Challenge Types

Which challenge type should you use for domains — http01 or dns01? Learn everything about challenge types for domain control verification.

Written by Drago Crnjac
Updated over a week ago

When SaaS Custom Domains issues TLS/SSL certificates for your custom domains, our servers validate that you control the domain names in that certificate using "challenges", as defined by the ACME standard.

Basically, a "challenge" is nothing more than a way to prove ownership of a domain. We won't go into detail about the technical implementation, but if you'd like to know more, please read this article about challenge types by Let's Encrypt.

In SaaS Custom Domains, you can use the HTTP-01 or the DNS-01 challenge. Both have their pros and cons. Let us dig deeper into both to learn which one will work best for you.

HTTP-01 challenge

This is the default and most commonly used challenge when creating a custom domain on our platform. It works by pointing the custom domain to SaaS Custom Domains' servers.

DNS records

The domain is pointed to our servers by creating either a CNAME record or A records with specific values.

For the HTTP-01 challenge, the CNAME you need to create is:

| Type  | Host           | Value                    |
|-------|----------------|--------------------------|
| CNAME | app.domain.com | in.saascustomdomains.com |

The alternative two A records are:

| Type | Host       | Value         |
|------|------------|---------------|
| A    | domain.com | 75.2.96.173   |
| A    | domain.com | 99.83.186.151 |

Usually, you want to use the CNAME record. However, some DNS providers do not allow CNAME records on root domains, so you should create the two alternative A records for those.

If you use Cloudflare or any other DNS service that can proxy traffic through its servers, disable proxying for these DNS records and set them to DNS only.

How to create a domain with the HTTP-01 challenge?

To use the HTTP-01 challenge for a domain, select the HTTP-01 option when creating it.

For the API users, omit the challenge_type field when creating a domain because http01 is the default value. Alternatively, set the challenge_type to http01 explicitly.

Pros & Cons

The benefits of the HTTP-01 challenge are that it's easy to set up and the certificate is issued on-demand when the first request hits the custom domain.

The disadvantage is that you cannot use SaaS Custom Domains Shield, which gives you automatic Cloudflare DDoS protection, WAF, and CDN, making your custom domains secure and super-fast to load.

DNS-01 challenge

This challenge has certain advantages over HTTP-01 but requires creating an additional DNS record. Some argue this makes DNS-01 more complex than HTTP-01, but we don't think so.

DNS records

The domain ownership is proved by creating an extra CNAME record that will look something like this:

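| Type  | Host                       | Value                                                        |
|-------|----------------------------|--------------------------------------------------------------|
| CNAME | _acme-challenge.domain.com | _acme-challenge.domain.com.challenges.saascustomdomains.com |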

This CNAME record will prove the ownership of the domain, but we still have to direct domain.com traffic to SaaS Custom Domains servers. For that, we have to add similar DNS records as for the HTTP-01 challenge.

You can either create a CNAME:

| Type  | Host           | Value                    |
|-------|----------------|--------------------------|
| CNAME | app.domain.com | in.saascustomdomains.com |

Or the alternative two A records:

| Type | Host       | Value         |
|------|------------|---------------|
| A    | domain.com | 75.2.96.173   |
| A    | domain.com | 99.83.186.151 |

But, the great benefit of using the DNS-01 challenge is that you can enable SaaS Custom Domains Shield to make your domains secure and blazingly fast to load.

💡 Tip: Enable SaaS Custom Domains Shield and secure your custom domains with Cloudflare while making them super-fast at the same time!
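To check a domain's records against the values listed above for either challenge type, here is an added example (not SaaS Custom Domains' own code) that validates a DNS snapshot offline. The `records` input shape, the function names and the sample snapshots are assumptions made for illustration, as is the idea that the `_acme-challenge` name always follows the pattern shown in the table.

```python
# Added example: compares a DNS snapshot with the record values in this article.
TRAFFIC_CNAME = "in.saascustomdomains.com"
TRAFFIC_A = {"75.2.96.173", "99.83.186.151"}
CHALLENGE_SUFFIX = ".challenges.saascustomdomains.com"

def norm(name):
    """Lower-case a DNS name and drop the trailing root dot."""
    return name.strip().lower().rstrip(".")

def check_domain(domain, records, challenge_type="http01"):
    """Return a list of problems; an empty list means the records match.
    `records` maps (name, type) -> list of values (hypothetical input shape)."""
    domain = norm(domain)
    recs = {(norm(n), t.upper()): [norm(v) for v in vals]
            for (n, t), vals in records.items()}
    problems = []
    cname = recs.get((domain, "CNAME"), [])
    a_set = set(recs.get((domain, "A"), []))
    if cname:
        if cname != [TRAFFIC_CNAME]:
            problems.append(f"{domain}: CNAME is {cname}, want {TRAFFIC_CNAME}")
    elif a_set:
        if TRAFFIC_A - a_set:
            problems.append(f"{domain}: missing A {sorted(TRAFFIC_A - a_set)}")
        if a_set - TRAFFIC_A:  # typical when a DNS proxy is still enabled
            problems.append(f"{domain}: unexpected A {sorted(a_set - TRAFFIC_A)}")
    else:
        problems.append(f"{domain}: no CNAME or A record found")
    if challenge_type == "dns01":
        # Assumption: the challenge name follows the pattern shown in the article.
        host = "_acme-challenge." + domain
        got = recs.get((host, "CNAME"), [])
        if got != [host + CHALLENGE_SUFFIX]:
            problems.append(f"{host}: CNAME is {got}, want {host + CHALLENGE_SUFFIX}")
    return problems

# Constructed snapshots; 203.0.113.x are documentation addresses.
SAMPLE_HTTP01 = {("app.domain.com.", "CNAME"): ["in.saascustomdomains.com."]}
SAMPLE_DNS01 = {
    ("domain.com", "A"): ["99.83.186.151", "75.2.96.173"],
    ("_acme-challenge.domain.com", "CNAME"):
        ["_acme-challenge.domain.com.challenges.saascustomdomains.com."],
}
SAMPLE_PROXIED = {("domain.com", "A"): ["203.0.113.10", "203.0.113.11"]}

if __name__ == "__main__":
    for label, dom, recs, ctype in [
        ("http01 ok", "app.domain.com", SAMPLE_HTTP01, "http01"),
        ("dns01 ok", "domain.com", SAMPLE_DNS01, "dns01"),
        ("proxied", "domain.com", SAMPLE_PROXIED, "http01"),
    ]:
        print(label, check_domain(dom, recs, ctype) or "OK")
```

The snapshot can be filled from the answers your resolver returns for the domain and its `_acme-challenge` name.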

How to create a domain with the DNS-01 challenge?

To use the DNS-01 challenge for a domain, select the DNS-01 option when creating it.

For the API users, set the challenge_type field when creating a domain to dns01.

Pros & Cons

The benefit of the DNS-01 challenge is that you can enable Shield and have Cloudflare protect your custom domain and application from DDoS attacks while also making it load super fast due to Cloudflare CDN.

The disadvantage is that it requires an additional CNAME record to verify ownership and it may take a few minutes for the Certificate Authority to issue the certificate. This is a bit slower compared to the HTTP-01 challenge where the certificate is issued in a few seconds.

HTTP-01 or DNS-01 — which one is the best for me?

As always in life, there's no free lunch. The right challenge selection depends heavily on what you need.

But the rule of thumb we use is this: to get started quickly, use the HTTP-01 challenge. It's easy to set up, and the certificate is issued in seconds when the first request reaches the custom domain.

Once you're convinced that SaaS Custom Domains is a great fit for you, we'd recommend using the DNS-01 challenge. You get the benefits of Cloudflare DDoS protection and the speed increase from Cloudflare CDN through SaaS Custom Domains Shield. The certificate takes a few minutes to be issued, but that's not a problem as long as you set the expectations correctly with your users.

Until next time, keep building!


Need more help? Reach out via the Intercom chat widget and we'll be right with you!
