Overview

Khoros manages SSL/TLS certificates for all hosted community sites. We have recently moved to a fully automated renewal process. This document explains how it works.

Automated Renewals

Khoros automatically renews SSL certificates before they expire. No action is required from your team for routine renewals, and you will not be contacted as part of the standard process.

Certificate management in Khoros Communities was previously a manual process, carrying an inherent risk of delays and late renewals. As part of our ongoing commitment to improving the reliability and quality of the service, we have rebuilt this process from the ground up using modern, automated approaches. Certificates are now renewed consistently and on schedule, eliminating the operational risk that came with manual handling.

This also positions us well for the future. The industry is moving to significantly shorter certificate validity periods — the CA/Browser Forum has a published schedule reducing certificate validity from 13 months today down to 47 days by 2029. Automation is the only viable way to manage certificates at that cadence, and we are already there.

For more background on why the industry is moving this direction, see: Automated Certificate Management Is No Longer a Nice-to-Have — It's Essential

How We Validate Your Domain

Khoros issues certificates using HTTP domain validation. To prove we legitimately manage the subdomain hosting your community (e.g. community.example.com), we serve specific content from a URL on your community site. This is verified by the Certificate Authority, and the certificate is issued.

This means:

• No DNS changes are required from your team
• No CSR handover or manual certificate issuance is needed
• Validation is scoped to the specific subdomain we host — we cannot access to your root domain

Certificate Authority

We currently  support a range of ACME-compatible Certificate Authorities, including:

• Amazon Trust Services
• DigiCert
• Google Trust Services
• Let's Encrypt

With Amazon Trust Services being used by default.

If your domain has CAA records restricting which Certificate Authorities may issue certificates, Khoros respects these and will issue via a permitted CA.

If your security policy requires a specific Certificate Authority, please contact your account manager. We can support any Certificate Authority that implements ACME (Automatic Certificate Management Environment) — the industry-standard protocol for automated certificate issuance.

Extended Validation (EV) Certificates

If your site uses an EV certificate, this is handled outside our standard process. Please contact our support team if you have an upcoming EV certificate renewal.

SAML Certificates

SAML certificates are used to secure Single Sign-On (SSO) authentication between your identity provider and your Khoros community. These are separate from the SSL/TLS certificates described above and are not yet covered by our automated renewal process.

SAML certificate renewals are currently handled manually. We are planning to improve this in the future. If you have a SAML certificate approaching expiry, please contact our support team.