SSL Configuration

Set up SSL certificates for your SaaS platform so all tenants get secure HTTPS connections. No wildcard SSL required!

Every professional SaaS platform needs SSL (HTTPS). It encrypts data, builds trust, and Google even ranks HTTPS sites higher. The good news? Our module does NOT require expensive wildcard SSL certificates — you can use free ones!

No Wildcard SSL Required! Unlike some competing modules, the Perfex CRM SaaS Module works with standard SSL certificates. This saves you $100-300/year that you'd otherwise spend on wildcard certificates.

Understanding SSL for SaaS

Here's what you need for each URL structure:

URL Structure	SSL Type Needed	Cost
Subdirectory (yoursite.com/ws/tenant)	One standard SSL for your main domain	Free (Let's Encrypt)
Subdomain (tenant.yoursite.com)	One wildcard SSL OR Let's Encrypt auto-provisioning	Free (Let's Encrypt)
Custom Domain (tenant-domain.com)	SSL per custom domain (auto-provisioned recommended)	Free (Let's Encrypt)

---

Option 1: Let's Encrypt (Free — Recommended)

Let's Encrypt is a free, automated SSL certificate authority. It's trusted by all browsers and works perfectly with our module.

If You Have cPanel

1. Log in to cPanel

2. Look for "SSL/TLS Status" or "Let's Encrypt" (some cPanel versions have a dedicated Let's Encrypt tool)

3. Click "Run AutoSSL" — this will generate free SSL certificates for all your domains and subdomains

4. Wait a few minutes for the certificates to be issued

AutoSSL in cPanel automatically renews certificates before they expire. You set it up once and forget about it!

If You Have a VPS (Using Certbot)

Certbot is the official Let's Encrypt client. Here's how to install it:

For Apache:

# Install Certbot
sudo apt install certbot python3-certbot-apache

# Get SSL for your main domain AND wildcard:
sudo certbot --apache -d yoursite.com -d *.yoursite.com

# Follow the prompts — Certbot will configure everything automatically

For Nginx:

# Install Certbot
sudo apt install certbot python3-certbot-nginx

# Get SSL for your main domain AND wildcard:
sudo certbot --nginx -d yoursite.com -d *.yoursite.com

# Follow the prompts

Wildcard certificates with Let's Encrypt require DNS validation (not HTTP validation). Certbot will ask you to add a TXT record to your DNS. Follow the on-screen instructions carefully.

If DNS validation seems too complex, you can use standard (non-wildcard) certificates with subdirectory mode, which only requires HTTP validation (easier).

Auto-Renewal

Let's Encrypt certificates expire every 90 days, but Certbot automatically sets up renewal. Verify it's working:

# Test auto-renewal:
sudo certbot renew --dry-run

If this succeeds, your certificates will auto-renew forever!

---

Option 2: Cloudflare (Free + Extra Benefits)

Cloudflare provides free SSL along with CDN, DDoS protection, and performance optimization. It's an excellent choice for SaaS platforms.

Step 1: Add Your Domain to Cloudflare

1. Create a free Cloudflare account at cloudflare.com

2. Click "Add a Site" and enter your domain

3. Cloudflare will scan your existing DNS records

4. Change your domain's nameservers to Cloudflare's (your registrar will have instructions)

Step 2: Enable SSL

1. In Cloudflare, go to SSL/TLS

2. Set the encryption mode to "Full (strict)" if you have a certificate on your server, or "Flexible" if you don't

3. Turn on "Always Use HTTPS"

Step 3: Wildcard Coverage

Cloudflare's free plan covers:

• yoursite.com ✅

• *.yoursite.com ✅ (one level of wildcard)

This means all your tenant subdomains will automatically have SSL!

Cloudflare Universal SSL covers first-level subdomains for free. So tenant.yoursite.com is covered, but sub.tenant.yoursite.com is NOT (you'd need the paid plan for that — but you don't need nested subdomains for the SaaS module).

---

Option 3: Paid SSL Certificate

If you prefer a traditional paid SSL:

Provider	Type	Price	Best For
Comodo/Sectigo	Wildcard	~$70-150/year	Subdomain mode
RapidSSL	Wildcard	~$60-120/year	Subdomain mode
Let's Encrypt	Standard/Wildcard	Free	Everything

To install a paid certificate:

1. Purchase the certificate from your preferred provider

2. Generate a CSR (Certificate Signing Request) on your server

3. Submit the CSR to the certificate provider

4. Install the certificate on your server

5. For cPanel: use SSL/TLS → Install Certificate

6. For VPS: follow your certificate provider's installation guide

---

SSL for Custom Domains

When tenants use their own custom domain, they need their own SSL certificate. Here's how to handle this:

Automatic (Recommended)

If you're using Certbot on a VPS, you can set up automatic SSL for new domains:

# When a tenant adds a custom domain, run:
sudo certbot --apache -d tenant-domain.com
# or for Nginx:
sudo certbot --nginx -d tenant-domain.com

Via Cloudflare

If the tenant uses Cloudflare for their domain, they get automatic SSL on Cloudflare's end. They just need to point their DNS to your server's IP.

---

Verifying SSL Is Working

After setting up SSL, verify it:

1. Open your browser and go to https://yoursite.com

2. Look for the padlock icon in the address bar

3. If using subdomains, test: https://any-subdomain.yoursite.com

4. You should see the padlock on all URLs

You can also use online tools:

• SSL Labs Test — Comprehensive SSL analysis

• Why No Padlock — Check for mixed content issues

---

Forcing HTTPS

Make sure all traffic uses HTTPS (not HTTP):

Apache (.htaccess):

RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

Nginx:

server {
    listen 80;
    server_name yoursite.com *.yoursite.com;
    return 301 https://$host$request_uri;
}

SSL configured! Your SaaS platform is now secure. All data between your tenants and the server is encrypted. Continue to configure your SaaS settings to start building your platform.