that secures multiple hostnames, as it is easier to manage and will be cost-effective in the long run. If you only have one site, and do not expect the business to add localized sites or a multi-site setup, a single SSL certificate should suffice. Which type of certificate to purchase is a business or management decision on your end.

Does B2C Commerce Cloud charge anything if we decide not to get a SAN, but we have multiple sites and want a single certificate for each?
No; however, uploaded custom certificates will be automatically grouped together into a Certificate Pack before being deployed to the global edge. A Certificate Pack is a group of certificates that share the same set of hostnames — for example, example.com and *.example.com — but that use different signature algorithms. Each pack can include up to three certificates, with one from each of the following signature algorithms:
  1. SHA-2/RSA
  2. SHA-2/ECDSA
  3. SHA-1/RSA
     
What CA (Certificate Authority) does B2C Commerce Cloud recommend?
B2C Commerce Cloud does not recommend specific CA vendors. It is the customer's decision which CA to choose, and every CA has its own pricing and product options. Some are well known, and some are not. Some are more trusted or accepted by all browsers, and others are not. If you are selecting a CA for a SAN certificate and feel that maybe Verisign or Entrust are a little too expensive, there are other, less expensive options to consider, like GoDaddy and GeoTrust. It is your own business decision to make, as the Certificate Authority is visible to all your potential customers, and it is that CA that they are putting their trust in.
 
How do I verify the certificate I currently have installed is a SAN?
Navigate to your site(s) over HTTPS, then click the padlock icon in your browser to view the SSL certificate details. There, you will find a Subject Alternative Name extension that lists the accepted domains.

You can also use the DigiCert SSL Installation Diagnostics Tool, or SSLShopper to review.
 
We don't know what type of certificate to purchase. What is the difference between a Single, SAN, and Wildcard certificate?
Single SSL Certificate
A single SSL certificate is used to secure just one domain/site, and is less costly than a SAN or wildcard certificate; however, its limitation is that it cannot secure more than one site. If you have multiple sites, a SAN or wildcard certificate would be an easier and more efficient option.

Wildcard
A wildcard certificate can secure an unlimited number of first-level subdomains on a single domain name. For example, you could get a wildcard certificate with *.yourdomain.com as the common name. This certificate would secure www.yourdomain.com, mail.yourdomain.com, secure.yourdomain.com, anything.yourdomain.com, etc. In other words, it will work on any sub-domain that replaces the wildcard character (*).

SAN (Subject Alternative Names)
This type of certificate allows you to specify a list of hostnames to be protected by a single SSL certificate. These hostnames don't have to follow any given pattern. One certificate can secure www.example.net, www.example.us, www.yourdomain.com, anything.yourdomain.us, etc.
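
The wildcard and SAN rules above, together with the SAN check from the earlier question, as an added example (not Salesforce code): a Python check that reports which planned storefront hostnames a certificate's Subject Alternative Name list covers. The SAN lists are constructed samples built from this page's example hostnames, and the function names are hypothetical.

```python
def matches(pattern, hostname):
    """True if one SAN dNSName entry covers hostname.

    "*" is honoured only as the whole left-most label and stands for exactly
    one label: *.yourdomain.com covers www.yourdomain.com, but not
    yourdomain.com or a.b.yourdomain.com.
    """
    p = pattern.lower().rstrip(".").split(".")
    h = hostname.lower().rstrip(".").split(".")
    if len(p) != len(h) or "" in h:
        return False
    if p[0] == "*":
        # Conservative assumption: refuse over-broad patterns such as "*.com".
        return len(p) >= 3 and p[1:] == h[1:]
    return p == h


def coverage(san_entries, hostnames):
    """Map each hostname to the SAN entry covering it, or None.

    san_entries has the shape of ssl.getpeercert()["subjectAltName"]:
    (type, value) tuples. Only "DNS" entries are considered.
    """
    dns_names = [value for kind, value in san_entries if kind == "DNS"]
    return {host: next((n for n in dns_names if matches(n, host)), None)
            for host in hostnames}


if __name__ == "__main__":
    # Constructed sample: a wildcard-only certificate.
    wildcard_only = [("DNS", "*.yourdomain.com")]
    # Constructed sample: a SAN certificate listing unrelated hostnames.
    san_cert = [("DNS", "yourdomain.com"), ("DNS", "*.yourdomain.com"),
                ("DNS", "www.example.net"), ("DNS", "www.example.us")]
    planned = ["yourdomain.com", "www.yourdomain.com",
               "m.shop.yourdomain.com", "www.example.net"]
    for label, sans in (("wildcard", wildcard_only), ("SAN", san_cert)):
        for host, entry in coverage(sans, planned).items():
            status = f"covered by {entry}" if entry else "NOT COVERED"
            print(f"{label:8} {host:24} {status}")
```

A hostname reported as NOT COVERED needs its own SAN entry before its DNS is pointed at the zone; the bare domain is the usual gap when only a wildcard was ordered.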
 
How do I get the certificates installed for my site in B2C Commerce Cloud?
Please see the following article to install your certificate(s): Install a SSL Certificate on B2C Commerce

Can I install a self-signed certificate on my Staging or Development instances?
Commerce Cloud does not allow the installation of self-signed certificates for any of our instances.
 
Can we have multiple SSL certificates on our realm?
Yes. Each certificate will be added to its associated zones in Business Manager under Embedded CDN Settings. You will then configure your DNS to point to the appropriate DNS CNAME listed for each hostname covered.
 
What does a Certificate Authority require to provide a certificate?
When you are purchasing a CA-signed certificate, a Certificate Authority may ask for the server type and/or URL from which Salesforce connects.

Salesforce recommends having Apache as the server type. We also recommend asking the CA if they accept wildcard URLs for the connecting URL, since we can't really provide a single URL endpoint that Salesforce will call out from. The URL that should be used is: https://*.salesforce.com.

What about SSL on my Development instance and on sandboxes?
All Primary Instance Group (PIG) instances including Development and Staging support custom SSL certificates through Business Manager just like Production. For more information, see Install a SSL Certificate on B2C Commerce.

Sandboxes do not currently support custom SSL certificates, and serve only the *.demandware.net certificate.
 

Can we install our own SSL certificate on Staging?

Yes. Please see the Install a SSL Certificate on B2C Commerce article for more details.
 
Does Commerce Cloud monitor the expiration date of my certificate?
No. Commerce Cloud does not monitor the expiration date of the SSL certificates. It is the responsibility of each client to keep track of the expiration date.
 
The CA where the certificate was purchased, however, might offer a notification service.
 
My current certificate expires soon. When should I contact B2C Commerce Cloud Support?
No ticket should be necessary. You should replace your certificate as outlined in Update an eCDN Zone's Certificate.


Can I also use an SSL certificate for sandboxes?

No. B2C Commerce Cloud does not support custom SSL certificates on sandboxes.
 
We want to point mydomain.com and www.mydomain.com to our site. Can you advise which IP address we need to point these common names?
With the Embedded CDN, you will be provided a CDN alias to which you point the DNS CNAME record for your Fully Qualified Domain Name (FQDN), rather than an A record pointing to a B2C Commerce Cloud IP address.
 
If my site is a "non-transactional" site with no purchase options, do I still need a certificate?
With the Embedded CDN, all sites will require an SSL certificate. If your site is non-transactional, you can opt to use basic, inexpensive, or free SSL certificate options available from a variety of Certificate Authorities. You may utilize eCDN managed certificates as well.
 
When renewing a certificate, do I need to open a case with Commerce Cloud Support? 
No. Renewing a certificate is completely self-service. Instructions and other helpful information can be found in Update an eCDN Zone's Certificate.


Are there any programmable alerts on the B2C platform to notify users of an expiring certificate?

No. As these are custom certificates that are being installed for your sites, these alerts must be managed off-platform. We suggest checking with your IT or admin team, since the Certificate Authority will usually notify the administrator that manages your organization's certificates of any upcoming expirations. 

 

Please note that eCDN managed certificates renew automatically.
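
Because expiry alerts for custom certificates must be managed off-platform, here is one way to run that check from your own scheduler, as an added example (not Salesforce code). The thresholds, function names and the hostname in the main block are assumptions; replace the hostname with every hostname your zones serve.

```python
import socket
import ssl
import time

WARN_DAYS = 30     # assumed thresholds; set them to your renewal lead time
CRITICAL_DAYS = 7


def fetch_cert(hostname, port=443, timeout=10):
    """Return the validated leaf certificate a host serves, as a dict."""
    ctx = ssl.create_default_context()
    with socket.create_connection((hostname, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            return tls.getpeercert()


def days_remaining(cert, now=None):
    """Whole days until notAfter; negative once the certificate has expired."""
    now = time.time() if now is None else now
    return int((ssl.cert_time_to_seconds(cert["notAfter"]) - now) // 86400)


def classify(cert, now=None):
    """Return (status, days); status is OK, WARN, CRITICAL or EXPIRED."""
    days = days_remaining(cert, now)
    if days < 0:
        return "EXPIRED", days
    if days <= CRITICAL_DAYS:
        return "CRITICAL", days
    if days <= WARN_DAYS:
        return "WARN", days
    return "OK", days


def check_hosts(hostnames, fetch=fetch_cert, now=None):
    """Classify each hostname; a failed connection or validation is a finding."""
    report = {}
    for host in hostnames:
        try:
            report[host] = classify(fetch(host), now)
        except OSError as exc:  # includes ssl.SSLError, e.g. an expired cert
            report[host] = ("ERROR", str(exc))
    return report


if __name__ == "__main__":
    # Placeholder hostname: replace with every hostname your zones serve.
    for host, (status, detail) in check_hosts(["www.example.com"]).items():
        print(f"{status:8} {host} {detail}")
```

Check each hostname rather than one per certificate, since an edge that is still serving the old certificate for one hostname after a renewal only shows up that way.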


If you have any further questions, please reach out to Salesforce B2C Commerce Cloud Support, and we will do our best to provide answers.

Knowledge article number

000391204

 