This article gives quick answers to questions about getting SSL (TLS) certificates for your Magento Commerce (Cloud) site. For more in-depth info, please see the detailed FAQ on SSL.
Who can get a certificate?
All Magento Commerce (Cloud) clients may get a shared SSL certificate powered by Fastly.
Which domains does a certificate cover?
Staging and Production domain names, as well as the first-level subdomain names.
For example, if your Production domain name is example.com, the Fastly wildcard SSL certificate covers *.example.com (such as Staging domain names in the format staging.example.com or prod.example.com).
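The following check is an added example, not Magento or Fastly code. It classifies a list of hostnames against the coverage described above, so you can spot names the wildcard does not reach before you put them in a ticket. It assumes the certificate carries exactly two names, the Production domain and `*.<domain>`, and that `*` stands for a single label; the function names and sample hostnames are constructed for illustration.

```python
# Added example: classify hostnames against the coverage described above.
# Assumption: the certificate carries two names, "<domain>" and "*.<domain>".

def normalize(name: str) -> str:
    """Lower-case and drop a trailing root dot so comparisons are stable."""
    return name.strip().lower().rstrip(".")


def matches(pattern: str, host: str) -> bool:
    """Match one certificate name against a host; '*' stands for exactly one label."""
    p_labels = normalize(pattern).split(".")
    h_labels = normalize(host).split(".")
    if len(p_labels) != len(h_labels) or "" in h_labels:
        return False
    if p_labels[0] == "*":
        # The wildcard covers the left-most label only, never a dot.
        return p_labels[1:] == h_labels[1:]
    return p_labels == h_labels


def coverage(production_domain: str, hosts: list[str]) -> dict[str, bool]:
    """Return {host: covered?} for a certificate on domain + *.domain."""
    domain = normalize(production_domain)
    cert_names = [domain, "*." + domain]
    return {h: any(matches(n, h) for n in cert_names) for h in hosts}


if __name__ == "__main__":
    # Constructed sample list, not taken from a real site.
    sample = [
        "example.com",
        "staging.example.com",
        "PROD.Example.com.",
        "shop.eu.example.com",      # second-level subdomain
        "example.com.example.net",  # different registered domain
        "stagingexample.com",       # no label boundary
    ]
    for host, ok in coverage("example.com", sample).items():
        print(f"{host:28} {'covered' if ok else 'NOT covered'}")
```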
How do I request a certificate?
Submit a support ticket asking for a certificate.
Include the list of domain names you want to use the certificate for. Please remember: before submitting a ticket, a Client or a System Integrator should create these domain names and point them to Fastly.
In response to your support ticket, Magento provides a TXT record to be added to your DNS records for the corresponding domain names. This TXT record is used for SSL certificate validation, so please let the Magento Support Team know once the record is added.
Can I use my own certificates?
You have the following options: add your certificate to Fastly (involves a fee) or bypass Fastly.
Add your certificate to Fastly (paid)
Submit a support ticket requesting that your certificate be added to Fastly.
This option lets you use the certificate without bypassing Fastly, but it is a paid service. Please contact your Magento Customer Success Manager for details.
Use your certificate and bypass Fastly
In this case, your domain name should bypass Fastly (CNAME to the origin domain name, like *.c.<your_client_id>.ent.magento.cloud). The difficulty here is that Fastly is required for Magento Commerce (Cloud); thus, Magento does not recommend bypassing it.