Last modified: 12 Oct 2006
Control Panel Manual
Securing Transferred Data through SSL
SSL (Secure Sockets Layer protocol) is a standard for transmitting confidential data such as credit card numbers over the Internet. Most true business sites support this feature which allows more security in data transmitted over the WWW. This is the standard minimum security level for true business on the Internet. SSL works by using a private key to encrypt data that is transferred over the SSL connection. Read more on What SSL is.
SSL requires a dedicated IP, because name-based hosting does not support data encryption in HTTP requests.
You can secure transfer of the confidential data on your site through:
- buying and installing a permanent certificate in one step
- using the key and certificate you already have
- creating a temporary key and certificate
- acquiring a permanent certificate from a trusted Certificate Authority
- renewing permanent certificates
- renewing Comodo certificates
- using your provider's certificate (Shared SSL)
- errors and solutions
Buying And Installing a Permanent Certificate In One Step
(version 2.4.3 and up)
- If your hosting provider allowed it in the plan you chose to register under,
you can buy and install a permanent certificate directly from your CP. If
not, you can use certificate you already have
or create a temporary certificate and
then acquire a permanent certificate from
a trusted authority (InstantSSL
from Comodo CA or other authority). Later you can renew
your permanent certificate.
If your provider offers a Shared SSL certificate, you can use it instead of purchasing a certificate of your own.
To buy and install a permanent certificate directly from your CP:
- Select Domain info in the Domain Settings menu.
- Click the Edit icon in the Web Service field.
- Enable SSL for the domain in the list.
- One the page that appears, scroll down to SSL Support and choose
the option One step buy and install SLL certificate:
- Fill in the form with your contact data:
Where:
Type - select a desired type of SSL Certificate.
(version 2.5.1) If allowed by your plan, you can bundle TrustLogo &
CardPayments Logo with the certificate selected.
DUNS - provide your DUNS and company numbers in business listings, if you have any, to facilitate validation of your application. - Agree to charges if any.
- Once you have completed the above steps, a temporary certificate is
generated and the following message in your CP Web Options will show up:
Your SSL certificate has not arrived yet. - Your SSL vendor will then send you a permanent certificate confimation request.
- When your permanent certificate is approved which might take some time, it will be automatically installed on your domain.
Using the Key and Certificate You Already Have
To enable SSL, do the following:
- Select Domain info in the Domain Settings menu.
- Click the Edit icon in the Web Service field.
- Enable SSL for the domain in the list.
- One the page that appears, scroll down to SSL Support and choose the option Import SSL certificate.
- Agree to charges, if any.
- Enter the SSL Server Private Key and SSL Certificate in the boxes that
appear:
- In the Site Name field, choose whether you want to secure with or without the www prefix. Only one option will work correctly. For instance, if you choose to secure http://www.domain.com, your visitors will get security warnings when they go to http://domain.com.
- Click Submit. Now your site is secured.
Creating a Temporary Certificate
The only difference between temporary and permanent certificates is that temporary certificates are generated by your control panel, not trusted Certificate Authorities. Thus, when visitors enter your site, they will get the "unknown certification authority" warning window.
To generate a new temporary SSL private key and certificate, do the following:
- Select Domain info in the Domain Settings menu.
- Click the Edit icon in the Web Service field.
- Enable SSL for the domain in the list.
- Click the link at the top of the form that appears.
- Agree to charges, if any.
- One the page that appears, scroll down to SSL Support and choose
the option Generate self signed SSL certificate. On the page that
appears, confirm your details by clicking the Submit button:
These data will be used to generate the certificate. Don't make changes to the data if you are not sure about the purpose of these changes.
- Follow instructions that appear at the top of the next page.
- SSL Certificate Signing request. It includes the details that you submitted on the previous step. Use this request if you want to get a permanent SSL certificate from // a trusted Certificate Authority, such as Comodo Ca, Thawte or VeriSign (see below).
- SSL Server Private Key. This is the secret key to decrypt messages from your visitors. It must be stored in a secure place where it is inaccessible to others. Don't lose this key, you will need it if you get a permanent certificate.
