This article gives quick answers to questions about getting SSL (TLS) certificates for your Magento Commerce Cloud site.
Who can get a certificate?
All Magento Commerce Cloud clients can get a shared SSL certificate powered by Fastly.
Which domains does a certificate cover?
Staging and Production domain names, as well as the first-level subdomain names.
For example, if your Production domain name is example.com, the Fastly wildcard SSL certificate covers *.example.com (such as Staging domain names in the format staging.example.com or prod.example.com).
How do I request a certificate?
Submit a support ticket asking for a certificate.
Include the list of domain names you want to use the certificate for. Please remember: before submitting a ticket, a Client or a System Integrator should create these domain names and point them to Fastly.
In response to your support ticket, Magento provides a TXT record to be added to your DNS records for the corresponding domain names. This TXT record is used for SSL certificate validation, so please let the Magento Support Team know once the record is added.
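A pre-flight check you can run before telling Support the record is in place, as an added example that is not part of the original article or of Magento's or Fastly's tooling. It checks that each requested name is the Production domain or exactly one label below it, and that the validation TXT record is publicly visible. The function names, the name that holds the TXT record, and the token value are assumptions; the sample zone data is constructed.

```python
import shlex
import subprocess

def covered_by_wildcard(hostname, apex):
    """True for the apex itself or a name exactly one label below it."""
    host, apex = hostname.lower().rstrip("."), apex.lower().rstrip(".")
    if host == apex:
        return True
    label, dot, rest = host.partition(".")
    return bool(label) and dot == "." and rest == apex

def parse_dig_txt(output):
    """Turn `dig +short TXT` output into a list of record strings.

    Each line is one record; long records arrive as several quoted chunks
    that must be concatenated.
    """
    return ["".join(shlex.split(line))
            for line in output.splitlines() if line.strip()]

def dig_txt(name):
    """Query DNS with dig (needs network access and dig installed)."""
    result = subprocess.run(["dig", "+short", "TXT", name],
                            capture_output=True, text=True, check=True)
    return parse_dig_txt(result.stdout)

def preflight(hostnames, apex, txt_name, txt_value, lookup_txt=dig_txt):
    """Return a list of problems; an empty list means ready to notify Support."""
    problems = [f"{h}: not covered by *.{apex}"
                for h in hostnames if not covered_by_wildcard(h, apex)]
    # Assumption: Support tells you which name carries the TXT record.
    if txt_value not in lookup_txt(txt_name):
        problems.append(f"{txt_name}: validation TXT record not visible")
    return problems

# Constructed sample data: the token and zone contents are placeholders.
SAMPLE_ZONE = {"example.com": '"v=spf1 -all"\n"PLACEHOLDER-VALIDATION-" "TOKEN"\n'}

def sample_lookup(name):
    """Offline stand-in for dig_txt, backed by SAMPLE_ZONE."""
    return parse_dig_txt(SAMPLE_ZONE.get(name, ""))

if __name__ == "__main__":
    hosts = ["example.com", "staging.example.com", "a.staging.example.com"]
    for problem in preflight(hosts, "example.com", "example.com",
                             "PLACEHOLDER-VALIDATION-TOKEN", sample_lookup):
        print(problem)
```

Omit the `lookup_txt` argument to query live DNS through `dig` instead of the constructed zone.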
Can I use my own certificates?
You have the following options: add your certificate to Fastly (involves a fee) or bypass Fastly.
Add your certificate to Fastly (paid)
Submit a support ticket requesting that your certificate be added to Fastly.
This option lets you use your certificate without bypassing Fastly, although it is a paid service. Please contact your Magento Customer Success Manager for details.
Use your certificate and bypass Fastly
In this case, your domain name should bypass Fastly (CNAME to the origin domain name, like *.c.<your_client_id>.ent.magento.cloud). The difficulty here is that Fastly is required for Magento Commerce Cloud, so Magento does not recommend bypassing it.