Custom domains are the most-requested feature for any link management platform. Users want branded links like go.company.com/campaign instead of generic short URLs.
But behind the scenes, provisioning SSL certificates and routing traffic for custom domains is surprisingly complex. Here's how we do it at getowl.
The Challenge
For each custom domain, we need to:
- Provision an SSL/TLS certificate
- Validate domain ownership
- Attach the domain to our CDN (CloudFront)
- Route traffic through our redirect infrastructure
- Do all of this in under 2 minutes
Our Architecture
Step 1: Certificate Request (AWS ACM)
When a user adds a custom domain, we call AWS Certificate Manager (ACM) to request a certificate. ACM provides DNS validation records — CNAME entries the user adds to their DNS provider.
Step 2: DNS Validation
The user adds two DNS records:
- A CNAME for the validation record (proves ownership)
- A CNAME pointing their domain to our CloudFront distribution
Step 3: Certificate Issuance
ACM validates the DNS records and issues the certificate. This typically takes 5-30 minutes, but we poll every 30 seconds and notify the user as soon as it's ready.
Step 4: CloudFront Configuration
We use a single CloudFront distribution with multiple alternate domain names (CNAMEs). When a new certificate is issued, we:
- Create a combined certificate covering all active custom domains
- Update the CloudFront distribution with the new certificate
- Add the domain as an alternate CNAME
Step 5: Traffic Routing
Lambda@Edge handles the routing. When a request comes in for go.company.com/slug, it:
- Extracts the domain and slug
- Looks up company.com#slug in DynamoDB
- Redirects to the target URL
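The routing steps above, as an added example (not getowl's code): a Lambda@Edge viewer-request handler in Node.js that validates the Host header and slug before building the domain#slug key, and only redirects to http(s) targets. The in-memory LINKS map stands in for the DynamoDB table; keying on the full request hostname, the slug character set and the 302 status are assumptions.

```javascript
'use strict';
// Constructed stand-in for the DynamoDB table (sample data, not real links).
const LINKS = new Map([
  ['go.company.com#campaign', 'https://www.example.com/landing?utm=q3'],
  ['go.company.com#bad', 'javascript:void(0)'],
]);

const HOST_RE = /^(?=.{1,253}$)([a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$/;
// Assumed slug alphabet: no '#', '/' or '%', so a slug cannot forge another domain's key.
const SLUG_RE = /^[A-Za-z0-9_-]{1,64}$/;

// Build the "<domain>#<slug>" key, or return null when host or slug is malformed.
function lookupKey(request) {
  const raw = request.headers.host?.[0]?.value ?? '';
  const host = raw.toLowerCase().replace(/:\d+$/, '').replace(/\.$/, '');
  const slug = request.uri.replace(/^\//, '');
  if (!HOST_RE.test(host) || !SLUG_RE.test(slug)) return null;
  return `${host}#${slug}`;
}

function notFound() {
  return { status: '404', statusDescription: 'Not Found', body: 'Not found' };
}

// Emit a Location header only for absolute http(s) targets.
function redirectResponse(target) {
  let url;
  try { url = new URL(target); } catch { return notFound(); }
  if (url.protocol !== 'https:' && url.protocol !== 'http:') return notFound();
  return {
    status: '302', // assumed; the page does not say which redirect status is used
    statusDescription: 'Found',
    headers: { location: [{ key: 'Location', value: url.href }] },
  };
}

// Synchronous core; a deployed handler would inject an awaited DynamoDB lookup instead.
function route(request, lookup = (key) => LINKS.get(key)) {
  const key = lookupKey(request);
  const target = key && lookup(key);
  return target ? redirectResponse(target) : notFound();
}

// Lambda@Edge viewer-request entry point: unwrap the CloudFront event record.
const handler = async (event) => route(event.Records[0].cf.request);
if (typeof module !== 'undefined') module.exports = { handler };
```

Unknown hosts, malformed slugs and stored targets with a non-http(s) scheme all get the same 404, so the response does not reveal which check failed.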
Scale
We currently process 400+ domain setups per week with this system. The median time from "add domain" to "first redirect" is 4 minutes — limited almost entirely by DNS propagation time.