Activating Incapsula with SSL Protection

Created at:

Many of Incapsula’s customers use the secure HTTPS protocol on their websites so that their sessions are encrypted and their users’ data is protected. To do so, the customer must first receive an SSL (Secure Sockets Layer) certificate from a CA (Certificate Authority).

When a customer uses Incapsula’s web security features, end users connect to Incapsula servers, and their messages are relayed from Incapsula to the customer site. Therefore, to maintain SSL protection along the entire chain of communication, both Incapsula servers and customer servers must have SSL certificates. Incapsula servers use the customer’s SSL key when communicating with customer servers.

To protect the link between the end users and Incapsula servers, there are two options:

  • Incapsula provides a new SSL certificate for the customer, issued by its CA. This is the more commonly-used option.
  • Incapsula uses the customer’s own SSL certificate, issued by the customer’s chosen CA, to encrypt communications with the end users. In this case, the customer must provide Incapsula with its private key, via a secure portal. Sites with stricter EV (Extended Validation) certificates usually choose this option.

Important Notes:

  • Free plan customers are not eligible for SSL Support. For more information please check our "Pricing and Plans" page.

  • Incapsula must issue a certificate for the second option as well, in order to provide service to users whose browser doesn’t support SNI. (These are mostly older versions of Internet Explorer, or any IE version running on Windows XP). 

  • SSL certificates issued by Incapsula are provided at no extra cost.



Registering a Site with SSL Protection


When you register your site as an Incapsula customer site, using the Incapsula web interface, your site is automatically identified as using the HTTPS protocol. The registration wizard will then guide you through the following steps:

  1. Validate your domain ownership either by clicking a link sent via email, or by adding a specific text record to your DNS zone file.

  2. After your site is validated, Incapsula requests that a new SSL certificate be generated for your site. This is usually completed within a minute or two.

Important Notes:

  • At any stage during the registration procedure, you can click the button. If you choose this option, communications between your end users and Incapsula, and between Incapsula and your site, will not be encrypted. This is not recommended for sites that have SSL protection. 

  • If you want Incapsula to use your own SSL certificate, follow the instructions described in this link.


Registration Procedure

To register a site with SSL protection:

  1. Add the site using Incapsula’s “Add Site” wizard. After you enter the site’s URL, Incapsula scans your site details, including identifying SSL protection. If Incapsula detects that your site uses the HTTPS protocol, you will see the “HTTPS” value in the Detecting HTTP/HTTPS field, as in the image below.

  2.  Click . The following diagram is displayed, illustrating how SSL protection works along the chain of communication to your site.

  3.  To request Incapsula to issue you a new SSL certificate, click  The site validation page is displayed.

  4. There are 2 validation methods: 

    1. To validate your site by adding a DNS record:

  • Click the  option on the left (this is selected by default).
  • Copy the string in the Value field in the table on the right, and add it as a text record to your DNS zone file.

  • Click . Incapsula verifies that the text record has been added.
  • Go to step 6 of this procedure.

           2. To validate your site by email:

  • Click the  option on the left. The following page is displayed.
  •  The address dropdown is populated with all the email addresses registered for your site with the Whois lookup service. You can click to send test emails to all the addresses listed, so that you can check the ones to which you have access. (The test emails do not contain a validation link.)
  •  Select the email address to which you want Incapsula to send a validation link. The button is enabled.

  • Click the  button. Incapsula sends the validation email to this selected address.
  • Open the email you received and click on the validation link.

5. After your site has been validated, Incapsula starts the process for issuing a new SSL
certificate for your site.

6. If for any reason the issuing of the new SSL certificate is not completed promptly, you may see the following message, and will receive an email notification when the certificate is issued.

7. Otherwise, when the process is complete, the following message is displayed, indicating that the certificate was issued successfully.

For existing sites:

1. Enter to Sites -> Settings -> General

2. Click Configure and choose the required email address. The address dropdown is populated with all the email addresses registered for your site with the Whois lookup service. 

3. The certificate status will be changed and Incapsula will send the validation email to the selected address.

4.Open the email you received and click on the validation link. ( For full domains you should receive 2 emails, for the naked domain + wildcard).

Important Note: If you would like to use the DNS validation method, please contact support. 



Was this article helpful?
2 out of 6 found this helpful
Have more questions? Submit a request


  • Avatar

    Step 1 is for adding a new site. What about an existing site?

    Edited by Bill
  • Avatar

    I'd also like to see a version of this for existing sites. For instance, I see you can add via email auth, but I want to use DNS auth that is presented as an option during initial setup.

  • Avatar

    It's rather frustrating that I'm finding this blog entry for the same reason I left a comment about this last December nearly 8 months ago. I have a client that isn't getting the email for validation and I'd like to just use the TXT entry but there's no way to get that once the initial option has been selected for email auth. Please consider paying this request (from multiple customers) some attention. Thank you.

  • Avatar

    I'd like to echo Dylan here.

    We are also stuck in the same predicament: We have an existing site we are trying to activate an Incapsula generated certificate for. The only option is email authentication, but we never "receive two emails from GlobalSign (the certificate authority that issues SSL certificates for domains on our service)."

    Please add DNS validation as an option for existing sites trying to add SSL support.

Powered by Zendesk