eCDN Proxy Zone FAQ

Find answers to your eCDN proxy zone questions.

Proxy Zone and Legacy Zone

What is a CDN Proxy Zone?

A proxy zone is any new zone created in eCDN. The proxy zone name is translated by Business Manager. Customers don’t see the proxy zone name. A proxy zone has the following characteristics:
  • Ends with
  • Is only accessible from the CDN zones API
  • Is translated in Business Manager and not seen by customers

What is a legacy zone?

A legacy zone, also known as a root zone, is a zone that includes the customer domain name. For example,

How Do I determine if a zone is a root zone or a proxy zone?

In Business Manager, select Administration > Embedded CDN Settings and find the hostname. If the DNS CNAME starts with commcloud the zone is a proxy zone.

What problems does an eCDN Proxy Zone solve?

On which B2C Commerce instance can I configure eCDN managed certificates?

You can configure eCDN Managed certificates for development, staging, and production instances.

How do eCDN legacy and proxy zones work together?

Both legacy and proxy zones can exist only in different realms and Cloudflare accounts. For example, if you have a legacy zone for in account A, and also created the proxy zone for the hostname in account B. The zones can’t co-exist in the same realm and cloudflare account.

To route traffic to the hostnames, both the legacy and proxy zones require an SSL certificate. In a proxy zone you’re required to specify the hostname when uploading the certificate. In a legacy zone the SSL certificate only serves the hostname that matches the SAN in the uploaded certificate.

What happens if I have a legacy root zone and proxy zone for the same hostname?

An SSL certificate is required for any hostname serving traffic in the proxy zone. Configure the proxy zone with a hostname, for example, and a valid SSL certificate.

Traffic for the hostname requires a valid certificate in both the root zone ( and the SFCC eCDN proxy zone (ending in with the custom hostname
  • If the Root zone ( certificate, used to terminate the TLS for hostname, expires, it can’t serve the traffic.
  • If the proxy zone is missing the hostname, it can’t serve the traffic.

You can upload a valid SSL certificate or use an eCDN managed auto renewing certificate.

Is there a limit to the number of certificates installed for root zones and proxy zones?

Root or Legacy zones (, are limited to four custom certificate slots per realm, shared between Production, Development, and Staging.

Proxy zones support both self-manage custom and eCDN Managed auto renewing SSL certificates for any of your sites. You can use a combination of up to five self-managed SSL certificates or eCDN managed auto-renewing certificates per realm at no additional cost.

Additional certificates in legacy or proxy zones have a monthly subscription cost. New terms will be discussed with you during your next contract renewal cycle.

Can I switch from self-managed custom SSL certificates to eCDN managed certificates in Proxy Zones?

If you have self-managed custom certificates, issued by a certificate authority, in a proxy zone, you can configure SSL certificates for automatic renewal in any zone within the realm. You can also continue to upload SSL certificates for development, staging, and production instances.

You can switch to eCDN managed auto renewing certificates or self-managed custom SSL certificates anytime.

You can configure self-managed SSL certificates, issued by a certificate authority, in Business Manager or with the CDN-API. You can configure eCDN managed only with the CDN-API.

Note: eCDN managed auto-renewing certificates only support single custom hostname certificates. If you have self-managed custom wildcard certificates, you can continue to use them or create separate custom hostnames with eCDN managed certificates for the hostnames.

Can I use eCDN managed certificates in eCDN Legacy or Root Zones?

No, The eCDN managed certificates feature is only available in eCDN proxy zones. All legacy zones, for example, require a custom certificate. You can use Business Manager to upload and renew a certificate before it expires.

Rollout and Timeline Schedule

When is eCDN Proxy Zone for Business Manager available?>

All new zones created after B2C Commerce 22.8 release by default are proxy zones.

Can I configure eCDN managed certificates in eCDN Proxy Zones via Business Manager UI?

No, Business Manager doesn’t support configuring eCDN Managed certificates.

On-Boarding and Activation

How do I activate the eCDN Proxy Zone feature in Business Manager?

All merchants can create eCDN proxy zones. There are no additional steps required to activate or enable this feature.

Are there any requirements to qualify for the eCDN proxy zone?

There are no requirements to qualify for eCDN proxy zone.

How do I configure an eCDN proxy zone?