- Temporary SSL Certificate. It validates your identity and confirms the public key to assure the visitors that they are communicating with your server, not any other party.
- Click Submit Query.
Acquiring a Permanent Certificate
To get a permanent certificate, do the following:
- Generate a temporary SSL certificate (see above).
- Copy the certificate signing request (CSR) and private key for later use.
- Go to Comodo
CA, or any other Certificate Authority and choose to get a new certificate.
When requested, enter the signing request that you have saved.
Important:When obtaining SSL certificate, make sure it is generated for Apache regardless of whether you inted to install it on windows or unix box. - After the permanent SSL Certificate has been generated, save it to a secure location.
- Select Domain info in the Domain Settings menu.
- Go to the Web Service page and click the Edit icon in the SSL field.
- Enter the certificate into the upper box of the form that opens ("Install
Certificate based on previously generated Certificate request"):
For COMODO.NET, enter the rootchain certificate (Certificate Chain File):
Note: The scheme of Acuiring a permanent Certificate by Windows plan users is changed temporarily to exclude Certificate Chain File field from the form!
For Equifax, also enter the Certificate Authority File:
- Click Upload.
- Now you can use the certificate jointly with the private key you have saved.
Renewing Permanent Certificates
If your certificate is about to expire, do the following:
- Find the certificate signing request (CSR) that you saved when acquiring the old certificate.
- Go to your certificate authority and choose to renew the certificate. When requested, enter the CSR.
- After the permanent SSL Certificate has been generated, save it to a secure location.
- Select Domain info in the Domain Settings menu.
- Go to the Web Service page and click the Edit icon next to the SSL Support.
- Enter the corresponding certificate into the box of the form that opens:
- Click Upload.
- Now you can use the certificate jointly with the private key you have saved.
Renewing Comodo SSL Certificate
(H-Sphere 2.5.1 Beta 3 and higher)Comodo SSL certificate can be renewed within 30 days to the expiry date. The new certificate will include the number of days before expiry since the renewal request.
You can't request certificate renewal more than 30 days before expiry.
To renew certificate:
- Go to Web Options in the Domain Settings menu and click Edit next to the chosen domain.
- On the page that appears, click Renew Certificate.
- On the page that appears you will see see the billing statement and
certificate owner info. To renew certificate, click Submit
- Once you've sent the renewal request, you'll be taken to the Web options page and will see the following:
Using Your Provider's SSL Certificate (Shared SSL)
If your provider offers a Shared SSL certificate, you can use it instead of purchasing a certificate of your own. Unlike a regular SSL certificate, it costs less, doesn't require a dedicated IP, and belongs to an equally trusted Certificate Authority. The disadvantage of shared SSL is that it can be used only with third level domains.
Shared SSL requires that your site runs on a shared IP.
To secure your site with Shared SSL, do the following:
- Select Domain info in the Domain Settings menu.
- Click the Edit icon in the Web Service field.
- Enable Shared SSL for the domain in the list.
- Agree to charges, if any.
- If you are using a second level domain (example.com), you will be asked to create a third level domain alias (e.g. domainalias.example.com):
Now the site is available both at the non-secured second level domain name (e.g. http://example.com) and at the secured third level domain alias (e.g. https://example.victor.psoft). Note that Shared SSL certificates work only within one domain level, i.e. for user1.example.com and not for www.user1.example.com. In the example above, the certificate will not work for www.example.victor.psoft, and your visitors will get the warning: "The name on the security certificate does not match the name of the site".
NOTE: When designing your pages set any internal links to images or frames as <a href='https://user.domain.com/images/example.jpg'> or simply <a href='/images/example.jpg'>. If you use the <a href='http://...> link, your visitors will get the message: "The page contains both secure and non-secure items". This isn't much of a problem in terms of security, since visitors may simply choose the "do not display non-secure items" option, but no graphics will be displayed.
Errors and Solutions
- Different key and certificate.
Your private key on the server doesn't match the certificate. This is probably because private key or CSR (certificate submission request) was re-generated after you ordered certificate. Take CSR and get replcaement certificate (InstantSSL has free re-issuance).