Product Notice: Eloqua's Automated Certificate Management – Controlled Availability [June 2022]
With the ongoing changes from browsers and ISPs (internet service providers), it’s becoming increasing important to secure all domains to properly support content rendering and deliverability.
In an effort to help our customers be secure by default, Eloqua has introduced Automated Certificate Management in controlled availability (CA) with the arrival of the 22B release. When enabled, Eloqua will provision and renew SSL Domain Validation (DV) certificates for unsecure domains. There is no additional cost for this feature, however you may be required to have your IT team make changes to your existing domain configuration to take advantage of these complimentary security enhancements.
Eloqua highly recommends that you enable the automated certificate management feature to ensure that all your domains are secured and automatically renewed prior to expiry to prevent any downtime related to content rendering.
Oracle Eloqua believes that all customers should be secure by default. As such, our 2022 Eloqua roadmap features privacy and security enhancements that will make it easy for you to adopt best practices, continue to build trust, and ensure your data is automatically secure throughout a visitors’ marketing journey.
While we provide many tools today to ensure you can secure your sites, starting with the Eloqua 22B release, we have introduced changes that will secure all unsecured branded domains along with the introduction of automated provisioning and renewal of SSL (Domain Validation) Certificates in Controlled Availability (CA). This will apply to all new branded domains and any existing unsecured branded domains.
There is no cost to take advantage of these enhancements, and customers will no longer have to worry about going through the process of purchasing, managing, and renewing their SSL certificates.
Once enabled for your Eloqua environment, any existing unsecured branded domains would be secured with an Eloqua owned DV SSL certificate.
Note: At this time only POD 6 and 7 customers can request to be part of the CA Program. POD 3&4 customers will be able to take part in CA as of 23A (Feb), with POD 1&2 coming mid 2023.
In most cases, there will be one SAN certificate for all image domains in a specific Eloqua site and one SAN certificate for all application, tracking and microsite domains in a specific Eloqua site. Once a domain is secured, it will be visible in the certificate management screen and an email notification will be sent to all customer admin users in that specific site.
Eloqua will automatically renew any Eloqua owned certificates prior to expiry. The updated certificate and expiry date will be displayed in certificate management screen within Eloqua.
When automated certificate management is enabled for a microsite:
- Subdomains created in microsites will not be available for selection in landing pages (settings -> preview domains drop down) until they are secured.
- Microsites with no valid secure domains will not be available for selection in landing pages (settings -> microsite drop down).
Some customers may need to work with their IT team to change some of their domain configurations to take advantage of this new feature. Our Oracle Cloud Support team can provide you with details on any configuration changes you need to make when you open an SR to request your access.
Can I bring my own certificate?
Yes, you can still bring your own certificate if required by your organization, the existing process will be followed to implement your own certificate.
If automated certificate management is enabled for your site and a certificate that you own is due to expire, Eloqua will automatically start to secure the domain for you approximately 20 days prior to expiry. This will prevent any downtime in content rendering due to an expired certificate that your company owns. Note: This does not apply to wildcard certificates. Please contact Support prior to expiry, if you would like Eloqua to secure any domain(s) that are currently secured with a wildcard certificate.
Timeline and How to Request Access
- POD 6 / 7 Customers: After the arrival of the 22B Eloqua release (May/June 2022), the automated certificate management feature will be implemented for phase 1 of CA(controlled availability) which includes POD 6 and 7 customers. To request it be enabled, please file an SR with Oracle Cloud Support.
- POD 3 / 4 Customers: Available in CA as of 23A (Feb 2023)
- POD 1 / 2 / 8 Customers: Coming soon - stay tuned as you’ll be able to request access in mid-2023. More information will be provided.
If you have questions on what is required to enable the automated certification management for your site(s), please contact Support.
POD 6 and 7 customers are encouraged to file an SR to request the feature and work with your IT team to make any necessary changes to your domain configurations as recommended by Support.
-- POD 3 / 4 customers - you can request access of 23A (Feb 2023)
-- POD 1 / 2 / 8 customers - Coming soon - stay tuned as you’ll be able to request access in mid-2023. More information will be provided.
- View details for Automated Certificate Management in Eloqua's Help Center
- On-demand Overview: Automated Certificate Management
- Determining your POD number for Oracle Eloqua
Q: Are the Eloqua owned SAN certificates specific to my Eloqua site?
A: Yes. Every Eloqua site will have their own SAN certificates for image domains and for application, tracking and microsite domains. Certificates are not shared across Eloqua sites, even if your company has multiple Eloqua sites.
Q: Is there an additional cost or add-on sku for this feature?
A: No, there is no additional cost or add-on sku. This feature will be CA (controlled availability) and could require you to work with your IT team to make changes to your domain configuration (E.g. update ARecord, CNAME, etc.). Contact Support to request this feature.
Q: Do I need to do anything when an Eloqua certificate is due to expiry?
A: No, Eloqua will automatically renew the certificate prior to expiry and you do not need to take any action.
Q: How do I know if this feature is enabled for my Eloqua site?
A: You can tell if Automated Certificate Management is enabled for your Eloqua environment by navigating to the certificate management screen and check if it shows as ‘Enabled’ or ‘Not Enabled’.
Q: Why don’t I see my new domains listed in Certificate Management?