To create a Proxy Zone on the eCDN, use the self-service Embedded CDN Settings tool in Business Manager.
  1. In Business Manager, select Merchant Tools _SEO_ Aliases. Add the root domain ( and the subdomain ( to the Alias File.
  2. In Business Manager, select Administration > Sites > Embedded CDN Settings.
  3. Click Add Hostname.
  4. Locate the root domain you want to add as the Proxy Zone and click CreateZone.

    A progress message displays. The Proxy Zone is created on the Commerce Cloud Cloudflare account.

    Note: This step can take up to 24 hours. You can check back to get the status. 24 hours is the SLA Cloudflare set to activate the TXT record associated with the zone name.
  5. When the proxy zone is ready, the hostnames listed in the alias file are automatically populated under the proxy zone name.

What are the steps to add eCDN managed certificates to my storefront custom hostnames?

Use the CDN-API to add certificates.
  1. For each hostname, upload a certificate using the POST certificate endpoint with the hostname, certificate type automatic. See addCertificateForZone.
  2. Select Google or Lets Encrypt for the certificate Authority.
  3. Select TXT validation or HTTP validation.

What are the steps to switch from managed custom certificates to eCDN managed certificates?

Use the CDN-API to perform this switch
  1. For each hostname, upload a certificate using the PATCH certificate endpoint with the hostname, certificate type automatic. See updateCertificate.
  2. Select Google or Lets Encrypt for the certificate Authority.
  3. Select TXT validation or HTTP validation.

What are the steps to add SSL certificates to the merchant’s storefront hostnames?

Before completing these steps, use the Business manager Embedded CDN Settings to create a proxy zone. Add certificates to the hostnames secures storefront traffic.
  1. Under the Configure Zone settings, select the Crypto tab.
  2. Select the proxy zone you’re adding a certificate to.
  3. Click Add Certificate.
  4. Enter the certificate and private key information from your certificate provider.
  5. Select which hostnames to which you want to assign the certificate.
  6. Click Upload Certificate.
  7. Copy the displayed verification TXT information into your own DNS portal (Authoritative DNS).
  8. To check the status of hostname validation, click Verify HostName. Verification can take up to six hours.
  9. When the hostname is active, create a CNAME record that points traffic, to the new zone.
    Note: If you already have the same root domain with your DNS provider in a separate account, it’s required to point the DNS to the new zone and not the standard or root zone. The purpose is to prove intent that you want traffic to come to the new zone rather than the standard or root zone. With this approach, you’re responsible for uploading and managing your SSL certificates on Production and Development hostnames. Expired certificates are automatically removed from the B2C Commerce Platform.

Can I update an existing certificate with a new certificate that covers existing and new hostnames?

For an existing hostname with a certificate, you can use the update certificate option to update the certificate.

To change the hostname and add a hostname on a certificate.
  1. Add the new hostname to aliases then select Add Certificate.
  2. Add the certificate and private key.
  3. Select the hostnames (old and new) you want to update on the certificate.

If the hostname is removed from the merchant’s realm, does Salesforce remove a hostname from the SSL certificate?

No. if you removed a hostname from the alias file, Salesforce doesn't remove the hostname from a certificate.

Assuming I have a Cloudflare DNS, What DNS configuration changes do I make?

This is relevant only if you already have a root zone in cloudflare and are trying to route the traffic to the new proxy zone in Salesforce B2C Commerce. After creating the Proxy Zone, point the storefront hostname to the eCDN. Use these steps to map the DNS CNAME values in the Embedded CDN Settings to your Cloudflare account.
  1. Search for the proxy zone name and select it from the list.
  2. Under the DNS tab, locate the hostname that you want to map.
  3. Replace all text after ‘is an alias of’ with the DNS CNAME value provided from the Embedded CDN Settings.
  4. Click in the Status column until the tooltip DNS Only shows.
The storefront hostname is no live on the eCDN.

When do I update DNS changes on my Cloudflare Account to point to the eCDN?

Update your DNS settings on your Cloudflare account when you’re ready to go-live on your B2C Commerce production environment. To run tests before changing your production storefront hostname, you can update your DNS on your custom dev hostname.

Note: Don’t update the CNAME record until an SSL certificate has been installed in the Embedded CDN Settings tool.
X Privacy Update: We use cookies to make interactions with our websites and services easy and meaningful, to better understand how they are used. By continuing to use this site you are giving us your consent to do this. Privacy Policy.