Configure domains and certificates [Beta]

As of February 2025, this feature is only available for new customer managed domains. Any existing domains previously configured with support from Palantir will continue to require Palantir support.

Users with permissions to edit custom domains and certificates (Enrollment administrators and Information Security Officers by default) can access the Domains & certificates tab under Enrollment settings within Control Panel to create, edit, and delete custom domains and renew certificates.

Custom domains and certificates configuration in Control Panel is a new feature and, for compliance reasons and because of ongoing migrations, may not be available on certain enrollments. If the feature is not yet available in your enrollment, contact your Palantir representative for assistance.

Domains and certificates settings.

Create a new custom domain

Creating a custom domain begins with creating a new certificate. Follow these steps:

  1. Generate a Certificate Signing Request (CSR):

    • Select the + Add button option in the custom domains table.
    • Enter the required details: Common name (CN), Organization (O), State (ST), and Organizational unit (OU).
    • Decide between a wildcard certificate and a regular certificate. If you choose a regular certificate, add the Subject Alternative Names (SANs) that the certificate should cover.
    • Once the CSR is generated, download the .pem CSR file. This CSR is used in the next step to obtain a signed certificate from a certificate authority (CA).
  2. Sign the certificate.

    Signing the certificate should be completed outside the platform. This can be done by many domain providers or through a registered CA. To ensure compatibility and security, the signed certificate must meet the following criteria:

    • The certificate must not be expiring within 30 days. If it is, renew the certificate before proceeding.
    • The certificate must be encoded in PEM format. PEM is a Base64 encoded format that is widely used and compatible with most systems.
    • The CN and SAN fields must exactly match those in the generated CSR.
    • The certificate must use the SHA256withRSA signing algorithm.
    • The certificate must be publicly trusted by major browsers. If you wish to use a certificate signed by a custom CA, contact Palantir Support for guidance.

The process may vary based on the domain and method you choose to sign the certificate.

  3. Update Domain Name Server (DNS)

To enable network connectivity to the custom domain, the DNS settings need to be updated in the domain registrar’s platform. This takes place outside the Palantir platform, and the process will depend on the domain provider. Control Panel will display the canonical domain that is required to create the CNAME record.

DNS settings.

  4. Upload the signed certificate

    • Once the previous steps are completed, upload the signed certificate into the form or select Continue setup.
    • The form will run validation checks on the signed certificate. If there are any issues, an error message will appear; refer to Common errors for guidance.
    • Upon successful validation, the CA and the expiry date of the signed certificate will be displayed as confirmation.

Common errors

  • UntrustedCertificateAuthority: The certificate was signed by an untrusted CA.
  • UntrustedAlgorithm: The certificate was signed using an untrusted algorithm.
  • InvalidSignedCertificate: The signed certificate is invalid, or it does not match the CSR.
  • ShortExpiryForCertificate: The duration until certificate expiration is too short.
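
The criteria listed under "Sign the certificate" can be checked locally before uploading. The script below is an added example, not Palantir's validation code: it assumes the `openssl` CLI (1.1.1 or later), the function names are hypothetical, and it does not test whether the issuing CA is publicly trusted.

```shell
#!/bin/sh
# Added example: local pre-upload checks of a signed certificate against its CSR.
# Usage (file names are placeholders): sh check_cert.sh request.csr.pem signed.pem

names() {  # names req|x509 FILE: print the CN, then the sorted SAN entries
    kind=$1; file=$2
    openssl "$kind" -in "$file" -noout -subject -nameopt multiline |
        sed -n 's/^ *commonName *= *//p'
    openssl "$kind" -in "$file" -noout -text |
        awk '/Subject Alternative Name/ {getline; print}' |
        tr ',' '\n' | sed 's/^ *//' | sort
}

check_signed_cert() {  # check_signed_cert CSR CERT; exit status = failed checks
    csr=$1; cert=$2; fails=0
    fail() { echo "FAIL: $1"; fails=$((fails + 1)); }

    # PEM files carry a textual BEGIN marker; DER files do not.
    grep -q -- '-----BEGIN CERTIFICATE-----' "$cert" ||
        { echo "FAIL: certificate is not PEM encoded"; return 1; }
    # -checkend N exits non-zero when the certificate expires within N seconds.
    openssl x509 -in "$cert" -noout -checkend $((30 * 86400)) >/dev/null ||
        fail "certificate expires within 30 days"
    # OpenSSL prints SHA256withRSA as sha256WithRSAEncryption.
    openssl x509 -in "$cert" -noout -text |
        grep -m1 'Signature Algorithm' | grep -q 'sha256WithRSAEncryption' ||
        fail "signing algorithm is not SHA256withRSA"
    [ "$(names req "$csr")" = "$(names x509 "$cert")" ] ||
        fail "CN or SAN entries differ from the CSR"
    # Extra sanity check, not listed on the page: the certificate must carry
    # the public key that the CSR requested.
    [ "$(openssl req -in "$csr" -noout -pubkey)" = \
      "$(openssl x509 -in "$cert" -noout -pubkey)" ] ||
        fail "public key differs from the CSR"

    [ "$fails" -eq 0 ] && echo "OK: $cert passes the local checks"
    return "$fails"
}

if [ "$#" -eq 2 ]; then check_signed_cert "$1" "$2"; fi
```

A non-zero exit status means at least one criterion failed; the `FAIL:` lines name which ones.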

Migrating to a new domain

After uploading the signed certificate, you can choose to migrate settings from an existing domain to the new domain for convenience. The following automatic changes occur during migration:

  • The network ingress allowlist will be copied from the existing domain to the new one. You can make further modifications in the Network Ingress extension.
  • The new domain will be added to all Organizations currently using the existing domain. Further adjustments can be made in the Organization management section.
  • [Optional] Your new domain can be added to authentication providers. You can either add it to all auth providers or select specific ones.

Migrating from an existing domain.

To migrate from an existing domain:

  1. Follow the steps in Create a new custom domain.
  2. Select Yes on the migration screen.
  3. Select the existing domain from which you would like to copy settings.
  4. Decide if authentication providers using the old domain should be updated, and if yes, select the authentication providers you would like to update.
  5. Select Migrate.
  6. Follow the instructions to update your authentication providers. Your identity provider will have to be updated at the source, and the process will depend on the type of identity provider (SAML or OIDC):
    • SAML: Download the metadata (in .xml) for each provider.
    • OIDC: Copy the redirect URLs for each provider.
  7. Once the identity providers have been updated, select Finish setup to mark the domain’s migration status as complete. You will be redirected to the domains list where you can see your new domain.

Renew expiring certificates

To renew expiring certificates, follow these steps:

  1. Navigate to the certificate list.
  2. Select Actions > Renew to initiate the certificate creation workflow, with the CSR form pre-populated with existing certificate details for convenience.
  3. Complete the steps from Create a new custom domain to generate a certificate signing request and upload the signed certificate.
  4. After the upload is complete, you will be directed to a renewal page where you can replace an existing certificate. Select the desired certificate and Renew.
  5. You will be redirected back to the domains and certificates list where your renewed certificate will be visible.

Create a new custom certificate

The process for creating a new custom certificate mirrors that of creating a new custom domain. If no custom domain corresponding to the new certificate’s common name exists, a new one will be created, and the flow will automatically switch to the creation of a new custom domain.

Edit the active certificate

To edit the active certificate of a domain:

  1. Navigate to the domains list.
  2. Go to Actions > Edit active certificate to switch certificates.
  3. Select an eligible certificate to set as the active certificate for the custom domain.

Edit active certificate

Delete a domain

To delete a domain, navigate to Actions > Edit active certificate. The domain must not be referenced by authentication providers or organization hosts, and must not have a registered subdomain in the platform.

Delete a domain.

Glossary

  • CSR = Certificate Signing Request
  • CA = Certificate Authority
  • SAML = Security Assertion Markup Language
  • OIDC = OpenID Connect
  • DNS = Domain Name Server

Frequently asked questions

The following section answers frequently asked questions and will be updated over time.

Can I change my Palantir-owned domain?

No. The Palantir-owned domain provided with your enrollment is not modifiable in self-service. If you have an enterprise account and need to change your domain to another Palantir-owned domain, contact your Palantir representative.