SSL Guide

From Site5Wiki


What is SSL?

SSL stands for Secure Sockets Layer, and it is the method by which visitors can access your website securely. Virtually all business transactions online use SSL to encrypt data as it is sent between the browser's computer and the web server.

When a site is being accessed securely, a "lock" icon will generally appear in the browser's status bar. This indicates that the browser has made a connection to the web server and has verified the authenticity of the server via a trusted third party called a Certificate Authority. Certificate authorities are well-known companies that sell "certificates" which allow a web server to verify its authenticity, preventing a malicious third party from posing as a website that it is not.

Using the Site5 shared SSL certificate

All of our servers have a server-wide SSL certificate that can be used free of charge. This means you won't have to purchase your own SSL certificate from a third-party provider. You can use the Site5 shared SSL certificate by accessing your site at
https://server.site5.com/~user/page.file
where:

  • server is the server on which your site is hosted
  • user is your username for the SiteAdmin account for your site
  • page.file is the name of the file in your root directory that you want to access (you can also specify a subdirectory)

For example, https://dactyls.site5.com/~kgnuorg/ht/quickjoin.html securely accesses the support page of kgnu.org, http://kgnu.org/ht/quickjoin.html, where:

  • dactyls is the name of the server that hosts kgnu.org
  • kgnuorg is the account name (login)
  • /ht/quickjoin.html is the path to the membership page

You do not need to do anything unique with the files on your site. This just changes the way the pages are accessed.

Note that the URL of the page will start with site5.com, not yourdomain.tld. The visitor might find that disconcerting. If you want a URL that starts with yourdomain.tld, you need to install your own certificate (see below).

Note that references in the page must be relative, not absolute. For example:

  • OK: logo.gif (in the same directory as the page: will work for both the direct link and for the secure access)
  • OK: graphics/logo.gif (relative to the page: will work for both the direct link and for the secure access)
  • OK: ../graphics/logo.gif (relative to the directory that contains this page: will work for both)
  • Not OK: /graphics/logo.gif (relative to the home directory, which is different for the secure access than it was in the original page, so the image will not be found)
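
The rule above can be checked mechanically. The following added example (not part of the original wiki page) resolves each reference against both the direct and the shared-certificate URL from the kgnu.org example and reports the ones that stop pointing at the same file. The sample markup and the style.css path are constructed for illustration, and check_references, site_path and RefCollector are hypothetical helper names.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# The two URLs are the wiki page's own example; ACCOUNT_ROOT is the path
# prefix under which the shared-certificate URL exposes the account.
DIRECT = "http://kgnu.org/ht/quickjoin.html"
SECURE = "https://dactyls.site5.com/~kgnuorg/ht/quickjoin.html"
ACCOUNT_ROOT = "/~kgnuorg"

# Constructed sample markup (not taken from the real site).
SAMPLE_PAGE = """
<img src="logo.gif">
<img src="graphics/logo.gif">
<img src="../graphics/logo.gif">
<img src="/graphics/logo.gif">
<link rel="stylesheet" href="http://kgnu.org/style.css">
"""

class RefCollector(HTMLParser):
    """Collect every src/href attribute value found in the markup."""
    def __init__(self):
        super().__init__()
        self.refs = []

    def handle_starttag(self, tag, attrs):
        self.refs += [v for k, v in attrs if k in ("src", "href") and v]

def site_path(url, root=""):
    """Path of url below the site root, or None if it falls outside it."""
    path = urlsplit(url).path
    return path[len(root):] if path.startswith(root + "/") else None

def check_references(html, direct=DIRECT, secure=SECURE, root=ACCOUNT_ROOT):
    """Map each reference to 'ok' or the reason it fails under the secure URL."""
    collector = RefCollector()
    collector.feed(html)
    verdicts = {}
    for ref in collector.refs:
        target = urlsplit(urljoin(secure, ref))
        if (target.scheme, target.netloc) != ("https", urlsplit(secure).netloc):
            verdicts[ref] = "leaves the secure URL"
        elif site_path(target.geturl(), root) != site_path(urljoin(direct, ref)):
            verdicts[ref] = "resolves to a different file"
        else:
            verdicts[ref] = "ok"
    return verdicts

if __name__ == "__main__":
    for ref, verdict in check_references(SAMPLE_PAGE).items():
        print(f"{ref:40} {verdict}")
```

An absolute http:// reference to your own domain is reported as leaving the secure URL because the browser fetches it from the direct address rather than through the shared-certificate host.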

You cannot use the server's security certificate to execute a script securely. Because the system user that accesses the file via the shared secure URL is the default system user (netadmin), the script in question cannot be executed properly. The only way to execute a script via a secure URL is to use a certificate tied to the account itself (see below). For example:

Using your own SSL certificate — Understanding SSL

SSL certificates each require their own IP address, and can't be used on the same IP as another SSL certificate.

How many certificates can I install on my Shared or MultiSite plan?

Non-reseller plans are given a single shared IP address for the entire account; additional IPs cannot be purchased for these types of plans. It is important to keep this in mind when purchasing an SSL certificate, since only one can be installed on each of these plans. There is also an installation fee of $15.00 for SSL certificates on these types of plans, and your plan must offer a dedicated IP address (most Legacy Plans offer a dedicated IP address; our newer plans offer a dedicated IP through the add-on of "+ Turbo").

I have a Reseller account, how does this differ from Shared or MultiSite plans?

Reseller plans allow for additional IPs to be purchased for SSL usage. When planning an SSL installation, it is important to remember that each SSL certificate used with sub-accounts will require a unique IP address. The easiest way to accomplish this is to submit the certificate, along with any intermediate certificates, RSA keys, etc. as required by the issuer, to customer support at the same time as requesting the private IP address, so that both are set up together. There is no setup fee for this type of account; however, each additional IP address will be billed at $1.00/month.

Purchasing an SSL certificate

Site5 cannot provide you with a signed SSL certificate. You will need to obtain one from a valid SSL certificate authority. There are a number of certificate authorities to choose from. Site5 servers currently make use of certificates from Enterprise SSL.

Here are some other well known certificate authorities.

Whichever authority you decide to purchase your certificate from, you will need to provide them with a certificate signing request (CSR) and an SSL KEY so that they can create a valid certificate for you. You can create a CSR and KEY from your SiteAdmin area under the advanced options. It is labeled Private SSL Certificate. Please note that all form fields are required when generating a CSR.

From this area you will need to enter some basic information regarding your identity.

  • Email address to send private key and CSR - This is the email address where you would like a copy of the generated CSR and KEY sent to.
  • Hostname for this certificate - This is the host name that your secure site will be accessed by. You should be aware that the host name used to access the site must match what is on the certificate exactly or your visitors will see a security warning when viewing the page. If you plan to have visitors access your secure site using www.domain.com you would need to include the www. portion of the address in this field.
  • Country (two letter code) - This is the two letter country code for the country where the organization that the certificate is being registered to is located. They are not always as they would seem (see: DigiCert's SSL country codes)
  • State - This is the FULL name of the state or province where the organization that the certificate is being registered to is located. Abbreviations will not be accepted in this field. If you are located in California, for example, you must enter California in this field and not CA.
  • City - This is the name of the city where the organization that the certificate is being registered to is located.
  • Company name - This is the name of the organization that the certificate is being registered to.
  • Company division - This is the division or department of the organization that is responsible for this certificate. Common entries would be "Sales", "IT", or something similar.
  • Contact email address - This is the contact email address for the person(s) responsible for this certificate.
  • Verification password - This is the verification password for the certificate. You can choose any password you wish. Visitors to your secure site will not be required to enter this or any password.

Once you complete and submit this form your CSR and KEY will be generated, displayed, and a copy will be mailed to the address you provided in the first field.

Once you have obtained an SSL certificate from a certificate authority, you can move on to installing your SSL certificate.

Installing an SSL certificate

It is important to remember that only technical support can install SSL certificates for you. Currently these cannot be installed through either Shared, MultiSite, or Reseller control panels. Once you have your certificate, submit the following in a ticket to technical support:

  • In a zipped file attached to the message (Site5 will not accept unzipped .crt file attachments), these files from the certifying agency (they all start with "-----BEGIN CERTIFICATE-----"):
    • certificate (CRT) (for example: yourdomain_com.crt)
    • intermediate certificate (for example: DigiCertCA.crt)
    • root certificate (for example: TrustedRoot.crt)
  • RSA key (KEY) from Site5 (starts with "-----BEGIN RSA PRIVATE KEY-----")
  • your primary account
  • your account type (such as "shared")
  • the domain for which it will be installed
  • Your username
  • This statement: "I am aware of and will accept the applicable certificate installation charges"
  • If installing under a reseller account, confirm the charge for the dedicated IP address, if required.

Please note: As is the case in any situation where a website's IP address will change, if the requested SSL installation requires an IP address change, there may be a brief period of apparent downtime following the SSL installation.

I already have an SSL certificate installed, what if I need to install an updated/renewed one?

Updating an already installed SSL certificate is free for all account types. Simply submit the new certificate (CRT) and RSA key (KEY) along with any required account details in a ticket to technical support.

SSL Country Codes

SSL Country codes are not always the same as the well known two letter abbreviation for the country. You will need to be sure you are using the correct country code or the certificate authority will be unable to create the certificate for you.

DigiCert has compiled a list of all countries and the corresponding country codes used to generate SSL certificates. An alternative list, downloadable in .txt form, is available thanks to the University of California at Irvine.


Related wiki entries: HTTPS; SFTP; SSH; SSL