Some accounts can have their own certificate installed for Helpjuice. This is needed when they use a CNAME and need their Knowledge Base to be secured by an HTTPS certificate.
To set up a certificate for an account, we need to access (or ask the client to access) hissubdomain.helpjuice.com/admin/settings/https.
Once on that page, all that needs to be done is to fill in the custom domain the client uses (if it's not already there), the certificate file and the private key file. The certificate file must contain the issuer's certificate chain so that the browser does not generate a warning when someone tries to access the Knowledge Base.
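A pre-upload check for the two files this page asks for, added here as an example (it is not Helpjuice's own code): it confirms the bundle carries an issuer certificate after the leaf, that the private key matches the leaf, and that the leaf covers the custom domain. The function name, return codes and the domain kb.example.test are assumptions, as is leaf-first ordering in the bundle, which is the order Nginx expects.

```shell
#!/bin/sh
# Added example: pre-upload check of a certificate bundle and private key.
# check_bundle <domain> <bundle.pem> <key.pem>
# Returns: 0 ok | 1 no issuer chain in bundle | 2 second cert is not the
#          leaf's issuer | 3 key does not match leaf | 4 leaf not valid for domain
check_bundle() {
    domain=$1; bundle=$2; key=$3

    # 1. Leaf plus at least one issuer certificate must be present.
    n=$(grep -c -- '-----BEGIN CERTIFICATE-----' "$bundle" || true)
    [ "${n:-0}" -ge 2 ] || return 1

    # 2. The second certificate's subject must be the leaf's issuer
    #    (openssl x509 reads only the first certificate of its input).
    leaf_issuer=$(openssl x509 -in "$bundle" -noout -issuer | sed 's/^[a-z]*= *//')
    next_subject=$(awk '/-----BEGIN CERTIFICATE-----/{i++} i==2' "$bundle" |
        openssl x509 -noout -subject | sed 's/^[a-z]*= *//')
    [ -n "$leaf_issuer" ] && [ "$leaf_issuer" = "$next_subject" ] || return 2

    # 3. The private key must belong to the leaf: compare public-key digests.
    cert_pub=$(openssl x509 -in "$bundle" -noout -pubkey |
        openssl pkey -pubin -outform DER | openssl dgst -sha256)
    key_pub=$(openssl pkey -in "$key" -pubout -outform DER | openssl dgst -sha256)
    [ "$cert_pub" = "$key_pub" ] || return 3

    # 4. The leaf must cover the custom domain (SAN, or CN when no SAN exists).
    openssl x509 -in "$bundle" -noout -checkhost "$domain" |
        grep -q 'does match' || return 4
    return 0
}

# Stand-alone use: sh check_bundle.sh kb.example.test bundle.pem key.pem
if [ "$#" -eq 3 ]; then check_bundle "$@"; fi
```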
How does it work?
A certificate is a sensitive file and must be kept safe. To do so, we have our own isolated server that hosts our clients' certificates. When we submit a new file, Helpjuice establishes a secure connection with that server, uploads the certificate and closes the connection. Once there, the file is moved to another directory (which Helpjuice can no longer access) and served from there. Therefore, there's no way for Helpjuice to retrieve a file once it's uploaded.
When a user successfully submits a certificate with a private key, Helpjuice will change its DNS record to point to our certificate server instead of Helpjuice's server. This certificate server, currently with IP 22.214.171.124, will then receive requests for this customer, forward each request to Helpjuice, get the response, and wrap it with the customer's custom certificate before sending the final response to the requester.
The Certificates Server
Helpjuice puts files onto this certificate server via SCP. The folder is "/home/certoyer/certs". Every certificate copied into this folder will be picked up by a script we have running there. This script will move the files once again into their final destination: "/share/front/certs/". If you look at this folder, you'll notice each CNAME gets its own folder to hold the certificate chain and the private key. Once a new certificate is in there, our script will update Nginx's configuration to include it and reload Nginx.