If you’re responsible for managing a HubSpot-hosted domain, you already understand the importance of protecting your visitors’ data and maintaining a secure, trustworthy experience. But when your company’s IT or compliance requirements go beyond HubSpot’s built-in SSL, things can get messy fast.
While HubSpot offers automatic SSL from trusted providers, some organizations need more control—especially those in regulated industries or with centralized IT policies. That’s when custom SSL becomes essential. Unfortunately, navigating the setup can mean lost hours, misfired DNS changes, or endless back-and-forth with your sysadmin team.
This guide walks you through exactly how to install a custom SSL certificate in HubSpot, step by step. You’ll learn what files you need, how certificate validation works, where to upload assets, and how to test your final setup. Plus, you’ll discover how to ensure long-term performance and security using HubSpot’s built-in tools.
Implementing Custom SSL Certificates for Enhanced Site Security
SSL (Secure Sockets Layer) certificates protect the flow of information between your HubSpot-hosted website and your visitors’ browsers. When set up correctly, they encrypt sensitive details—like form submissions, login info, and even search queries—so hackers and bots can’t intercept them.
By default, HubSpot issues SSL certificates from internal certificate authorities for domains hosted on its CMS Hub. This works fine for most businesses. But if you operate under a strict IT governance policy, or if your brand consolidates SSL certificate management across domains, you’ll likely need a custom SSL tied to your preferred certificate authority.
Inside HubSpot, SSL settings live under Settings > Domains & URLs > Domain Security. This is where you’ll manage your certificate files, monitor certificate health, and apply updates. However, uploading a custom SSL is only available with a CMS Hub Enterprise subscription.
When you configure a custom SSL certificate, HubSpot uses your files instead of auto-generating one. The encryption process stays completely under your control—from sourcing the certificate to managing its expiration and chain of trust.
How It Works Under the Hood
When you apply a custom SSL certificate in HubSpot, you’re replacing the platform’s automatic certificate for selected domains. Here’s a look at what’s happening behind the scenes:
- HubSpot first checks that you control the domain by verifying DNS records or CNAME configurations.
- You—or your IT lead—upload three required SSL assets: the Private Key, the Primary Certificate, and any Intermediate Certificates.
- HubSpot then encrypts those files, stores them securely, and updates the CDN to serve your site through the custom certificate.
- Once deployed, all traffic routed to that HubSpot-hosted domain travels through this secure pipeline.
Here’s what each file means:
- Private Key (.key): Generated before or during your CSR process. It must match the certificate exactly.
- Primary Certificate (.crt or .pem): This is the main SSL file issued by your Certificate Authority.
- Intermediate Certificates (.crt): These files complete the chain of trust from your certificate to the CA’s root. They’re optional—but highly recommended to avoid trust disruptions in browsers.
After upload and verification, HubSpot outputs:
- A functioning HTTPS connection visible in your browser
- A valid “Secure” icon tied to your selected Certificate Authority
- SSL status details are directly in your HubSpot domain settings
You can also add optional protections, such as HTTP-to-HTTPS redirects, HSTS policies, and expiration reminders.
Main Uses Inside HubSpot
Meeting corporate security policies
Many enterprise IT teams enforce a “single source” certificate policy. If that’s your scenario, using HubSpot’s default SSL can cause compliance gaps—especially if internal audits flag inconsistent CA issuers.
Say your company uses DigiCert for all public domains. Your marketing content in HubSpot should reflect that. Instead of relying on HubSpot’s built-in SSL, you can upload your internally issued certificate to stay aligned with proper security policies.
This keeps your marketing efforts compliant while letting your brand scale securely across web properties.
Securing gated content and portals
Any page that collects personal, academic, health, or financial data must comply with industry security regulations. If your portal hosts gated resources, forms, or applications, encryption isn’t optional—and your compliance officer will likely insist on proof.
Consider a university using HubSpot to register students for programs. They may require that all sites, including marketing microsites, use the university’s master certificate to maintain a consistent audit trail. Installing a custom SSL confirms ownership, simplifies renewal timelines, and passes audits with less friction.
Maintaining trust in custom domains
When visitors jump across your brand’s web properties, they expect a seamless—and secure—experience. But if one subdomain uses GoDaddy SSL and another uses Let’s Encrypt, trust can get shaky.
A custom SSL lets you keep the same issuer across all your HubSpot-hosted domains, even if they live on different subdomains. For instance, blog.company.com and resources.company.com can both show your corporate certificate instead of separate default ones.
