The SSL is an important security feature of your candidate portal and it is mandatory that your Eploy candidate portal has a valid SSL to make the site secure. It ensures your candidate portal is secure as well as giving candidates peace of mind over the security of the information they provide.
You can manage the renewal of your SSL within your Eploy system, helping to ensure the website is always secure.
Hint - When viewing your domain, the SSL drives the S in HTTPS. If this isn't in place, the browser will show your website as non-secure.
If you are using a root domain or a subdomain, there are two options available for SSLs for your Eploy system:
- Provide your own custom SSL
- Use Let’s Encrypt (via Eploy)
If your Eploy candidate portal will run in a subfolder, there must also be a valid SSL applied to the root domain for the site. Eploy will not be able to set any Candidate Portal live if there is no valid SSL for the domain.
SSL/Domain Information in Eploy
To manage your SSL, select Admin - Security Settings - SSL / Domain Information from the blue Eploy menu.
You will need the User Security Settings Permission to see this module.
From here, you will be able to review any SSLs that you currently have in place, as well as any domains that are associated with your system. You will also have access to the expiry date and any other relevant information.
Let’s Encrypt is a free, automated, and open certificate authority (CA), run for the public’s benefit. It is a service provided by the Internet Security Research Group (ISRG).
You can find out more about how Let’s Encrypt on their website: https://letsencrypt.org/
How does Let’s Encrypt work with Eploy?
If you don’t have a requirement to use your own custom SSL, your Eploy system can automatically use a certificate issued by Let’s Encrypt. If a valid custom SSL is not uploaded to your system for your domain, a Let’s Encrypt certificate will automatically be generated and applied to the system when it is set live. Your own custom SSL will always take precedent, with Let’s Encrypt as the ‘back up’. This option is fully automated and requires no manual intervention from Eploy or from you as the customer.
Let’s Encrypt as a Fail over
If you do use a custom SSL, your Eploy system will automatically fail over to Let’s Encrypt if your custom certificate expires and a valid new one has not been uploaded to your system.
You can upload a new custom certificate at any time and this will be applied (and replaces the Let’s Encrypt certificate).
As the services provided by Let’s Encrypt are outside of Eploy’s control, we cannot guarantee its availability as a service. If for any reason Let’s Encrypt no longer becomes available or becomes a chargeable service, we cannot guarantee it’s continued use with Eploy systems.
Ultimately it is the customers responsibility to provide an SSL for your systems website in the event of Let’s Encrypt ceasing to offer certificates with no charge, or to offer them at all.
What if I don’t want to use Let’s Encrypt?
If you want to use custom SSL’s for your system website and don’t want to fall back onto a Let’s Encrypt issued certificate, you can opt out. You’ll need to inform us that you wish to opt out of Let’s Encrypt in writing - either to your Implementation Manager if you are a new customer in Implementation or to your Account Manager if you are an existing customer.
It’s important to remember that you are responsible to provide a new SSL and upload it to your Eploy system before the old one expires to ensure your website continues to operate securely.
If you have a requirement to use a custom SSL, you will need to provide this and also provide a new one when it expires. Eploy cannot purchase this on your behalf and does not monitor when SSLs are due to expire. As above, if a custom SSL expires, we will automatically apply a Let’s Encrypt issued certificate which will be in place until you upload a new custom certificate to your Eploy system.
There are 2 methods to create and apply an SSL.
- You generate a Certificate Signing Request (CSR) in your Eploy system. From this, you generate a Certificate Response and upload this in your Eploy system.
- You create your own certificate and provide us with a Personal Information Exchange Format (PFX) file and a password.
CSR (Certificate Signing Request) Method
To apply for an SSL from your provider, you will need to create a CSR (Certificate Signing Request). A CSR is a block of encrypted text that you provide to a Certificate Authority when applying for an SSL certificate that contains the information they need.
Once you have populated the required information, clicking Create will trigger a download of the CSR, which can be passed onto your SSL provider so that you can purchase your SSL.
Applying the SSL
Once the SSL has been purchased, you can then upload this to the system for your domain, which will then apply as required. To do this, simply select Upload Certificate and upload the file provided. This will then be applied to your domain within 10-15mins.
When you have a certificate file (.pfx), you can upload this directly into your Eploy system.
Users with the User Security Settings Permission will receive reminder emails when SSL’s are due to expire. The first reminder is sent 6 weeks prior to expiry and then every week until the certificate expires or it is renewed.
If you have a custom SSL and have not provided a new one by the expiry date, Let's Encrypt will automatically apply a certificate when your custom SSL expires.