How to secure SaaS custom domain names

How to secure SaaS custom domain names

SSL for SaaS (BrandSSL)


4 min read

This is a guide on how BrandSSL can help companies set up fully-secured custom domain names for SaaS or e-commerce customers, without handling certificates or requiring any integration with external APIs.

The custom domain name problem in SaaS and E-commerce

A common problem for SaaS companies that provide B2B services is the offering of white-labeling with secured custom domain names for their customers. This problem also affects e-commerce companies that rely on white-labeled affiliates to sell their products through branded websites that they do not control.

In practice, this often looks like this:

  • Helppy is a SaaS company looking to provide helpdesk software to help customers support their customers

  • Vira is a client of Helppy

  • Vira wants to offer Helppy's helpdesk to it's customers via a custom domain at

Until recently, this solution was straightforward - Vira Company could just point a CNAME record for 'helpdesk' at Helppy's servers.

However, with the widespread requirement for secured, encrypted HTTPS connections, simply pointing a CNAME record is not enough - a certificate needs to be issued to protect the traffic running through to Helppy's server.

Until today Helppy's best bet was to ask Vira to CNAME over to their infrastructure, have Vira generate a private key and certificate signing request (CSR), send the latter to a CA for signing, and then securely provide Vira with the key material (and again upon renewal).

This is a problem for Helppy - there could be thousands of customers like Vira Company, and provisioning and handling of so many SSL certificates presents technical complexity, and the burden of maintenance is high—either for Helppy's customers or their engineering and support teams.

After facing this issue ourselves in several businesses, we decided a better solution could be offered - in this post, we'll be going over exactly how SaaS, e-commerce, helpdesks, and other B2B products could offer secured custom domain names to their customers through BrandSSL.

How BrandSSL works

BrandSSL is a globally distributed reverse proxy through which data to and from a website passes between the server and the customer's computer.

BrandSSL manages the entire SSL lifecycle for securing your customer's vanity domain name. A typical request to a website will pass through several 'tunnels' of this type, but BrandSSL is equipped with detection for insecure traffic, and scripts that run to automatically secure the traffic once it is detected. This functionality better known as "Certificate Provisioning" happens in conjunction with Let's encrypt, the worlds leading solution for SSL certificate issuance and Zero SSL.

Essentially, BrandSSL acts both as a monitor for insecure traffic and, once the traffic is secured, the tunnel through which it flows.

There are currently two modes of "Certificate Provisioning" in BrandSSL, "On Demand" and "API Call".

With BrandSSL's On Demand SSL provisioning, which is the default, every domain name pointed at your unique BrandSSL domain name gets automatically secured in seconds. The alternative being API Call requires you to send a post request with your API key to our server.

If you are keen to learn more about what’s under the hood at BrandSSL, check out our How it Works page for further information.

Setting up BrandSSL for SaaS

To begin using BrandSSL, you'll need to create an account via our signup page at

You'll be asked to select a plan as part of this process. You can find out more about our pricing on our pricing page


Note: If you really don’t want to select a plan to see how BrandSSL works, you can test the system by pointing a CNAME record of any domain at You’ll be able to see how BrandSSL provisions a certificate automatically, which will hopefully give you enough confidence to give the app a shot!

After signing up, you'll need to enter your application endpoint - the address of your app server. This is the end of the BrandSSL tunnel – the address to where traffic needs to be proxied. Note that you shouldn’t enter HTTP or HTTPS on this address.


Finally, you’ll need to enter the host which you’ll be using to point to the BrandSSL server. In our example above, this would be the address that Helppy would provide to Vira Company to point Vira Company’s custom domain at. Think of it as the entrance to the BrandSSL tunnel.


Click ‘Save’ and BrandSSL will validate and complete your setup.

You’re done! You can now have customers point their custom URLs (e.g. at your secure endpoint ( and BrandSSL will secure the connection automatically, proxying traffic onto your app’s endpoint (

Managing Custom URLs with BrandSSL

Once you’re inside, you’ll see that the admin interface offers a list of all of the secured domains attached to your account (screenshot deliberately blurred):

The simple BrandSSL management interface.

From the management screens, you can easily see whether a domain is secured or not, you can also delete any custom domains that you no longer wish to secure, by clicking the disable button.

You can further customize your app by adding custom headers, changing the on-demand settings, and retrieving your API key.