Set Up a Custom Domain
Your Criipto Verify tenant is initially set up with a tenant-specific domain for testing, for example acme-corp-test.criipto.id. This is the domain to which your applications will send requests to Criipto.
As part of setting up your tenant for production, you will need to set up a specific production domain. You may choose to just set up a new criipto.id domain, such as acme-corp.criipto.id, but alternatively you can set up a domain of your own, for example login.acme-corp.com.
The following describes how to use your own domain with Criipto Verify.
Set up DNS CNAME record
- Configure a DNS CNAME record for your domain to point it to idp.criipto.id
- Go to Criipto Verify Dashboard and under Domain, choose to create a new domain
- Select <your-domain.*>, enter domain details, and choose Verify your domain settings
If your custom domain successfully resolved to idp.criipto.id, you will see a checkmark appear. Otherwise, give the DNS records more time to update, or check that you set the DNS CNAME record properly.
Create a self-contained certificate and upload it to Criipto Verify
- If you don’t have it already, download the root CA from your issuer
- Download the chain of intermediate certificates from your issuer. Certificate issuers typically make these available from the same public website where you downloaded the root certificate in step 1. We will assume in the following that you have downloaded this bundle to a file called ca_bundle.crt.
- You need the end-entity certificate and a corresponding private.key as well. Your mileage may vary a lot here, depending on which format your issuer makes this available in. Some will deliver 2 separate files, which we will refer to in the following as private.key and end-entity.crt. Others will wrap them into a password-protected .p12 or .pfx file. If you have such a file (and assuming that it is called certificate.pfx), you can split it up into a private key and an end-entity certificate with 2 openssl commands:
  openssl pkcs12 -in certificate.pfx -nocerts -out private.key
  openssl pkcs12 -in certificate.pfx -nokeys -out end-entity.crt
- Ensure that all certificate files are newline-terminated. You can use your favourite text editor to do this manually, but you can also leverage a tool such as sed by executing the following command for every certificate:
  sed -i -e '$a\' {file_name}.crt
  If you are on Windows, you can install the Ubuntu app to get access to sed.
- Concatenate all the certificates into one .pem file. Make sure to do it in the correct order.
  Linux:
  cat root.crt ca_bundle.crt end-entity.crt > all-certs.pem
  Windows:
  type root.crt ca_bundle.crt end-entity.crt > all-certs.pem
- Create a self-contained .p12 certificate. You will be prompted to create a password in this step.
  openssl pkcs12 -export -out {file_name}.p12 -inkey private.key -in all-certs.pem
  If you are on Windows, you can install the Ubuntu app to get access to openssl.
- In Criipto Verify Dashboard, under Domain, select your custom domain and upload a self-contained certificate with a password.
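The newline-termination and concatenation steps above can be checked mechanically. The following script is an added example, not Criipto's own tooling: it builds all-certs.pem in the order given on this page without editing the input files, and rejects any file in which BEGIN/END marker lines have fused together. The function names are hypothetical and the sample files are constructed placeholders, not real certificates; only the PEM framing is checked, not signatures or chain validity.

```shell
# Added example; file names follow the page, function names are hypothetical.

# ends_with_newline FILE: true if FILE is non-empty and its last byte is LF.
ends_with_newline() {
    [ -s "$1" ] && [ "$(tail -c 1 "$1" | od -An -tx1 | tr -d ' \n')" = 0a ]
}

# check_pem FILE: true if every line containing '-----' is a whole
# BEGIN/END CERTIFICATE marker and both counts match. CR is ignored so files
# exported on Windows pass; a fused marker line or a private key block fails.
check_pem() {
    clean=$(tr -d '\r' < "$1") || return 1
    b=$(printf '%s\n' "$clean" | grep -c -x -e '-----BEGIN CERTIFICATE-----') || true
    e=$(printf '%s\n' "$clean" | grep -c -x -e '-----END CERTIFICATE-----') || true
    d=$(printf '%s\n' "$clean" | grep -c -e '-----') || true
    [ "$b" -gt 0 ] && [ "$b" -eq "$e" ] && [ "$d" -eq $((b + e)) ]
}

# concat_certs OUT IN...: concatenate in the order given, supplying a missing
# final newline in OUT only (inputs are not modified), then validate OUT.
concat_certs() {
    out=$1; shift
    : > "$out" || return 1
    for f in "$@"; do
        check_pem "$f" || { echo "error: $f is not clean PEM" >&2; return 1; }
        cat "$f" >> "$out"
        ends_with_newline "$f" || printf '\n' >> "$out"
    done
    check_pem "$out"
}

# make_sample DIR: constructed placeholder files (not real certificates).
# root.crt deliberately lacks its final newline; end-entity.crt ends in CRLF.
make_sample() {
    printf '%s\n%s\n%s' '-----BEGIN CERTIFICATE-----' 'Uk9PVA==' '-----END CERTIFICATE-----' > "$1/root.crt"
    printf '%s\n%s\n%s\n' '-----BEGIN CERTIFICATE-----' 'SU5U' '-----END CERTIFICATE-----' > "$1/ca_bundle.crt"
    printf '%s\n%s\n%s\r\n' '-----BEGIN CERTIFICATE-----' 'TEVBRg==' '-----END CERTIFICATE-----' > "$1/end-entity.crt"
}

# Demo: a plain cat fuses two marker lines; concat_certs does not.
dir=$(mktemp -d) && make_sample "$dir" || exit 1
cat "$dir/root.crt" "$dir/ca_bundle.crt" "$dir/end-entity.crt" > "$dir/naive.pem"
check_pem "$dir/naive.pem" || echo "plain cat: fused marker line in naive.pem"
concat_certs "$dir/all-certs.pem" "$dir/root.crt" "$dir/ca_bundle.crt" "$dir/end-entity.crt" \
    && echo "all-certs.pem: framing OK"
```

Run check_pem on your real all-certs.pem before the pkcs12 -export step; a failure means at least one input file still needs its trailing newline.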
How to obtain a root certificate
Windows
- Open a certificate with the default program, Crypto Shell Extensions
- Switch to the Certification Path tab
- Double-click on the top certificate (root certificate)
- Another window will pop up. Switch to the Details tab and choose the Copy to File... button
- Choose Next, then choose Base-64 encoded X.509(.CER)
- Enter a file name and choose a destination
- Choose Next, then Finish
The root certificate is now copied to the chosen destination.
Linux
- Read the content of your certificate by executing:
  For base-64 encoded certificates:
  openssl x509 -in {your_certificate}.crt -text -noout
  For certificates in DER format:
  openssl x509 -in {your_certificate}.crt -inform DER -text
- Check the Issuer CN and Subject CN. If they do not match, it means this is an intermediate certificate. In that case, find CA Issuers - URI in the certificate details and download the issuer certificate.
  curl -O {issuer_certificate_uri}
- Repeat steps 1 and 2 with the certificate obtained in the previous step until you find a root certificate.
Get Ubuntu on Windows
You can get access to a plethora of useful tools by installing the Ubuntu app from the Microsoft Store.
In the Start Menu, type “Microsoft Store”, open the store, type “Ubuntu” in the Store’s search box, click the Install button and follow the setup instructions.