Menu

Lumen help

Let's Encrypt Certificates (V2)

Important: This guide is for the V2 version of Media portal only. If you’re using V3, please refer to Configuration Management for V3, and if you are on V1.5, please note that this version has now been deprecated and we invite you to read our guide on migrating to V3.


If you want to avoid the process of working directly with a certificate authority, you can create a Let's Encrypt certificate using Media portal. Let's Encrypt is an open-source certificate authority. But before using Let's Encrypt certificates with live traffic, be sure that they are compatible with your needs. Learn more about Let's Encrypt certificate compatibility. If you're migrating from another provider to Lumen, you can also request a certificate for migrating your properties.

 

To manage your certificates, you’ll need to navigate to the “Manage Certificates” menu of your Service Component ID (SCID). To do this, sign into Media Portal, select My Services > Caching from the tab across the screen, and from the lists, select the access group and SCID you’d like to work with. click on “Manage Certificates” to open the menu. Media portal lists the certificates associated with the SCID you selected, and the states of the certificates. Certificates in active state are ready to use; certificates with other states may need your attention or may still being processed. To view details for a certificate, on the row for the certificate you want to view details for, click the linked certificate name. Media Portal shows details for the certificate. If the certificate has pending changes, you can toggle between the active certificate (Current tab) and the changes (Pending tab).

Creating a Let’s Encrypt Certificate

To create a Let’s Encrypt certificate, navigate to the “Manage Certificates” menu as described above. Media portal lists the certificates associated with the SCID you selected. Click on “New Certificate” to begin creating a new certificate.

 

  • Type in a “Certificate name” for the new certificate and click on “Request Let’s Encrypt”.

     

  • Now, fill in the following information for the certificate -

     

    • In the “Common Name field”, type the fully qualified domain name you want to secure. You can use a wildcard in the domain name to indicate all subdomains. For example, *.domain.com secures all subdomains under Website Domain Names, Online Stores & Hosting - Domain.com.

       

    • If you don't want the certificate to automatically renew, clear the Auto-Renew checkbox. (We recommend you let the certificate automatically renew so you don't have to remember to renew it on your own).

       

    • From the “Key Algorithm” list, select RSA

       

    • From the “Key Parameter” list, select the number of characters for the certificate - 2048, or 4096.

       

    • If you need to specify additional host names for the certificate, click Add (in the Subject Alternate Names (SAN) field), then type the fully qualified domain name.

       

    • Repeat this step to add additional host names. When you use this certificate on a property, you must list all host names you specify here in the “Aliases” list on the property.)

       

  • Once all the details are filled, click “Submit”.

Action is needed by you for the Let’s Encrypt provisioning process to succeed

  • Once your request has been submitted, our system automatically generates Let’s Encrypt specific CNAMES corresponding to your Common Name and optional Subject Alternate Names (SANs).  You must add these CNAME records to your DNS system for us to pass the electronic Let’s Encrypt challenge that is required to prove that we are authorized to act on your behalf.

     

  • Upon clicking “submit”, you have the option to be notified by email once they are created, but you can also simply click on the certificate name where you will find them listed once available. Please note that these CNAMES should not be confused with those needed to route traffic to our network. These are provided within the property details of your configuration, after you have promoted it. Wildcard CNAMES will be different from the Let’s Encrypt Challenge CNAMES.

     

  • Click “Close” to finish creating the certificate. You can now reference the certificate in a property on a configuration and before you promote it to production don’t forget to add the required Let’s Encrypt CNAMEs provided to your DNS system. This is important because your certificate request is processed only after you have promoted your configuration.  You can track the various states of this process in Environment History. Once your configuration is successfully promoted, your certificate will have been obtained and activated.

Updating a Let’s Encrypt Certificate

After creating a Let’s Encrypt certificate, You can always make changes to them, but remember that the changes won’t be reflected until you promote a configuration referencing the certificate to production. To update a Let's Encrypt certificate, select one of the following options in the “Actions” column for the certificate.

 

  • Regenerate LE - You can regenerate a Let's Encrypt certificate by selecting “Regenerate LE” to make changes to the certificate such as adding additional host names, updating the key encryption, or changing the common name. Once you make the changes, click “Update” and Media Portal will save your changes on the “Pending” tab in the certificate details. you need to promote a configuration referencing the certificate to production to make the changes take effect.

     

  • Re-Issue - Use this action to revoke a certificate and replace it with a new certificate using the same certificate name you originally provided. It is especially useful when your Let’s Encrypt certificate is compromised. Click “Re-issue” to reissue your Let’s Encrypt certificate, and Media Portal will make the changes immediately in production. You don't need to promote a configuration to production.

     

  • Delete - You can delete a Let's Encrypt certificate from Media portal if you no longer need it, by selecting this action. Depending on the state of the certificate, you may not be able to delete it until you complete a particular task. For example, you can't delete a certificate if it's referenced by a configuration in production. If the certificate is referenced, edit the configuration first, save your changes, and promote the configuration to production. Once the changes propagate, you can then delete the certificate.