Set up a CNAME and Acquire a TLS Certificate

As an IT administrator, perform the following steps to set up a CNAME and acquire a TLS certificate for your white-labeled domain:

  1. Define a CNAME record to the new white-labeled domain to <customer>.{na|ca|eu}
    Apply this DNS change within your domain.
    For example, if your white-labeled domain should be accessible from and you are using a US datacenter, create a CNAME to point from that destination to For the EU-UK London datacenter, use
    For more information, see GoodData Datacenters and IP Whitelisting.
  2. Decide how you want to manage TLS certificates. Choose from the following options:
    • You let GoodData manage the certificates using Let's Encrypt.
      GoodData uses Let's Encrypt to generate a certificate for you, check its validity period, and generate a new certificate when the current one is approaching its expiration date. The whole process is done at GoodData's side and does not require any action from you.
      To let GoodData manage the certificates, contact GoodData Support. In your request, include the confirmation of CNAME creation.
    • You manage the certificates yourself.
      To do so:
      1. Generate a Certificate Signing Request (CSR) file. This file is required as a part of the request to a certificate authority for issuing a TLS certificate.
      2. Acquire a TLS certificate for the new domain.
        • The certificate must be in PKCS12 format (preferred).
        • The certificate must contain both public and private components.
        • Common Name (CN) of the certificate must be the new white-labeled domain (for example,
        It is your responsibility to acquire the CSR file, private key, and certificate. Because GoodData cannot acquire or generate these assets for you, we suggest that you use publicly available knowledge resources. For example, searching the Internet for "Key and CSR Generation Instructions" yields sufficient results. If you still need help, contact GoodData Support.
      3. Send the following items to GoodData Support:
        • Confirmation of CNAME creation
        • Both the certificate and the corresponding private key in PKCS12 or PEM format (preferred), in an encrypted form

          We strongly recommend that you encrypt both the public and the private components. The private key contains sensitive information, which an unauthorized person can use to impersonate the server identity. To encrypt, you can use the GoodData PGP key or another encryption method available on your side.
          For the guidelines on how to encrypt a document using PGP, see the GNU Privacy Handbook.

Powered by Atlassian Confluence and Scroll Viewport.