Skip to main content
OCLC Support

Configure CONTENTdm domain with SSL to support HTTPS

All CONTENTdm websites are assigned a domain name automatically when they are created. These domains include built-in support for HTTPS included in your CONTENTdm subscription. 

You can also choose a custom subdomain at *.contentdm.oclc.org. For example:

https://sandbox.contentdm.oclc.org/digital/

This gives you an easy way to have a customized domain that supports HTTPS without also having to purchase and manage an SSL certificate.  If you would like to choose a custom subdomain at *.contentdm.oclc.org, please contact OCLC Support.

Configuring SSL with your institution domain

If you have configured a custom institution domain with your CONTENTdm website, you may also want to set it up to work with HTTPS. 

For this to be possible, OCLC needs to install the SSL certificate corresponding to your domain and deploy some network changes to enable this functionality. Once this process is complete, all HTTPS requests to your CONTENTdm website will be classified as secure in all web browsers.

 The SSL process assumes that you have already set up your institution domain and acquired the corresponding SSL certificate. OCLC's network administrators need to get a PKCS #12 file from you that corresponds to the domain you have chosen for your CONTENTdm website. The PKCS #12 (or .p12 or .pfx) file must be generated by the certificate owner because it requires access to your private encryption keys and your cert files. SSL certificate providers often provide tools to make the packaging and encryption of your private keys and certificates easier.

Please note all of the following restrictions:

  • OCLC cannot procure or purchase an SSL certificate for your custom non-oclc.org domain.
  • OCLC staff will not generate this PKCS #12 file for you. The PKCS #12 package can be prepared on any machine or operating system. It does not need to be created on the machine where CONTENTdm is being hosted.
  • Do not send your private key file or the other associated intermediate certificate files to OCLC. 
  • Do not send your CSR to OCLC or ask OCLC staff to generate a CSR for you. OCLC will not generate the CSR. CSRs do not need to be generated on the web server that runs CONTENTdm (contrary to some advice you may read or hear elsewhere).

If you are unable to comply with any of the above restrictions, you are strongly encouraged to choose a customized domain at *.contentdm.oclc.org and take advantage of OCLC’s support for HTTPS included in your CONTENTdm subscription. See Custom domains for your CONTENTdm site URL.

 You can generate a PKCS #12 file using OpenSSL on any machine that has access to your private keys. For a hypothetical CONTENTdm site domain, digital.hawkins.edu, the command line options to generate the corresponding PKCS #12 file would look something like this:

openssl pkcs12 -export -out mycert.p12 -inkey hawkinspkey.pem -in digitalhawkinscert.pem -certfile intermediatecert.pem

In the above example, hawkinspkey.pem is your private key file, digitalhawkinscert.pem is the domain certificate file, and intermediatecert.pem is the certificate file that ties the domain cert to the root certificate authority (CA). The mycert.p12 file is the file name of the encrypted PKCS #12 package that is generated and is the only thing that should be sent to OCLC. 

A frequent sticking point with SSL certificate creation and management is access to the private key and how to generate the CSR, since it references the private key. You will either be given a private key by your SSL provider or you can generate your own private key file. Always protect outside access to your private key. As long as the private key used in your CSR matches the private key used when the SSL and intermediate certs are generated, then everything should work. Your SSL provider may give you an online tool to generate the CSR and private key, or you can use OpenSSL to generate one. The OpenSSL command to create a CSR would look something like this: 

openssl req -nodes -newkey rsa:2048 -sha256 -keyout example.key -out example.csr

If your SSL provider gives you individual .crt or .pem files or a package file like .p7b (PKCS #7), you have some of the individual component pieces of the PKCS #12 package. A good summary of the various SSL components can be found at https://knowledge.digicert.com/gener.../INFO4448.html
 
Also consider the expiration date of your SSL certificate. When the certificate expires, this certificate generation process will need to be repeated: Create a new.p12 file, transfer the file to OCLC, OCLC installs the cert to the data center. Please make sure that your certificate does not expire within one year of the date that you provide OCLC with your PKCS #12 file. We will not update these certificates more frequently than once per year. You will also need to track your expiration date and provide us with the updated PKCS #12 file at the appropriate time. Allow for a few weeks to transfer the updated certificate file and schedule its installation. If you are concerned about the overhead tracking your SSL renewals and regenerating PKCS #12 packages, you are strongly encouraged to choose a customized domain at *.contentdm.oclc.org and take advantage of OCLC’s support for HTTPS included in your CONTENTdm subscription. See Custom domains for your CONTENTdm site URL.
 
Once you have generated your certificate file, contact OCLC Support to transfer the file securely to OCLC. If you have your own secure file transfer service at your institution we can use your service, or we can provide you with SFTP credentials or other means to send us the file.
 
Note that sites who want SSL for custom domains will either need to create a dedicated domain for their CONTENTdm site (e.g. hawkinsdigital.org) or a third-level domain (e.g. digital.hawkins.edu) from the main top-level domain (TLD). This is because OCLC cannot host the SSL for your entire institution or campus domain, only the single domain name assigned to the CONTENTdm site in DNS. 

If there are internal reasons at your institution that the PKCS #12 file cannot be generated for a third-level domain that is assigned to your CONTENTdm site, then the only other option would be to register a new, wholly separate domain for the CONTENTdm site and generate a PKCS #12 cert for that URL, or choose a customized domain at *.contentdm.oclc.org.

SSL support for the CONTENTdm version 6.x website

We do not support HTTPS for the legacy 6.x website. There are several code changes and internal libraries that need to be updated to work with modern SSL standards and we are no longer making improvements to version 6.x.

  • Was this article helpful?