It’s a subtle signal, but it reinforces credibility and consistency where it matters: the browser bar.
Common Setup Errors and Wrong Assumptions
Problem: Private Key doesn’t match your certificate.
This mismatch causes HubSpot to throw an error or reject the upload.
→ Always confirm pairing with a Certificate Authority check tool before submitting.
Problem: Skipping Intermediate Certificates.
This leads browsers to warn users about partial or broken security.
→ Include the full certificate chain in your upload, not just the main certificate.
Problem: Using an unsupported file type.
HubSpot only accepts PEM, CRT, or KEY formats.
→ Don’t upload PFX bundles or encrypted files—they’ll fail during processing.
Problem: DNS records are incomplete or incorrect.
Incorrect CNAME settings will block HubSpot from verifying your domain.
→ Confirm DNS is pointing to the correct HubSpot hostname before uploading your certificate.
Step-by-Step Setup or Use Guide
Before starting, confirm:
- You have a CMS Hub Enterprise subscription.
- You’re an admin in HubSpot.
- Your domain is connected and shows up under the domains settings.
- You have access to the Private Key and certificates from your IT/security team.
Then, follow these steps:
Step 1: Collect required SSL files.
Make sure you have the Private Key, the Primary Certificate, and any Intermediates copied in the appropriate formats.
Step 2: Log in to HubSpot.
Head to Settings, then go to Website > Domains & URLs.
Step 3: Find your domain.
Locate the connected domain where you want to apply the custom SSL. Click Domain Security.
Step 4: Upload your certificate.
Choose the option to “Upload custom SSL certificate.”
Step 5: Add your certificate assets.
You’ll paste or upload each file in its corresponding field. Double-check each entry.
Step 6: Validate and save.
HubSpot will automatically verify that the files match and are up to date. If validation passes, click Save.
Step 7: Wait for propagation.
Changes deploy across the CDN. This usually takes just a few minutes, depending on file size and server load.
Step 8: Test everything.
Open your site over HTTPS. You should see your custom CA and a “Secure” lock in the browser. Back in HubSpot, confirm that the SSL status shows as “Active.”
Measuring Results in HubSpot
Once installed, make sure your certificate is truly working—and that nothing breaks post-launch.
Key ways to validate:
- Check SSL status under Domains & URLs. This should show “Active” next to your domain.
- Track all traffic sources. Make sure every visit redirects to HTTPS. Enable “Force HTTPS” if not.
- Monitor site speed. Page performance should stay stable or improve thanks to CDN-level caching. No slowdowns.
- Watch for alerts. HubSpot flags expired certificates, missing intermediates, or other issues right in your dashboard.
- Verify analytics and conversions. Run full-funnel reports under Website Analytics to ensure HTTPS changes haven’t affected traffic or lead capture.
Quick review list:
- SSL is visibly active and set by your CA
- No mixed content errors across your domain
- HTTPS is used in 100% of tracked sessions
- No browser security warnings during external tests (try SSL Labs)
Short Example That Ties It Together
Say you’re part of an enterprise marketing team managing localized HubSpot landing pages. Your IT department supplies a GlobalSign SSL covering regional subdomains.
You receive the Private Key and matching certificates, log into HubSpot, and upload the assets under Domain Security. HubSpot verifies DNS ownership and activates the certificate within minutes. You confirm that all regional pages now redirect to HTTPS and show the correct certificate in browser tabs.
In monthly analytics reports, traffic holds steady. Your boss is happy. IT checks off security compliance. You’ve just bridged the gap between marketing agility and enterprise security.
How INSIDEA Helps
Setting up a custom SSL certificate in HubSpot isn’t something every marketer knows how to do—and truthfully, it shouldn’t eat up your time. That’s where INSIDEA comes in.
Our team partners with both marketers and IT leads to handle the full SSL rollout. From repointing DNS to formatting key files, we make sure your HubSpot-hosted domains meet security standards without disrupting performance or deployment timelines.
Here’s how we support you:
- HubSpot onboarding: Fast, secure setup of HubSpot properties the right way
- Ongoing management: Clean data, predictable automations, stable content delivery
- Custom SSL assistance: Upload, validate, and maintain your corporate-cert SSLs
- Data & CRM reporting: Keep teams aligned with real-time analytics that reflect your secure URLs
- Technical support: On-call guidance for DNS configurations or browser troubleshooting during audits
Need to get compliant, fast? Connect with our HubSpot advisors or check out INSIDEA’s HubSpot consulting services.
