The Adobe-managed certificate program is the recommended process for setting up first-party certificates needed for a CNAME implementation. The program is fully automated once configured. It renews certificates in a timely manner so that there is no impact to data collection due to expired certificates. The program is free for your first 100 CNAMEs.
If you currently manage your own certificates, you are responsible for purchasing, maintaining, and providing a certificate to Adobe for first-party cookie use. You can contact Adobe Customer Care to discuss migrating to the Adobe-managed certificate program.
Follow these steps to implement a new certificate for first-party data collection:
1. Download and fill out the First-party domain request form.
2. Open a ticket with Adobe Customer Care requesting to set up first-party data collection on the Adobe-managed certificate program.
3. Upon receiving the ticket, the Adobe representative provides you with a CNAME record. These records must be configured on your company’s DNS server before Adobe can purchase the certificate on your behalf. For example, the hostname data.example.com points to hiodsibxvip01.data.adobedc.net.
4. When the CNAME record is in place on your organization’s servers, Adobe works with DigiCert to purchase and install a certificate on Adobe data collection servers.
Once Adobe has installed the certificate, you can use one of the following methods to validate that it is working.
You can use any browser to validate that a certificate is installed correctly. Type your CNAME with _check as the path into the address bar. For example:
data.example.com/_check
If everything works, the browser shows SUCCESS. If the certificate is not installed correctly, the browser displays a security warning.
curl
Most modern operating systems already have curl installed.
Type the following into the command line:
curl data.example.com/_check
If everything works correctly, the console returns SUCCESS.
You can use the -k flag to disable the security warning to help with troubleshooting. Because -k turns off certificate verification, a SUCCESS returned with -k does not confirm that the certificate is valid.
nslookup
Type the following into the command line:
nslookup data.example.com
If everything works correctly, Adobe’s data collection servers are returned:
Server: hiodsibxvip01.corp.adobe.com
Address: 10.50.112.247
Name: example.com.ssl.d1.sc.omtrdc.net
Addresses: 63.140.37.126
63.140.37.206
63.140.36.51
63.140.36.145
Aliases: smetrics.example.com
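The curl and nslookup checks above can be combined into one script. This is an added example, not Adobe tooling: it goes slightly beyond the page by accepting both nslookup output layouts and by calling curl with an explicit https:// scheme, because curl falls back to plain HTTP when no scheme is given and then never exercises the certificate. The adobedc.net and omtrdc.net suffixes are assumptions taken from the hostnames in this page's examples, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example, not Adobe tooling. Hostnames and the adobedc.net / omtrdc.net
# suffixes come from this page's examples; substitute the values Adobe gave you.
# Live run: sh check.sh data.example.com

# Print the canonical name found in nslookup output on stdin (Windows or Unix layout).
canonical_name() {
    awk '/canonical name =/ { c = $NF }
         $1 == "Name:"       { c = $2; exit }
         END { sub(/\.$/, "", c); print tolower(c) }'
}

# Succeed if $1 equals, or is a subdomain of, any of the remaining arguments.
under_suffix() {
    name=$1; shift
    for suffix in "$@"; do
        case "$name" in "$suffix" | *."$suffix") return 0 ;; esac
    done
    return 1
}

# verdict HOST NSLOOKUP_OUTPUT CHECK_BODY
# Prints OK, NO_CNAME, NOT_ADOBE:<name> or CHECK_FAILED.
verdict() {
    host=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    cname=$(printf '%s\n' "$2" | canonical_name)
    if [ -z "$cname" ] || [ "$cname" = "$host" ]; then echo NO_CNAME; return; fi
    under_suffix "$cname" adobedc.net omtrdc.net || { echo "NOT_ADOBE:$cname"; return; }
    [ "$(printf '%s' "$3" | tr -d '[:space:]')" = SUCCESS ] || { echo CHECK_FAILED; return; }
    echo OK
}

# Constructed sample in the Unix nslookup layout, used when no hostname is given.
SAMPLE='Non-authoritative answer:
data.example.com canonical name = hiodsibxvip01.data.adobedc.net.
Name: hiodsibxvip01.data.adobedc.net
Address: 63.140.37.126'

if [ "$#" -ge 1 ]; then
    # Explicit https:// and no -k: an invalid certificate makes curl fail here.
    body=$(curl --silent --max-time 10 "https://$1/_check") || body=
    verdict "$1" "$(nslookup "$1")" "$body"
else
    verdict data.example.com "$SAMPLE" SUCCESS
fi
```

A NO_CNAME or NOT_ADOBE result is the condition under which, per the renewal rules on this page, Adobe cannot renew the certificate, so it is worth running this on a schedule.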
Once you have validated that your certificate works correctly, you can update your Adobe implementation to use these values.
trackingServer configuration variable. If you have an existing implementation, see Visitor migration for additional steps on how to prevent existing visitors from being counted as new visitors.
edgeDomain property within the configure command.
Thirty days before your first-party certificate expires, Adobe validates whether the CNAME is still valid and in use. If so, Adobe assumes that you want to continue using the service, and automatically renews the certificate on your behalf.
If your organization’s CNAME record is removed or no longer maps to the provided Adobe secure hostname, Adobe cannot renew the certificate. The entry in Adobe’s system is marked for removal without further communication.
Yes. The Adobe-managed certificate program is more secure than your organization providing Adobe with a certificate. No certificate or private key changes hands outside of Adobe and the issuing certificate authority.
The certificate can only be purchased when you have pointed the specified hostname to an Adobe-owned hostname. You essentially delegate this hostname to Adobe and allow Adobe to purchase the certificate on your behalf.
Yes. As the owner of the domain, you are entitled to request that the certificate be revoked. Contact Adobe Customer Care to start this process.
Adobe works with DigiCert to issue an SHA-2 certificate.
No. Adobe offers this service to all Adobe Experience Cloud customers at no additional cost.
Adobe offers two cipher security levels to meet varying customer needs for security on first-party data collection. These levels determine which encryption algorithms are supported for HTTPS connections with Adobe servers. Adobe regularly reviews and updates the set of supported algorithms based on current security practices. If you would like to change your cipher security settings, contact Customer Care.
The following clients are known to be unable to connect with cipher security set to High:
Adobe supports both RSA and ECC certificate types to meet varying customer needs. RSA certificates are more widely supported for clients, but ECC certificates use less processing on both the server and client side. For Adobe-managed certificates, both RSA and ECC are provided. For customer-managed certificates, RSA is required and ECC is recommended. Modern clients support both RSA and ECC. The following clients typically only support RSA certificates: