Skip to main content
OCLC Support

Configure CONTENTdm with SSL to support HTTPS

Find information about SSL support for custom CONTENtdm URLs.

SSL support for custom CONTENTdm URLs

If you have configured a custom CONTENTdm URL in your institution’s domain, you must take action so it can be configured to work with HTTPS. Without HTTPS support your users will get warnings that your CONTENTdm site is not secure.

To configure your custom CONTENTdm URL for HTTPS, OCLC enters information about your custom CONTENTdm URL’s SSL certificate into its systems. The information about your SSL certificate is carried in a file called the PKCS #12 file.

Your IT staff must generate your PKCS #12 (or .p12 or .pfx) file, because it requires access to your private encryption keys and your SSL certificate files. The organization from which you purchased an SSL certificate typically will provide tools to generate a PKCS #12 file for sharing.


  • OCLC cannot procure or purchase an SSL certificate for a custom CONTENTdm URL in your institution’s domain.
  • OCLC cannot generate this PKCS #12 file for you. Some websites suggest that you must generate the PKCS #12 file on the machine where you will install it. This is not true. The PKCS #12 file can be prepared on any machine or operating system.
  • Do not send any files to OCLC besides your PKCS #12 file. Sending anyone your private key file or other associated SSL certificate files is a grave security risk for your institution.
  • Do not send a Certificate Signing Request (CSR) to OCLC or ask OCLC staff to generate a CSR for you. OCLC does not provide CSR services. Like the PKCS #12, a CSR does not need to be generated on the web server that runs CONTENTdm.
  • CONTENTdm runs on an Apache server.

Or you may want to take the easy path described in Custom CONTENTdm URLs.

Your IT staff can generate a PKCS #12 file using the OpenSSL command on any machine that has access to your private keys. For a hypothetical CONTENTdm site domain,, the command line options to generate the corresponding PKCS #12 file are:

openssl pkcs12 -export -out mycert.p12 -inkey hawkinspkey.pem -in
digitalhawkinscert.pem -certfile intermediatecert.pem

In the above example, mycert.p12 is the file name of the encrypted PKCS #12 file. Your PKCS #12 file is the only thing that you should send to OCLC.

The other files used in this command are:

  • hawkinspkey.pem: the private key file
  • digitalhawkinscert.pem: the domain certificate file
  • intermediatecert.pem: the certificate file that associates the domain certificate to the root certificate authority (CA)

Frequent areas of difficulty with SSL certificate creation and management include accessing the private key and generating the CSR, since it references the private key. Either your SSL provider will give you a private key, or you can generate your own private key file. Always protect outside access to your private key. As long as the private key used in your CSR matches the private key used when the SSL and intermediate certificates are generated, and then everything should work. Your SSL provider may give you an online tool to generate the CSR and private key, or you can use OpenSSL to generate one. The OpenSSL command to create a CSR would look like this:

openssl req -nodes -newkey rsa:2048 -sha256 -keyout example.key -out example.csr

If your SSL provider gives you individual .crt or .pem files or a package file like .p7b (PKCS #7), you have some of the individual component pieces of the PKCS #12 package.

Once you get your p12/pfx file, test it from the openssl to verify it is able to be opened before submitting it to Support:

openssl pkcs12 -info -in mycert.p12

Also, if your p12/pfx file requires a password to open, please provide the password to Support in addition to your p12/pfx file.

 Note: Be certain to track the expiration date of your SSL certificate. When the certificate is about to expire, you will need to repeat the certificate generation process and send a new PKCS #12 file to OCLC to continue access to your CONTENTdm site.

Please start the process of preparing the new PKCS#12 file early, at least a month before the expiration date. Submit your new PKCS#12 file to OCLC Support no later than 2 weeks before the expiration date. Otherwise, you risk losing secure access to your website.

Or you may want to take the easy path described in Custom CONTENTdm URLs.

Once you have created your SSL certificate, follow the instructions described in Advanced: Use a URL in your institution’s domain to complete the process.