Domain and SSL options

Recruitment Marketing Public


This article discusses the various domain scenarios the Recruitment Marketing platform supports. The module has been designed to install seamlessly into your existing infrastructure and domain structures.

However, due to the way that web cookies operate on the internet, there are a number of restrictions that apply if you want to track candidates across your web properties.

This document will use a fictitious company, Acme, with a domain of


The Recruitment Marketing platform requires an SSL on each domain it’s hosted on.


There are 3 available options, summarised below and in more detail further down the page.

Summary of domain options

  Domain example SSL Cert Required Candidate Tracking Content Heatmaps External Tracking Script
Default Supplied Yes Yes No
Dedicated Domain Supplied Yes Yes No
Sub-domain Supplied Yes Yes Yes

Default domain

Recruitment Marketing ships with a default domain of, so without any further configuration, Acme’s pages are available on

This default domain automatically has a wildcard SSL certificate available, so no further configuration is needed, and all pages are available only on https protocol.

Pages on this domain automatically track people and content heatmaps.

Career-pages was chosen as a non-Recruitment Marketing-branded generic domain. In general, customers prefer to use custom options.

Custom dedicated domain

Recruitment Marketing can be deployed to a custom dedicated domain in the format <domain>. For example, Acme might choose to deploy to

The SSL certificate is generated on your behalf, via Amazon Managed Certificates. More information on this process is detailed below.

This means that Recruitment Marketing landing pages would be available on URLs like

Note: An important limitation of this deployment option is that because there is a domain difference between and, the external tracking script will not be able to track candidates' behaviour between the domains.

Custom company sub-domain

Note: This is the most widely deployed and recommended option.

Recruitment Marketing can be deployed to a custom sub-domain in the format <subdomain>.<domain>. For example, Acme might choose to deploy to

The SSL certificate is generated on your behalf, via Amazon Managed Certificates. More information on this process is detailed below.

This means that Recruitment Marketing landing pages would be available on URLs like

In this configuration, because the Recruitment Marketing module is on a company sub-domain, the Recruitment Marketing External Tracking Script can be installed onto any other product within the company's domain, to track candidate behaviour between the sites and Recruitment Marketing.

For example, if Acme has product pages on and Recruitment Marketing on, they can track candidates who interact with both properties. This is because the Recruitment Marketing tracking cookie will be presented to all products with the tracking script on *

SSL Certificate

Automated SSL Certificate Generation and Renewal

This is the preferred method for managing SSL certificates within the Recruitment Marketing module. PageUp generates SSL certificates on your behalf via Amazon Web Services Managed Certificates. This is a simple process where your IT team creates a DNS entry that authorises Recruitment Marketing to then complete the process.

The benefits of this process is that Recruitment Marketing absorbs the cost of the certificate and the certificate renews automatically each year, as long as the DNS entry is still in place.

The steps involved are:

  1. Recruitment Marketing generates an SSL certificate and provides a DNS entry to the client.
  2. Your IT team adds a DNS entry which must be completed within 72 hours.

Following successful validation, your Recruitment Marketing representative will complete the necessary provisioning steps.

Manual SSL Certificate Generation and Renewal

Whilst the automated process described above is the preferred and recommended approach, you may find that your organisation's IT Security Policies prevent you from being able to utilise the automated approach.

In these rare occasions, it is possible for you to generate your own SSL certificate using the vendor of your choice, and upload that SSL certificate directly to your Recruitment Marketing site.

Where possible, this approach should be avoided for the following reasons:

  • Your SSL Certificate will not automatically renew.
  • You will need to manually track the expiry date of your SSL certificate.
  • You will need to generate a new certificate and ensure it is manually uploaded before the previous certificate expires.

If your manually generated and uploaded SSL certificate expires before a new certificate is uploaded, your careers site will become inaccessible to visitors.

For information on how to upload a manually generated certificate, refer to Managing Manually Generated SSL Certificates.


How are the certificates automatically renewed?

The generated certificates are valid for 12 months and will automatically renew for another 12 months provided the DNS entry remains active from the client's side. If the client revokes the DNS entry, the certificate will not renew automatically.

If 3 days pass after expiry without the DNS record being re-added, the certificate cannot be renewed.

Can I provide the certificate for Recruitment Marketing to host?

As noted above, whilst functionality exists to allow you to upload a manually generated certificate, this is not recommended and should be avoided if possible.

Are there any security concerns in allowing Recruitment Marketing to generate a certificate on our behalf?

By adding the DNS record, you are allowing Recruitment Marketing to create certificates for the domain that is named within the CNAME. This is by design to ensure a scalable way to manage all of our clients' SSL certificates.

Refer to AWS Certificate Manager (ACM) for more information.

PageUp uses AWS ACM to ensure that we can scale the provision and operation of SSL Certificates to all clients seamlessly.

ACM allows for quick provision, auto-renewal and no custom certs from multiple clients, suppliers and Certificate Authorities to manually manage.

Can we have both and 

This is not supported. 


The DNS record has been added, but the certificate fails to generate or renew.

If your certificate fails to generate even after you have validated that the DNS entry has been correctly added, it could be that your organisation has a Certification Authority Authorization (CAA) DNS record set up on either the sub-domain you are using for your career site, or on the parent domain.

A CAA record defines which certificate authorities may generate certificates on behalf of your domain and / or sub-domain. If a CAA record exists for your domain or sub-domain, it needs to include at least one of the following entries:





Once the CAA record has been updated, your certificate should successfully generate or renew.



Article is closed for comments.