SSL certificate implementation procedure
DANGER
This document is out-of-date and requires revision.
- Document Status: Policy v1.0 (Pending Final Review)
- Purpose: To standardize the selection, implementation, renewal, and failure recovery protocols for all SSL certificates used by morphsites hosted clients.
- Scope: Applies to all SSL certificate types, including DigiCert, Let's Encrypt, Cloudflare, and Client-provided assets.
Quick reference guide – the SSL selection matrix
| Option | Cost Model | Primary Benefit | Scope Coverage | Setup Complexity | Renewal Complexity | Ideal Use Case |
|---|---|---|---|---|---|---|
| Standard DigiCert | Paid (Annual) | Robust, Single Subdomain Protection | Domain + www Subdomain | 🟡 Medium | 🟡 Medium | General, single-site commercial use. |
| Wildcard DigiCert | Paid (Annual) | Maximum Subdomain Protection | Unlimited *.domain.com | 🟡 Medium | 🟡 Medium | Organizations requiring multiple distinct services (e.g., CRM, Images). |
| Cloudflare | Free (Service) + paid tiers | CDN, WAF, & DDoS Mitigation | Edge Layer Protection | 🔴 High | 🟢 Low | Sites prioritizing performance, security, and traffic management. |
| Let's Encrypt | Free | Budget-Friendly Redirects | Specific Domains/Redirects | 🟢 Low | 🟢 Low | Handling simple redirection paths; low commercial requirement. |
| Client Provided | Variable | Required by Client | N/A | 🟠 Medium/High | 🟠 Medium/High | Situations where the client mandates their specific credential. |
Additional notes
Cloudflare
- Function: Provides DNS nameservers, CDN, DDoS mitigation, and a free SSL layer (Source to Cloudflare).
- Caveat: Crucial reminder: Cloudflare protects the request path to Cloudflare. A secondary certificate must be installed on the hosting server to protect the path _between_ Cloudflare and the host.
- Approval: Requires input from Client to confirm they are happy to change domain nameservers to use Cloudflare services.
Decision flow – choosing the right SSL
This flowchart guides the project team through the decision process, ensuring all requirements are met before a proposal is made. This would need to be considered for each domain.
Core policy – certificate life cycle management
📅 Renewal process
The renewal process is proactive and centralized.
- Notification: A notice for every upcoming certificate expiration must be sent to domains@morphsites.com 90 days prior to expiration, with additional reminders at regular intervals.
- Task Creation: Upon notice receipt, an AgencyBeam task must be created (currently by Claire) and logged in the central Expiring Certificates SharePoint document.
- Execution: The renewal task is assigned to Edward & Jordan for execution via DigiCert.
- Billing: If successful, the final invoice must be forwarded to the Accounts Team immediately upon renewal to ensure seamless billing cycles.
⚠️ Expiry failure triage protocol
Accountability is assigned based on certificate ownership:
| Scenario | Failure Protocol | Responsible Team | Action Mandated |
|---|---|---|---|
| External Client-Managed | Expiry risk noted | Support Team | Proactive contact with the client to ensure they action the renewal. |
| Internal DigiCert (Managed) | Expiry detected. | Systems Operations (SysOps) | Immediate high-priority rectification. |
| Internal Let's Encrypt | Expiry detected. | Systems Operations (SysOps) | Immediate rectification and re-installation. |
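
The 90-day notice and the triage table above can be applied to a certificate inventory mechanically. The following is an added example, not part of the original procedure or any morphsites tooling; the ownership labels, function names, and the sample inventory are assumptions constructed for illustration.

```python
import ssl
from datetime import datetime, timezone

NOTICE_DAYS = 90  # first notice threshold from the renewal process
RENEWALS_MAILBOX = "domains@morphsites.com"
SYSOPS = "Systems Operations (SysOps)"
# Responsible team per the triage table; the dictionary keys are hypothetical labels.
TRIAGE_TEAM = {"client-managed": "Support Team", "digicert": SYSOPS, "letsencrypt": SYSOPS}

def days_remaining(not_after, now):
    """Whole days until expiry, negative once expired. not_after uses the text
    form found in ssl.SSLSocket.getpeercert()['notAfter']."""
    expires = datetime.fromtimestamp(ssl.cert_time_to_seconds(not_after), timezone.utc)
    return (expires - now).days  # floors, so "expired an hour ago" gives -1

def review(inventory, now):
    """Return (domain, status, days, route) for each certificate needing action."""
    findings = []
    for domain, ownership, not_after in inventory:
        if ownership not in TRIAGE_TEAM:
            raise ValueError(f"{domain}: unknown ownership {ownership!r}")
        days = days_remaining(not_after, now)
        if days > NOTICE_DAYS:
            continue  # outside the notice window, nothing to do yet
        if days < 0:
            findings.append((domain, "expired", days, TRIAGE_TEAM[ownership]))
        elif ownership == "client-managed":
            findings.append((domain, "expiry-risk", days, "Support Team"))
        else:
            findings.append((domain, "renewal-notice", days, RENEWALS_MAILBOX))
    return sorted(findings, key=lambda f: f[2])  # most urgent first

# Constructed sample data (not real client domains or certificates).
SAMPLE_NOW = datetime(2026, 1, 1, tzinfo=timezone.utc)
SAMPLE_INVENTORY = [
    ("shop.example.com", "digicert", "Mar 15 12:00:00 2026 GMT"),
    ("www.example.org", "letsencrypt", "Dec 20 00:00:00 2025 GMT"),
    ("portal.example.net", "client-managed", "Feb  1 00:00:00 2026 GMT"),
    ("crm.example.com", "digicert", "Jul  1 00:00:00 2026 GMT"),
]

if __name__ == "__main__":
    for domain, status, days, route in review(SAMPLE_INVENTORY, SAMPLE_NOW):
        print(f"{domain:22} {status:15} {days:4}d -> {route}")
```

Certificates still inside the notice window go to the renewals mailbox (or the Support Team when client-managed), while anything already expired goes to the team named in the triage table.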
Procedure recommendations
- RCA protocol: A mandatory Root Cause Analysis (RCA) report is not currently required for misconfiguration. (Recommend: Review the procedure to determine if mandatory RCA reporting should be implemented.)
- Documentation review: No mandatory process exists for reviewing and updating this core documentation. (Recommend: Implement an annual review and sign-off process to ensure the accuracy of this SOP.)
- Certificate usage: Not all clients have certificates that follow this pattern. (Recommend: Moving all sites to Let’s Encrypt to ensure a consistent approach to all clients.)
- ‼️ URGENT ACTION REQUIRED ‼️ Certificate lifetime adjustments: DigiCert now caps certificate lifespans at 199 days ahead of a phased industry drop to 47 days by 2029, a shift that does not affect Let's Encrypt since it already utilizes a proven, 90-day automated cycle. To prevent inevitable site outages, we must entirely eliminate manual hand-offs and mandate automated ACME workflows that handle renewals seamlessly in the background. Forge has confirmed they do not have, and have no plans to include, an ACME workflow for certificates that are not Let’s Encrypt at this time. (Recommend: Migrate all clients to Let's Encrypt to avoid the impossible administrative burden of manually exchanging or installing external certificate files up to eight times a year.)