Managed SSL reduces operational burden and auto-renews. For wildcards or EV you may need to bring your own. Ensure private keys stay on your server and are not exported. HSTS and strong ciphers still apply.
Pros of managed SSL
- No renewal hassle: Provider issues and renews certs (often Let's Encrypt or similar). No manual certbot or calendar reminders.
- Auto-renewal: Before expiry, the provider renews. Reduces risk of expired certs and broken HTTPS.
- Simplicity: One less thing to manage; good for small teams or many domains.
Limits and when to BYO
- Wildcard: Not all managed offerings include wildcard (*.example.com). You may need to bring your own or use DNS challenge with Let's Encrypt yourself.
- EV (Extended Validation): Usually requires your own cert from a CA; managed plans often only do DV (Domain Validation).
- Private keys: Ensure keys are generated and stored on your server (or in your HSM). Some "managed" setups hold keys on the provider side—acceptable for some, not for strict compliance. Ask.
Security still your responsibility
- HSTS: Enable Strict-Transport-Security header. Managed SSL does not always set this; add it in your app or reverse proxy.
- Strong ciphers: Disable TLS 1.0/1.1; prefer 1.2/1.3 and strong ciphers. Configure at the proxy or app level.
- Chain: Ensure the provider serves a complete chain so clients do not get certificate errors.
Summary
Managed SSL simplifies issuance and renewal. For wildcard or EV, you may need your own cert. Ensure private keys stay under your control; still enable HSTS and strong ciphers.
