Information:
Cloud Provisioning handle ordering of Blackboard provided custom SSL (non-.blackboard.com URLs) for SaaS Learn. The certificates are ordered via Amazon (Amazon Certificate Manager, ACM). This applies for:
- Any SaaS Learn customer (no purchase required), except Evals and clients in China*
Customer provided SSL certificates
Note:
- Requests to change *.blackboard.com URLs can be completed directly in CAPTain; adding CNAMEs can be done via JIRA to Ops
- SaaS certs include both *.blackboard.com and the custom URLs, so any blackboard.com URLs will continue working
- * China SaaS: We do not support Custom SSL in China. All sites have *.blackboard.com.cn URLs.
See the Frequently Asked Questions at the end of this page for answers to common questions.
Process for Bb-provided SSL
1. Determine URLs
Determine the desired URLs ahead of time, e.g. at least 2 weeks before needed.
- Determine the custom URL(s) the customer would like to use
- Wildcard URLs are supported and preferred (so ask this), e.g. *.clientname.edu will allow us to issue a certificate that can be used for any URL at .clientname.edu without updating the cert in future, and the same cert can be applied to Prod and to Test as needed.
- *.blackboard.com will be included by default on the certificate, so any blackboard.com URLs will continue working. No need to specially request this.
- Check if the client has CAA records, which you can test using http://caatest.co.uk , and if so the client needs to add the following as a CAA record in their DNS to allow us to issue the certificate: 0 issue "amazon.com"
- Proceed to Obtain SSL cert
2. Obtain SSL Cert
We as support will request the SSL certificate to be ordered when you have confirmed the desired URL
We will need to know
- Current URL: Specify the current URL of the SaaS site (typically blackboard.com)
- If the current URL(s) needs to be removed : In the case of a change from an existing custom URL to a new one, list the old URLs that will no longer be in use
- How the cert will be applied: Either, to be applied any time or, at specific time in the future
- Allow 3 business days for the process to be actioned.
We will order the new SSL URLs from Amazon (one cert per client typically), and update the client with DNS validation records for the client to create
3. Apply SSL/URL changes
Finally Support request to apply the SSL certificate and make URL configuration changes, when needed. The client must update their DNS to be a CNAME to the current blackboard.com URL
Frequently Asked Questions
Note: The ACM FAQ here has many general answers as well https://aws.amazon.com/certificate-manager/faqs/?nc1=h_ls#ACM_Public_Certificates
|
Question
|
Answer
|
|---|
| What are the DNS validation records for? |
The DNS CNAMEs pointing to acm-validations.aws allow you to confirm approval for the certificate being issued to Blackboard on behalf of Amazon. They only allow Blackboard to issue certificates to deploy on Learn SaaS environments. Both the Name (first part) and the Value (second part) contain unique strings tied to the specific request, which allows Amazon Certificate Manager to automatically validate and renew the certificate using DNS TXT records.
|
|
Do I need to keep the DNS record in place, what happens if I remove it?
|
Yes, the validation DNS records must be kept in place. If they are removed, the certificate will fail to renew which may cause the Learn site to have expired SSL
|
| The URL is currently in use pointing to my SH/MH Learn environment, is it safe to create the DNS validation records? | Yes, the validation records just indicate your approval for the certificate to be issued and renewed - this is entirely separate from any DNS record you already have to point the URL to your Learn environment |
| The DNS record you requested has a period (.) at the end of it, is that part of it? | Yes, it is standard that all DNS records end with a period (.). However some DNS systems will add this for you, check the resulting DNS record or your DNS server user guide. |
| Is any downtime required to update my certificate? |
No, updating the certificate is instant and requires no downtime. The previous *.blackboard.com URL will remain working too.
If you are changing the primary URL of the environment, we will also need to perform a rolling restart to update configuration but this can be scheduled at a separate time.
|
| My DNS server won't allow DNS records that start with an underscore, how do I proceed? | The Name (first part) must start with an underscore however you can omit the underscore from the Target (second part) of the CNAME record. |
| How can I check that I have entered the DNS record correctly? | Use an online tool such as http://digwebinterface.com and enter the first part (Name) of the DNS validation record. The result will confirm if this exists as a CNAME and you can also verify the Value (second part) matches. |
| My DNS Server uses different terminology and I am not sure which is the Name and which is the Value - can you help? |
Some DNS servers use alternative naming conventions, below are some examples
- Name: Alias, Canonical Name, CNAME
- Value: Target
|
