Why we use automated certificates
Public TLS rules are strict (short certificate lifetimes, strong validation, evolving browser trust). Manual certificate procurement and renewal add IT work and renewal risk. For custom Assessment hostnames (vanity URLs), HelioCampus manages issuance, renewal, validation, and deployment so your team does not need to buy or renew those certificates.
How this works (high level)
Your application URL points at our infrastructure via DNS. Certificate authorities (CAs), the organizations trusted to issue TLS/SSL certificates for public use, require proof of control of your application URL at validation time. They do not require proof that the applicant is the domain registrant. We use standard methods (e.g. ACME HTTP-01): the CA requests a token under /.well-known/acme-challenge/ on your subdomain; our systems answer it; the CA can then issue a certificate for that name. This pattern is normal for SaaS custom domains and aligns with public CA practice.
We use Let’s Encrypt for automated issuance and renewals.
CAA records — DNS check during onboarding
CAA (Certificate Authority Authorization) records are optional. Many domains have no CAA records at all; that is normal, and no action is required unless your organization chooses to publish them.
If you do use CAA, those records must allow Let’s Encrypt or certificate issuance will fail until DNS is updated.
How to check for CAA records: use a CAA lookup tool (e.g. nslookup.io CAA lookup), enter your institution’s apex domain (e.g. institution.edu) in the lookup field, and run the search. Use the results with the table below.
| What you see | Action |
|---|---|
| No CAA records returned | None |
| CAA records exist and include | None |
| CAA records exist but do not include | Add authorization for Let’s Encrypt (see below) |
If you must add Let’s Encrypt, use a record like:
0 issue "letsencrypt.org"
Add it at the apex or on the exact subdomain used for the app (e.g. assessment.institution.edu), per your DNS or security team’s policy.
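The check above can be scripted. This is an added example, not HelioCampus or Let’s Encrypt code. It goes one step beyond the apex lookup by applying the CAA rule that the closest name with CAA records wins (RFC 8659), which is why a record on the exact subdomain works as well as one at the apex. The zone data is constructed, the function names are hypothetical, and only the issue property for non-wildcard names is evaluated.

```python
# Added example: constructed CAA data standing in for real DNS answers.
LETS_ENCRYPT = "letsencrypt.org"

# name -> list of (flags, tag, value) CAA records (all values constructed)
SAMPLE_CAA = {
    "institution.edu": [(0, "issue", "digicert.com")],
    "college.example": [(0, "issue", "sectigo.com")],
    "assessment.college.example": [
        (0, "issue", "letsencrypt.org; validationmethods=http-01")],
    "locked.example": [(0, "issue", ";")],          # forbids every CA
    "iodefonly.example": [(0, "iodef", "mailto:security@iodefonly.example")],
}

def relevant_rrset(fqdn, zone):
    """Climb from fqdn toward the root; return the first CAA set found."""
    labels = fqdn.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        name = ".".join(labels[i:])
        if zone.get(name):
            return name, zone[name]
    return None, []

def issuers(records):
    """Issuer names from 'issue' properties; parameters after ';' dropped."""
    return [value.split(";", 1)[0].strip().lower()
            for _flags, tag, value in records if tag.lower() == "issue"]

def check(fqdn, zone, ca=LETS_ENCRYPT):
    """Return (owner of the relevant CAA set, action per the table above)."""
    owner, records = relevant_rrset(fqdn, zone)
    if not records:
        return None, "none: no CAA records returned"
    allowed = issuers(records)
    if not allowed:
        return owner, "none: no issue property restricts issuance"
    if ca in allowed:
        return owner, "none: Let's Encrypt authorized"
    return owner, f'add at {owner} or {fqdn}: 0 issue "{ca}"'

if __name__ == "__main__":
    for host in ("assessment.institution.edu", "assessment.college.example",
                 "app.locked.example", "app.nocaa.example"):
        print(host, "->", check(host, SAMPLE_CAA))
```

To run it against live DNS, replace SAMPLE_CAA with the CAA answers returned by your lookup tool for each name from the subdomain up to the apex.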
Tip: Share this CAA guidance with whoever owns DNS or security operations early in implementation so records are correct before your vanity URL goes live.