Product Notice: Eloqua's Automated Certificate Management – Controlled Availability [June 2022]

Overview

With the ongoing changes from browsers and ISPs (internet service providers), it’s becoming increasing important to secure all domains to properly support content rendering and deliverability.

In an effort to help our customers be secure by default, Eloqua has introduced Automated Certificate Management in controlled availability (CA) with the arrival of the 22B release. When enabled, Eloqua will provision and renew SSL Domain Validation (DV) certificates for unsecure domains. There is no additional cost for this feature, however you may be required to have your IT team make changes to your existing domain configuration to take advantage of these complimentary security enhancements.

Eloqua highly recommends that you enable the automated certificate management feature to ensure that all your domains are secured and automatically renewed prior to expiry to prevent any downtime related to content rendering.

What’s changing?

Oracle Eloqua believes that all customers should be secure by default. As such, our 2022 Eloqua roadmap features privacy and security enhancements that will make it easy for you to adopt best practices, continue to build trust, and ensure your data is automatically secure throughout a visitors’ marketing journey.

While we provide many tools today to ensure you can secure your sites, starting with the Eloqua 22B release, we have introduced changes that will secure all unsecured branded domains along with the introduction of automated provisioning and renewal of SSL (Domain Validation) Certificates in Controlled Availability (CA). This will apply to all new branded domains and any existing unsecured branded domains.

There is no cost to take advantage of these enhancements, and customers will no longer have to worry about going through the process of purchasing, managing, and renewing their SSL certificates.

Once enabled for your Eloqua environment, any existing unsecured branded domains would be secured with an Eloqua owned DV SSL certificate.

In most cases, there will be one SAN certificate for all image domains in a specific Eloqua site and one SAN certificate for all application, tracking and microsite domains in a specific Eloqua site. Once a domain is secured, it will be visible in the certificate management screen and an email notification will be sent to all customer admin users in that specific site.

Eloqua will automatically renew any Eloqua owned certificates prior to expiry. The updated certificate and expiry date will be displayed in certificate management screen within Eloqua.  

When automated certificate management is enabled for a microsite:

• Subdomains created in microsites will not be available for selection in landing pages (settings -> preview domains drop down) until they are secured.
• Microsites with no valid secure domains will not be available for selection in landing pages (settings -> microsite drop down).

Some customers may need to work with their IT team to change some of their domain configurations to take advantage of this new feature. Our Oracle Cloud Support team can provide you with details on any configuration changes you need to make when you open an SR to request your access.

Timeline and How to Request Access

• POD 6 / 7 Customers: After the arrival of the 22B Eloqua release (May/June 2022), the automated certificate management feature will be implemented for phase 1 of CA(controlled availability) which includes POD 6 and 7 customers. To request it be enabled, please file an SR with Oracle Cloud Support.
• POD 3 / 4 Customers: Available in CA as of 23A (Feb 2023)
• POD 1 / 2 / 8 Customers: Coming soon - stay tuned as you’ll be able to request access in mid-2023. More information will be provided. 

If you have questions on what is required to enable the automated certification management for your site(s), please contact Support.

Next Steps

POD 6 and 7 customers are encouraged to file an SR to request the feature and work with your IT team to make any necessary changes to your domain configurations as recommended by Support.

Additional Resources

• View details for Automated Certificate Management in Eloqua's Help Center
• On-demand Overview: Automated Certificate Management
• Determining your POD number for Oracle Eloqua

FAQ

Q: Are the Eloqua owned SAN certificates specific to my Eloqua site?

A: Yes. Every Eloqua site will have their own SAN certificates for image domains and for application, tracking and microsite domains. Certificates are not shared across Eloqua sites, even if your company has multiple Eloqua sites.

Q: Is there an additional cost or add-on sku for this feature?

A: No, there is no additional cost or add-on sku. This feature will be CA (controlled availability) and could require you to work with your IT team to make changes to your domain configuration (E.g. update ARecord, CNAME, etc.). Contact Support to request this feature.

Q: Do I need to do anything when an Eloqua certificate is due to expiry?

A: No, Eloqua will automatically renew the certificate prior to expiry and you do not need to take any action.

Q: How do I know if this feature is enabled for my Eloqua site?

A: You can tell if Automated Certificate Management is enabled for your Eloqua environment by navigating to the certificate management screen and check if it shows as ‘Enabled’ or ‘Not Enabled’.

Q: Why don’t I see my new domains listed in Certificate Management?

A: New domains are normally secured within 15 minutes, but can take up to 24hrs to display in Certificate Management. You can validate that your domain is secured at https://www.sslshopper.com/ssl-checker.html#hostname.

Q: What happens when I add additional domains?

A: If the feature is enabled and existing domains are secured by Eloqua, when additional domains are added, a new certificate will be provisioned for all domains.

• If additional image domains are added, one new SAN certificate will be provisioned for all existing and new image domains, with an updated expiry date.
• If additional application, tracking or microsite domains are added, one new SAN certificate will be provisioned for all existing and new application, tracking and microsite domains with an update expiry date.

Q: If I do not want to renew an existing certificate that my company owns and let Eloqua secure my domains, do I need to do anything?

A: No. If the feature is enabled, you can allow your existing certificate to expire and Eloqua will automatically secure the domain(s) approximately 20 days prior to expiry. This does not apply to wildcard certificates. Please contact Support prior to expiry, if you would like Eloqua to secure any domain(s) that are currently secured with a wildcard certificate.

Q: What is the benefit of allowing Eloqua to secure my domains?

A: If the feature is enabled, you will not need to purchase SSL certificates, you will not need to worry about SSL certificate renewal or downtime due to expired SSL certificates.

Q: Do I need to take any action on any external content that is hosted on Eloqua landing pages?

A: Yes. You should start the process immediately to secure any external content. Any external content that is still unsecure after Eloqua secures your domains and microsites, will not render properly. You can secure this content now and it will continue to render on unsecure landing pages.

Q: What is Certification Authority Authorization (CAA)?

A: Domain Name Servers (DNS) use Certification Authority Authorization (CAA) as a means of identifying which Certification Authorities are authorized to issue a certificate for that domain. As a means of providing an additional layer of control to the DNS owner, CAA gives DNS owners the ability to determine which Certification Authorities (CA) are authorized to issue certificates on behalf of that domain name by configuring their DNS CAA record.

Q: Do I need a CAA record for Eloqua to manage certificates?

A: No, the CAA record is not mandatory to be listed within your DNS record. CAs are only required to check to see if there is a CAA record and if you have permitted the CA to issue for the fully qualified domain name (FQDN) in question. If you do not list a CAA Record, all CA’s will be able to issue certificates for the FQDN. Supporting CAA within your DNS records is up to you and your organization, it is not mandatory. 

Q: What if my company already has a CAA record for any domain or root domain?

A: If your company has CAA records for any domain or root domain, you will need to work with your IT team to add letsencrypt.org to the CAA record, to allow Eloqua to secure your domains.