A: New domains are normally secured within 15 minutes, but can take up to 24hrs to display in Certificate Management. You can validate that your domain is secured at https://www.sslshopper.com/ssl-checker.html#hostname.
Q: What happens when I add additional domains?
A: If the feature is enabled and existing domains are secured by Eloqua, when additional domains are added, a new certificate will be provisioned for all domains.
- If additional image domains are added, one new SAN certificate will be provisioned for all existing and new image domains, with an updated expiry date.
- If additional application, tracking or microsite domains are added, one new SAN certificate will be provisioned for all existing and new application, tracking and microsite domains with an update expiry date.
Q: If I do not want to renew an existing certificate that my company owns and let Eloqua secure my domains, do I need to do anything?
A: No. If the feature is enabled, you can allow your existing certificate to expire and Eloqua will automatically secure the domain(s) approximately 20 days prior to expiry. This does not apply to wildcard certificates. Please contact Support prior to expiry, if you would like Eloqua to secure any domain(s) that are currently secured with a wildcard certificate.
Q: What is the benefit of allowing Eloqua to secure my domains?
A: If the feature is enabled, you will not need to purchase SSL certificates, you will not need to worry about SSL certificate renewal or downtime due to expired SSL certificates.
Q: Do I need to take any action on any external content that is hosted on Eloqua landing pages?
A: Yes. You should start the process immediately to secure any external content. Any external content that is still unsecure after Eloqua secures your domains and microsites, will not render properly. You can secure this content now and it will continue to render on unsecure landing pages.
Q: What is Certification Authority Authorization (CAA)?
A: Domain Name Servers (DNS) use Certification Authority Authorization (CAA) as a means of identifying which Certification Authorities are authorized to issue a certificate for that domain. As a means of providing an additional layer of control to the DNS owner, CAA gives DNS owners the ability to determine which Certification Authorities (CA) are authorized to issue certificates on behalf of that domain name by configuring their DNS CAA record.
Q: Do I need a CAA record for Eloqua to manage certificates?
A: No, the CAA record is not mandatory to be listed within your DNS record. CAs are only required to check to see if there is a CAA record and if you have permitted the CA to issue for the fully qualified domain name (FQDN) in question. If you do not list a CAA Record, all CA’s will be able to issue certificates for the FQDN. Supporting CAA within your DNS records is up to you and your organization, it is not mandatory.
Q: What if my company already has a CAA record for any domain or root domain?
A: If your company has CAA records for any domain or root domain, you will need to work with your IT team to add letsencrypt.org to the CAA record, to allow Eloqua to secure your domains.
Group Product Manager, CX - Marketing: Eloqua
Hi @JodyMooney-Oracle , if the customer is using their Eloqua instance across multiple brands will this feature still work and Oracle shall procure the SSL certificates for all the multiple brands?
hi @Prithvi vallabha B H , yes we will. If the feature is enabled and the domain configurations pass validation, we will secure all domains in that Eloqua instance (including multiple brands).
That's good then! Thanks @Scott R. Lang -Oracle :-)
Stephanie.S Posts: 10 Red Ribbon
@Scott R. Lang -Oracle @JodyMooney-Oracle Any estimate on when this year it will be in controlled availability for Pod 2?
Also, for this feature do we need to do anything to our existing unsecured landing pages, such as deactivate them or move content while the domain gets secured, or can they stay as is?Post edited by Stephanie.S on
No specific dates to share with you yet. In preparation for when it is enabled, you'll want to ensure any external content on those pages is secure. No need to deactivate pages etc though.
Group Product Manager, CX - Marketing: Eloqua
@Scott R. Lang -Oracle @JodyMooney-Oracle if customer wants to implement additional brands, do they need to procure SSL certificates for those brands or as per the new release Eloqua is going to provide SSL certificates for all brands?
@D_Biswajit-Oracle , If the instance has Automated Certificate Management enabled, the do not need to procure SSL certificates for additional brands. Eloqua will secure the domains for the brands after they have been created in their instance.
@Scott R. Lang -Oracle Understood. But am I correct that only pods 6 & 7 are currently even eligible to have the Automated Certificate Management enabled?
@D_Biswajit-Oracle , CA is currently only open to PODs 6 & 7. However, the feature is supported in all PODs, and if the feature is enabled for an instance (regardless of the POD), the functionality is supported.
Hi, is there an update on when Automated Certificate Management will be enabled for Pods 1 and 4?
After going through weeks of support ticket back and forth to enable a new SSL Cert, I CERTainly (like that?) hope that Pod 1 is enabled soon and we never have to deal with this again! Especially with Chrome cracking down and not loading http at all.
The CA program for Automated Certificate Management will open to PODs 3 & 4 with the 23A release. PODs 1 & 2 are still TBD.
With the 23A release, we will also be adding a 2nd tab to the certificate management screen (Settings->Certificate Management). The Secure Domain tab will display details on existing secured domains and SSL certificates, including if the certificate is owned by Eloqua, which are provisioned as part of Automated Certificate Management feature. The DNS Configuration tab (new tab) will display details for the DNS (Domain Name System) for each domain, it will also provide recommendations on any required configuration changes to ensure that the domain can be secured by Eloqua. This will help customers to work with their IT team on any required DNS updates prior to requesting the feature.
Any update if this will be included for PODs 1&2 in the next release, or sooner?