58275: Acronis Cyber Cloud: Branding Web Console URL

Last update: 23-11-2021

Suppose that you want to make Acronis Cyber Cloud services available from your domain: cloud.example.com (in the guidelines below, replace cloud.example.com with your domain name). This feature is applicable to Acronis Cyber Cloud services.

Use cases:

  • For partners that want to make Acronis services available via their own domain, the option is provided to enable this functionality by providing a certificate to secure the traffic.  This document describes the process for a partner to enable branded URL with HTTPS enabled via TLS certificate provided by the partner.
  • For partners who already have a branded domain, which has a TLS certificate which is due to expire.  This guide will allow such partner user to upload a new certificate and change DNS settings to point to the new location, enabling self-managed certificates with expiry notifications.
Please make sure that the branding is enabled for the group id you wish to use for URL customization.
It is not possible to customize URL for each service separately (like backup.example.com and files.example.com). Each service will have an URL like: cloud.example.com/mc, cloud.example.com/bc, cloud.example.com/fc, cloud.example.com/notary
It is not possible to use the same DNS name for multiple groups.

Identify the required files

You will need the .PEM file to proceed, if you already have it, you may skip this step.

If the customer has not provided the .PEM file and instead of it you have  .PFX, .P12 or .PB7, follow the steps below the generate the .PEM file:

  1. If the customer has provided .pfx file, you can extract .pem from it using OpenSSL (for Windows or for Linux): 

    openssl pkcs12 -in keyStore.pfx -out keyStore.pem -nodes

  2. If the customer provided .p12 file, you can extract .pem from it using OpenSSL (for Windows or for Linux): 

    openssl pkcs12 -in keyStore.p12 -out keyStore.pem -nodes

  3. If the customer provided .p7b file, you can convert it to .pem using OpenSSL (for Windows or for Linux): 

    openssl pkcs7 -print_certs -in certificate.p7b -out certificate.cer

  4. How to decrypt encrypted Private key:

    openssl rsa -in enc.key -out dec.key

    Enter pass phrase for enc.key:      -> Enter password and hit return

    writing RSA key

  5. If the customer has provided .crt +.key files, you can merge them into .pem:  create a single .pem file that contains the following: customer's certificate (should be first in the file), the private key for the certificate, and all the intermediate certificates, including the root certificate of the CA. No empty lines are allowed in the file.

     6. You may need to reconstruct the certificate chain, to do that:

  1. Open the .PEM file provided by the customer in text editor
  2. Copy everything EXCEPT the private key because this is confidential customer's info
  3. Paste output to https://tools.keycdn.com/certificate-chain (ensure to NOT PASTE THE PRIVATE KEY)
  4. Click COMPOSE
    If a valid thing is composed the tool will say so.
  5. Paste the new text back to the file with the Key.
  6. Save that as .PEM and re-try with the tool.

See also Frequently Used OpenSSL Commands.

Follow the steps below to set up URL branding using a special CLI tool:

Download the appropriate tool for your environment:

DNS Updates

1. Define a CNAME record to resolve the name cloud.example.com into the respective Acronis domain name.
Do one of the following depending on whether you have an account in only one Acronis data center or in multiple data centers.

  • You have an account in only one Acronis data center. This is a typical case.
    Set up a single CNAME record to resolve the name cloud.example.com into an Acronis domain name according to the data center where your account is located:

    cloud.example.com -> branded-<your_DC>-cloud.acronis.com

  • You have accounts in multiple Acronis data centers worldwide (meaning that Acronis has provided you with separate logins from different groups), and you want to use a single domain name to work with all of them. This case normally applies to larger service providers and to providers whose users are spread across continents.
    1. Set up the following CNAME record: cloud.example.comcloud.acronis.com.
    2. In addition, set up CNAME records for each Acronis data center where you have an account, as follows:

      cloud.example.com -> branded-<your_DC>-cloud.acronis.com

Generate TLS certificates

2. Create a Certificate Sign Request for an SSL certificate for the domain name (or names) that you created in the previous step. As a security best practice, we recommend that you request a certificate for those names only; to do this, specify each name (such as cloud.example.com) in the Subject Alt Name field of the request. Alternatively, you can request a wildcard certificate (that is, a certificate whose Common Name is *.example.com).

Upload certificate

The branding tool is not compatible with 2FA. Please disable 2FA temporarily, apply branding, then re-enable 2FA. Alternatively, you can temporarily switch your account to a service account (as described in product documentation)

3. To set a certificate and key, you need the following information:

  • Your username
  • Your password
  • The tenant ID of a partner group with branding enabled (see How to find Tenant ID)
  • A file containing the certificate you want to upload (absolute or relative path)
  • A file containing the key you want to upload (absolute or relative path)

For example, given a username ("Login" in GUI) of "JohnDoe", a tenantID of "11111111-22222222-3333-444444444444", a certificate file: "cert.pem", a key file: "myKey.key", and a cname of "example.com", the tool is run by invoking the command below in the command line:

branding-cli set -u JohnDoe -tenantID 11111111-22222222-3333-444444444444 -cert cert.pem -key myKey.key -cname example.com

There will be some delay (approximately 5 minutes) before the certificate is applied.

4. After the certificate is uploaded, ask your DNS registrar to set up a CNAME record to resolve the name cloud.example.com into the respective Acronis domain name, specified in step 1. It is possible to run the cli tool with the verification option, “-verifySuccess=true” before moving DNS entries to ensure that certificate has been successfully applied.

Delete Certificate

You can only delete certificates uploaded using this tool, it will not delete "old method" certificates.

To delete a certificate you need the following information:

  • Your username
  • Your password
  • The tenant ID (of a partner group with branding enabled) to delete the certificate from

For example, given a username ("Login" in GUI) of "JohnDoe", and a tenantID of "11111111-22222222-3333-444444444444" The tool would be run as follows:

branding-cli delete -u JohnDoe -tenantID 11111111-22222222-3333-444444444444

The tool will prompt you for your password.

More information

In case CLI tool does not work, then Contact Acronis Support to:

  • fix CLI tool ( make sure to provide CLI command attempt outcome)
  • use old URL branding procedure as described below (apply workaround)