FAQ - SSL Landing Pages and Tracking Links

Document created by 84539250b6a5dbaeb28c678abebc9a81d169d3e7 Employee on Aug 16, 2016Last modified by b314881cf2c6f34ff6c1ea07c3f07a199f877a57 on Sep 27, 2017
Version 13Show Document
  • View in full screen mode

FAQs Included in this Article:




The SSL (Secure Socket Layer) Landing page enables you to make all your landing pages for a given Marketo instance secure. By default, when you fill out a web form or visit a landing page that is hosted by Marketo, the information is sent over non-secure HTTP. Per your company’s policy, you may want to secure the information submitted to Marketo securely over HTTPS.


Marketo tracks “Visited Web Page” and “Click Link on Web Page” over non-secure HTTP by default. Customers who wish to have their tracking links secured with their own secure certificate will require Marketo to build a separate non-shared server. Customers looking to secure all aspects of customer interaction will typically secure both landing pages and tracking links.



What packages does Marketo offer?

Marketo offerst the SSL Landing Page Security Package and the Tracking Link Security Package. Both packages are one-time provisions per instance of Marketo. For details on pricing information, please contact your Customer Account Manager.


Why does Marketo charge for these services?

To enable secure landing pages, Marketo has to set up and maintain a dedicated landing page server for each instance. Non-secure landing pages are served from a shared web server, which is not suitable for secure pages.


Why wasn’t this included in my subscription?

Not all customers require their landing pages to be hosted over secure communications. Sometimes a company has a policy change or IT policies are being enforced for secure communications.


How often do I need to budget for SSL Provisions?

The frequency of subsequent certificate updates will depend on the expiration date of the certificate. We recommending buying multiple years so that you can minimize the subsequent updates.


How do I figure out how many SSL packages I will need?

Every instance of Marketo (production, sandbox, etc.) will require a new certificate package. Here are some common examples:

  • 1 SSL package = info.mydomain.com certificate and one Marketo instance
  • 2 SSL packages = two certificate and two Marketo instances
  • 1 SSL package = multiple domain bundled under a SAN certificate and one Marketo instance


What do I need to provide Marketo to enable secure pages and links?

You will need to provide a secure certificate and your private key to Marketo.


Which Secure Certificate Provider vendor does Marketo recommend?

Marketo does not recommend any single provider, but the following SSL Providers are commonly used:

  • VeriSign
  • Thawte
  • Geotrust
  • Comodo
  • DigiCert
  • GoDaddy
  • Network Solutions
  • RapidSSL


These certificates are recognized by most web browsers. Certain premium certificates will also show the name in the URL bar (usually in a green bar). These are more expensive and it will take more time to issue those, because the SSL vendor will do more background checks before issuing such a certificate.


What term (1-year, 2-year, 5-year) certificate does Marketo recommend?

Marketo recommends clients purchase a certificate term they are comfortable with. If you anticipate a domain name change in the near future, a shorter term may be prudent. However, it will be more work and more cost to download a new certificate every year if no changes are anticipated.  We recommend using certificates that are valid at least 2 years, which is also usually cheaper per year.

Is a private key always needed?

Yes, a private key is required for every certificate.


Can SSL Landing Pages and non-SSL Landing Pages co-exist in an instance of Marketo?

No the cutover involves completely replacing the non-secure server with a secure server.


What impact should I expect with this change?

Switching landing pages to SSL may result in brief availability issues while in transition, when DNS information is modified to point to an SSL address, but landing pages are not converted yet. SSL is applied to all Marketo landing pages and cannot be applied selectively.


How can I minimize the impact of the change?

  1. Marketo and your technical personnel must agree on specific date and time for the change window. During that change window, we will provide conference information to communicate and coordinate progress.
  2. Reduce TTL value of DNS record for landing pages in your DNS domain. Recommended TTL value is 300 (5 minutes).
  3. Do not run mailing campaigns around the change window.


Steps During the Change Window?

  1. Marketo and your technical personnel will connect on a conference call.
  2. Your technical personnel will update the DNS record for landing pages
  3. Marketo will verify the new DNS values in our network.
  4. Marketo will update database and Marketo application settings to allow SSL conversion for landing pages.
  5. You will verify the new landing pages, send and verify test emails, and confirm that the conversion is completed.

