This page applies to Appian Cloud only. It may not reflect the differences with Appian Government Cloud.
Certificates are required for customers wanting to use custom domains for their Appian Cloud environments. Self-service certificate management allows you to create, view and take action on the certificates relating to your environments through Cloud Resources in MyAppian. This page outlines the different features available through self-service certificate management, including:
Self-service certificate management allows you to easily view information relating to all the certificates deployed for your environments. You can quickly see:
Appian Cloud customers can request to customize environment URLs to provide a personalized experience to end users. Once you have decided on the environments that you wish to use a custom domain for, the first step towards using your custom domain is to generate a certificate signing request (CSR).
Tip: A CSR contains the information that a certificate authority will use to issue your certificate files. This includes details about your organization and the URLs you want covered by your certificate.
Here's what you'll need to know ahead of time:
Caution: You must use a domain that your organization owns. You cannot use an Appian owned domain (including appian.com, appiancloud.com, appiancloud.us, and any other domains that contain the word appian).
To generate a new certificate signing request:
Caution: You must enter all your Appian Cloud environments in the Additional Environments step. The CSR should cover all your environments in the Subject Alternative Name (SAN) field, including their respective static and dynamic Fully Qualified Domain Names (FQDNs).
Provide this certificate signing request to your relevant Certificate Authority or administrator to obtain a set of issued certificate files.
Once you have obtained issued certificate files from your certificate authority, the next step is to upload your files for deployment. The certificate files required are:
Tip: A PEM formatted certificate is a Base64 encoded string with distinct headers and footers. Each certificate definition begins with -----BEGIN CERTIFICATE----- and ends with -----END CERTIFICATE-----.
To upload certificate files:
Caution: The certificate issued by your Certificate Authority should list the FQDNs of all your Appian environments in the Subject Alternative Name (SAN) field. You can only use a single certificate that covers all your Appian environments.
The following steps are required to deploy a certificate:
Note: This step is only required for new or updated domains. For certificate renewals where the domain of your environments is not changing, no downtime is required.
When a certificate is close to expiration, Appian Support will notify you.
To renew the certificate:
Select the certificate that is close to expiration and click on RENEW REQUEST.
Caution: Renewing the request through this functionality will generate a new CSR, which you must do because you cannot reuse a previously provided CSR. This is consistent with best security practices because generating a new CSR creates a new unique pair of public and private keys for the renewed certificate.
Additionally, you must enter all your Appian Cloud environments in the Additional Environments step. The CSR should cover all your environments in the Subject Alternative Name (SAN) field, including their respective static and dynamic FQDNs.
After Appian Support receives the renewed certificate, they will deploy the certificates for the respective environments. This action does not require any downtime.
After the new certificates are deployed to Appian Cloud load balancers, you may need to update your DNS infrastructure to resolve your environment(s) FQDN(s) to a different DNS name provided by Appian Support.
Through self-service certificate management, you currently cannot change the subdomain portion of the FQDN that was assigned when the environment was created. Please open a new support case with Appian Support if you need to change it.
Wildcard certificates are not allowed in Appian Cloud. Attempting to upload one will result in a validation error.
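The two certificate rules on this page (every environment FQDN listed in the SAN field, no wildcard entries) can be checked locally before upload. The following is an added example, not Appian code: it uses only the Python standard library, locates the SAN extension by its OID bytes rather than fully parsing the certificate, and the host names and sample data are constructed placeholders.

```python
import base64
import re
SAN_OID = bytes.fromhex("0603551d11")  # DER bytes of OID 2.5.29.17 (subjectAltName)
PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s+(.+?)\s+-----END CERTIFICATE-----", re.S)

def tlv(tag, body):
    """Encode a short-form DER element (enough for the constructed sample)."""
    return bytes([tag, len(body)]) + body

def read_tlv(buf, pos):
    """Decode the DER element at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the count of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def san_dns_names(pem_text):
    """Return the dNSName SAN entries of the first certificate in a PEM string."""
    m = PEM_RE.search(pem_text)
    if not m:
        raise ValueError("no PEM certificate block found")
    der = base64.b64decode(m.group(1))
    at = der.find(SAN_OID)  # heuristic: locate the extension by its OID bytes
    if at < 0:
        return []
    tag, value, nxt = read_tlv(der, at + len(SAN_OID))
    if tag == 0x01:  # optional BOOLEAN "critical" flag precedes the value
        tag, value, nxt = read_tlv(der, nxt)
    _, names, _ = read_tlv(value, 0)  # OCTET STRING wraps SEQUENCE OF GeneralName
    out, pos = [], 0
    while pos < len(names):
        tag, val, pos = read_tlv(names, pos)
        if tag == 0x82:  # context tag [2] = dNSName
            out.append(val.decode("ascii").lower())
    return out

def precheck(pem_text, required_fqdns):
    """List required FQDNs absent from the SAN field, and any wildcard SANs."""
    sans = san_dns_names(pem_text)
    missing = sorted({f.lower() for f in required_fqdns} - set(sans))
    return {"missing": missing, "wildcards": [s for s in sans if s.startswith("*.")]}

# Constructed sample: a bare SAN extension in PEM armor, not a real certificate.
_names = b"".join(tlv(0x82, n) for n in (b"apps.example.com", b"*.example.com"))
_ext = tlv(0x30, SAN_OID + tlv(0x04, tlv(0x30, _names)))
SAMPLE_PEM = f"-----BEGIN CERTIFICATE-----\n{base64.b64encode(_ext).decode()}\n-----END CERTIFICATE-----\n"
```

Pass `precheck` the text of the issued certificate file and the full list of static and dynamic FQDNs for your environments; both lists in the result should be empty before you upload.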
The private keys for CSRs generated for Appian Cloud use are stored securely for use within Appian Cloud only. Private keys are not required to obtain issued certificate files. Key management is a critical component to keeping certificate signing trusted and secure.
The static and dynamic domains are automatically generated based on the requested custom domain that you provide. If you need these to be different to the domains that are generated, please open a new support case with Appian Support.