Thursday, February 13, 2014

How to Add SSL to Marketo Landing Pages

Adding SSL encryption to Marketo Landing Pages

When we wanted to implement SSL (Secure Sockets Layer) encryption on our Marketo landing pages, I found that there was very little information available.  We needed SSL for a free trial registration and account creation process built on a Marketo landing page.  This blog post will share the details of implementing SSL in Marketo.  I’ll save the discussion about building a trial registration system in Marketo for a future post.

What is SSL and why would you want to implement it on Marketo landing pages? 

At a very high level, SSL on a Marketo landing page enables encryption so the information that a user types into their browser onto a Marketo registration form is secure (from the browser into the form).  In our use case, we built a software free trial registration system integrated with Marketo and Salesforce.com.  We built a highly customized Marketo landing page that let the user register for the free trial and generate a password to activate a software license.  Since the user is creating their own password and entering it onto the Marketo form, the password field must be encrypted from the user’s browser to the Marketo form field.  Consequently, you need to implement SSL on your Marketo instance to secure the password creation process.


There’s very little information available on implementing SSL in Marketo


When we went to research this topic, there was little to no information available in the Marketo community or Google search.  Marketo sent us a PDF document describing their service for implementing SSL, but other than that we had to ask a lot of questions and then go through it ourselves to understand all the details.  We contacted Marketo support and they put us in touch with the Marketo Services team.  Even then, the Marketo Services team only has a high-level understanding of the process and we had to reach back into their organization to find the implementation people that could answer our questions.

Implementing SSL on Marketo

 
At a high level, implementing SSL on Marketo consists of the following:

  1. Purchase the service from Marketo to implement SSL and schedule a date to deploy it
  2. Buy an SSL certificate and give it to Marketo
  3. Update your Marketo landing page templates to prepare for the transition to SSL
  4. Deploy SSL on Marketo and work with your IT department to update your DNS record and TTL value
  5. Fix any Marketo landing page template issues that you might have missed

Marketo says that it will take approximately 2-3 weeks to schedule and complete the process after receiving the SSL certificate from you.  The Marketo team is working in the Pacific Time zone so the window for scheduling the change is during normal business hours Pacific Time.  Marketo says that it takes 30 minutes to complete the process.  Since you probably have a live instance of Marketo, you’ll want to schedule the change at a time when there won’t be significant traffic hitting your Marketo landing pages and give yourself enough time to test and fix any potential issues after the switch is made.  The change is fast, but I would plan for a 2-hour window when traffic to your landing pages is light.  We also set our email marketing schedule to avoid driving traffic to our landing pages on the day of the changeover.  Typically, when we send an email, 98% of the total clicks occur within the first two days of sending the email.  Also, there’s a short availability outage during the transition.  Anyone hitting one of your Marketo landing pages during the transition will be redirected to your fallback page.  Your fallback page is a setting in Marketo that defines the URL that a visitor will be redirected to if Marketo is not available.  So you should check your fallback page setting in Marketo before you deploy.

Our IT department had all sorts of questions about buying the SSL certificate that weren’t covered in the Marketo documentation.  The SSL certificate must be for at least a 2 year term.  Our IT department asked for information on the server that the certificate would be installed on.  Marketo told us that they’re running an Apache load balancing server.  When you switch to SSL you get a dedicated external IP address for your landing pages and there’s a set of IP addresses related to the web servers behind the load balancer.  There isn’t a specific server that the certificate will be installed on.  You just need to buy the certificate and give it to Marketo.  The information that we added on the CSR (Certificate Signing Request) was the common name (CNAME) of our Marketo instance and then all the Org information was our company information.  You’ll also need to give Marketo the private key.

When the switch occurs, you’re on the phone with the Marketo team during the process.  Some of the following detail in this section goes beyond my expertise, but I’ll share what I know.  When you make the switch, the IP address associated with your landing pages changes, and the CNAME target changes from companyname.mktoweb.com to companyname-ssl.mktoweb.com.  Your IT department needs to change the DNS record from the old CNAME to the new SSL CNAME.  Then Marketo will verify if they can see the new DNS values in their network and make final changes to their systems to allow SSL on your landing pages.  During the change, your IT department will need to lower the TTL value for the DNS record associated with your Marketo URL.  Lowering the TTL value shortens how long DNS resolvers cache the record, so the new CNAME spreads across DNS quickly.  If the TTL is set too high (long), then some resolvers might still cache the old CNAME and some visitors might not hit the SSL landing page.  Our IT department was concerned that lowering the TTL value might impact other systems.  It turned out that they were able to lower the TTL value just for the Marketo URL and the changes were deployed very quickly.  After you complete the switch, you can return the TTL value to its previous level.
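
An added example, not part of the original post or Marketo's tooling: a check your IT team could run during the cutover on the answers returned by `dig +noall +answer` from several resolvers, showing which ones still serve the old CNAME and how long that cached record can persist. The hostname `go.example.com`, the resolver labels and the sample answers are constructed.

```python
# Targets named in the post; the landing page hostname below is an assumption.
OLD_TARGET = "companyname.mktoweb.com."
NEW_TARGET = "companyname-ssl.mktoweb.com."

# Constructed sample: one `dig +noall +answer go.example.com CNAME` line per resolver.
SAMPLE_ANSWERS = {
    "authoritative": "go.example.com. 300 IN CNAME companyname-ssl.mktoweb.com.",
    "resolver-a": "go.example.com. 212 IN CNAME companyname-ssl.mktoweb.com.",
    "resolver-b": "go.example.com. 41873 IN CNAME companyname.mktoweb.com.",
}


def parse_answer(line):
    """Return (remaining_ttl_seconds, target) from one CNAME answer line."""
    fields = line.split()
    if len(fields) != 5 or fields[2] != "IN" or fields[3] != "CNAME":
        raise ValueError(f"not a CNAME answer: {line!r}")
    return int(fields[1]), fields[4].lower()


def cutover_status(answers, old=OLD_TARGET, new=NEW_TARGET):
    """Group resolvers by which CNAME they return and bound the stale window."""
    switched, stale, unexpected = [], {}, []
    for resolver, line in answers.items():
        ttl, target = parse_answer(line)
        if target == new:
            switched.append(resolver)
        elif target == old:
            stale[resolver] = ttl  # seconds this resolver may keep the old record
        else:
            unexpected.append(resolver)
    return {
        "switched": sorted(switched),
        "stale": stale,
        "unexpected": sorted(unexpected),
        # Worst case before every cached copy of the old CNAME has expired.
        "max_wait_seconds": max(stale.values(), default=0),
    }


if __name__ == "__main__":
    print(cutover_status(SAMPLE_ANSWERS))
```

In the sample, resolver-b cached the old record before the TTL was lowered, so its visitors can keep reaching the non-SSL target for more than eleven hours.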

Preparing our landing pages for the switch to SSL also required some effort.  In our case, our Marketo landing page templates were designed by our web team to pull the CSS and images from our corporate website.  We have one set of Marketo landing page templates that pull the header, footer, and CSS from our corporate website so these Marketo landing pages look like you’re still on our corporate website.  When you switch your Marketo landing pages to SSL, if you pull any images or CSS from outside of Marketo into your landing page templates, then that will cause a warning message to appear every time someone visits your landing pages.  The warning message will say:  Do you want to view only the webpage content that was delivered securely?

To avoid that bad user experience, all of the images and CSS for your Marketo landing page templates and landing pages need to reside in Marketo (Design Studio).  In our case, that meant that our web team had to rebuild our landing page templates inside Marketo. That also meant that we had to reapprove every landing page using the revised templates.  Inevitably, we missed something, but it was obvious as soon as we switched on SSL.  It turned out that we missed moving the footer images into Marketo.  That was relatively minor, but it’s an example of how easy it is to miss a small detail in this process.  For us, this also meant that we now had separate images and CSS for the corporate website and our Marketo landing page templates.  And when changes occurred on our corporate website, we didn’t always have the resources to keep the Marketo templates in sync.  Of course, if all the images and CSS for your Marketo landing pages and templates are in Design Studio already, then this won’t be an issue for you.
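
An added example, not from the original post: a pre-switch audit of a landing page template that lists every image, stylesheet, script or iframe loaded over `http://` or from a host other than the landing page itself. The page URL, hosts and template markup are constructed placeholders.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Tag -> attribute that makes the browser fetch a subresource.
SUBRESOURCE_ATTRS = {"img": "src", "script": "src", "iframe": "src", "link": "href"}

# Constructed template: corporate-site CSS, script and footer image mixed
# with assets that already live alongside the landing page.
SAMPLE_TEMPLATE = """
<html><head>
<link rel="stylesheet" href="http://www.example.com/css/site.css">
<link rel="stylesheet" href="/rs/example/css/landing.css">
<script src="//www.example.com/js/header.js"></script>
</head><body>
<img src="/rs/example/images/logo.png">
<a href="http://www.example.com/pricing">Pricing</a>
<img src="http://www.example.com/images/footer.png" />
</body></html>
"""


class SubresourceAudit(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.page_host = urlsplit(page_url).hostname
        self.findings = []  # (kind, tag, resolved_url)

    def handle_starttag(self, tag, attrs):
        attr = SUBRESOURCE_ATTRS.get(tag)
        attrs = dict(attrs)
        if attr is None or not attrs.get(attr):
            return  # plain <a href> links are navigations, not subresources
        if tag == "link" and "stylesheet" not in (attrs.get("rel") or "").lower():
            return
        url = urljoin(self.page_url, attrs[attr])  # resolves relative and //host forms
        parts = urlsplit(url)
        if parts.scheme == "http":
            self.findings.append(("insecure", tag, url))  # mixed content on an https page
        elif parts.scheme == "https" and parts.hostname != self.page_host:
            self.findings.append(("external", tag, url))  # secure, but hosted elsewhere


def audit(html, page_url):
    """Return the subresources to move or fix before the page is served over SSL."""
    parser = SubresourceAudit(page_url)
    parser.feed(html)
    return parser.findings
```

Run `audit(SAMPLE_TEMPLATE, "https://go.example.com/trial.html")` against each approved template; the "insecure" entries are the ones a browser reports as not delivered securely.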

Some additional questions that might come up

When you switch to SSL, any pre-existing http: links to your Marketo landing pages are automatically redirected to the https: link for the landing page.  So you don’t have to worry about breaking pre-existing links to Marketo landing pages from your corporate website or in old emails or banner ads.

The dedicated external IP address for your SSL Marketo landing pages is completely different from a dedicated IP address for email.  The two have nothing to do with each other.

The cost to add SSL is affordable.  Marketo charges a reasonable service fee to make the change and then it's just the cost of a 2 year SSL certificate that you buy.  Marketo will not buy the SSL certificate for you.

Overall, adding SSL to Marketo was pretty straightforward after getting answers to all of our questions.  However, there are a lot of parts to the process and it was time consuming to get to the right person that could answer all of our questions.





2 comments:

  1. Nice post, thank you! There doesn't seem to be much documentation out there on this at all. This was a great overview and cleared up some of my misconceptions.

  2. It was great sharing information. This was really worth reading with details view on SSL. SSL creates trustworthy relationship between visitors and website.
    Website Security Certificate | SSL certificate Prices | SSL Certificate Integration Service