What do you need to do after your SSL goes live?

There are a few simple steps for after the it goes live. You'll need to do the following things:

  • Re-approve all landing pages, which you can do in bulk by going to Design Studio, then clicking on “Landing Pages”. You can select multiple pages to approve or unapprove in the  “Landing Page Actions” menu.
  • It is also recommended to change all images, CSS files, JavaScript files and other external links in landing pages to HTTPS, otherwise users may get an “Insecure Content on Secure Pages” error. CSS files in particular will create formatting errors if not corrected. You can read more about that here: HTG Explains: What Exactly is a Mixed Content Warning?
  • If you include a Marketo landing page on a secure website using an iframe, you will need to load the secure version of the landing page, otherwise the end user will get a security warning.


Are there scripts to change all these links quickly?

You can engage Marketo professional services for a quote to help you with a cut over plan and possible build scripts to help with these change overs.


Is there any advantage to doing this in a sandbox before doing this in production?

No. Marketo sandbox and production are completely different configurations. One change to another server does not guarantee the other instance will be similar. Also, you may need separate domain names and certificates to avoid domain name collisions in sandbox and production configurations.


What if I still want to do this in a sandbox?

You can purchase another SSL Landing Page Security Package for your Marketo sandbox instance.


What happens when a customer visits the HTTP version of a landing page?

Anyone visiting the HTTP version of a Marketo landing page post-cutover will be redirected to the secure version.

What is the process for setting up Secure Landing Pages and why does it take 3 weeks?

Setting or altering a dedicated secure landing page server takes some time because there is a lot of back-end work involved. This work is done by one or several of our network engineers. We ask for 3 weeks to ensure that we can set a schedule with you and coordinate the time in our operations’ schedule that will minimize risk and the possibility for errors. When setting up or altering a certificate, Marketo must perform some or all of the following tasks:

  • Assign a new IP address for your new landing page server
  • Install or confirm a new load balancer
  • Reconfigure the internal DNS
  • Install the certificate.

Can Marketo install more than one certificate?

No, unfortunately this is not technically possible in our server architecture. If you need to secure multiple domains, you will need to provide us with a wildcard certificate for multiple subdomains (*.company.com) or a SAN Certificate (also called UCC certificate). With a SAN certificate, there can be multiple domains in a single certificate (they need to be full domains, wildcards can’t be used).


Do secure landing pages affect the CNAME for branded tracking links?

No, the CNAME entry for branded tracking links remains unchanged.

What Marketo configuration is required to complete the Landing Page SSL Setup?

One or more CNAMEs for the Marketo Landing Pages must be configured in the Admin section of the application as described here: Setup Steps - Marketo Docs - Product Docs


Will URLs to the existing non-secure Marketo Landing Pages continue to work?

Yes, the existing Marketo landing pages will be redirected to the secure pages. There are only few situations where you may have to manually update the URL, specifically when you include a Marketo landing page on a secure website using an iframe. You will need to load the secure version of the landing page, otherwise the end user will get a security warning.


Converting Marketo Landing Pages to SSL does not affect any pages on their main (non-Marketo) website.


Will the Munchkin JavaScript API also be encrypted via SSL?

Yes, calls to the Munchkin JavaScript API automatically switch to SSL if the page on which the calls are made is SSL encrypted.


Is Marketo enforcing HTTP String Transport Security (HSTS) for the site?

HSTS is important to mitigate SSL strips and other man-in-the-middle attacks. Clients who want to protect their site using HSTS need to also purchase SSL for branded tracking links. If using HSTS they will need the secured email links as well as SSL for landing pages.


The SSL for branded tracking links offering is intended to address the use case and requirement in which a policy is in place that requires the configuration of the corporate website to only accept requests via HTTPS.


Follow this link to get an explanation of HSTS: HTTP Strict Transport Security - Wikipedia, the free encyclopedia


Does a certificate with the primary site in the subject name and the alternate sites in the subject alternative name work instead of a wildcard cert?

Yes, we can work with a SAN certificate instead of a wildcard as long as all domain names are in a single certificate.