CDDC Custom Certificate - Technical Guide
⚠️ Important: This option requires manual certificate management with increasingly strict renewal constraints. We strongly recommend migrating to Piano-managed to avoid service interruptions.
Critical constraints to know
Evolution of security standards:
March 2026: Maximum certificate duration reduced to 200 days.
2027: Maximum certificate duration reduced to 100 days.
2029: Maximum certificate duration reduced to 47 days.
Business impact
Service interruption if certificate expires, resulting in data loss during the downtime period.
💡 Recommendation: Migrate to Piano-managed to eliminate these risks.
Setup (9 steps)
Phase 1: Preparation (Client)
Step 1: Subdomain selection
Example: nox.yourdomain.com
Best practices:
Use a subdomain dedicated to analytics
Avoid generic subdomains (api, data, etc.)
Plan consistency with your domain strategy
Step 2: Provide CSR information
Send to Piano Analytics support:
Field | Example | Required |
|---|---|---|
Technical email | ✅ | |
Common Name | ✅ | |
Organization | Your Company | ✅ |
Department | IT Department | ❌ |
City | Paris | ✅ |
Region/State | Île-de-France | ✅ |
Country | FR | ✅ |
Phase 2: Piano Analytics Configuration
Step 3: CSR validation (Piano)
Our team validates the information and generates the secure CSR.
Security:
RSA 2048-bit private key (minimum)
No wildcard certificates (*)
Piano Analytics retains the private key
Step 4: Certificate purchase (Client)
Technical specifications:
Type: Domain Validated (DV) or Organization Validated (OV)
Duration: Minimum 9 months
Algorithm: RSA 2048 bits minimum
Format: PEM or PKCS#7
Step 5: Certificate import (Piano)
Transmission of the certificate and intermediate certificate to Piano Analytics for import into the Data Collection Portal. In return, Piano support will provide you with the alias.
Phase 3: DNS Configuration
Step 6: CNAME configuration (Client)
nox.yourdomain.com. IN CNAME xxx-at-o-dev-net-cddc.at-o.net.DNS alternatives:
CNAME (recommended): Simple redirection
NS delegation: Complete subdomain delegation
Step 7: Verification (Piano)
Our team verifies:
Correct DNS resolution
Phase 4: Validation
Step 8: Technical tests (Piano)
Data collection test
Step 9: Production deployment
Notification of CDDC availability.
🔧 Tagging configuration
Piano Analytics JavaScript SDK
// Basic configuration
pa.setConfiguration({
site: 123456, // Your site ID
collectDomain: 'nox.yourdomain.com',
})Other SDKs
iOS/Android: Update endpoint in configuration
Server-side: Modify API URL
Cookie management
Recommended configuration
In the case of an implementation using a CDDC, we then recommend staying with client-side cookies (default configuration) to have optimal lifespan.
⚠️ Security warning
Issue: Parent domain cookies are automatically transmitted to the subdomain.
Solutions:
Isolation: Use a dedicated domain for analytics
Audit: Verify that no sensitive cookies are on the parent domain
Certificate renewal
Generate a new CSR (Data Collection Portal interface)
Generate a new certificate
Transmit to Piano Analytics
Import and deployment
Technical validation
Migration to Piano-managed
Current problem | Piano-managed solution |
|---|---|
Renewal | ✅ Automatic |
Expiration risk | ✅ None |
Operational complexity | ✅ Zero-touch |
Migration process
Currently using a custom certificate (BYOC)? Migrate to Piano-managed in 2 clicks.
Migration process:
Access your CDDC in the Data Collection Portal
Click on "Switch to Piano-managed certificate" in the side menu
Confirm: Piano automatically generates the new certificate
No DNS change required: The alias remains identical
Duration: Instant migration, no service interruption.
Financial impact: Removal of custom certificate billing.
💡 Piano Analytics Advice: The market trend is moving towards increasingly strict certificate constraints. Piano-managed protects you from these evolutions and guarantees the continuity of your data collection.