What is SSL?
SSL stands for “Secure Sockets Layer.” It is the protocol that encrypts information travelling between a web server and a browser (the protocol itself has since been replaced by its successor, TLS, but the name “SSL certificate” has stuck). The web server has two keys: a Private Key, which never leaves the server, and a Public Key, which is just that – public. Anything encrypted with the public key can be decrypted only with the private key, and only the private key can produce signatures that the public key verifies; that is how a browser confirms it is talking to the genuine server before the encrypted session is set up. When you purchase an SSL certificate, the Certification Authority will ask you for a CSR (Certificate Signing Request) in order to generate your certificate. The CSR is generated on the server from the private key (if you are on a shared server, your hosting company will usually generate it for you) and contains the Public Key together with the domain name and organisation details. After the Certification Authority validates those details, it issues a certificate that binds the public key to your domain; because that public key belongs to your Private Key, only your server can use the certificate. A certificate contains:
domain name (browsers match the hostname being visited against the certificate’s Subject Alternative Name list)
company name
address
city
state
country (the company and address fields appear only when the Certification Authority has verified the organisation; a basic domain-validated certificate carries just the domain name)
the server’s public key
expiration date (together with the date from which the certificate is valid)
identity of the Certification Authority that issued the certificate, and the Authority’s signature over everything above
When a browser attempts to access a secure site, it checks that the certificate is within its validity period (not expired, and not yet-to-become valid), that its signature chains up to a Certification Authority the browser trusts, and that the domain in the certificate matches the domain the user is trying to visit. The hostname match is exact apart from wildcards, and a wildcard covers a single label: *.domain.com matches www.domain.com but not domain.com itself or a.b.domain.com. Browsers also check whether the certificate has been revoked. If any of these checks fails, the browser shows the familiar full-page warning, and in most cases prevents the user from reaching the site at all.
Why use an SSL Certificate?
A useful way to think about it is to ask what each party on the path can see every time your browser communicates with a server: someone on the same Wi-Fi, the system administrators at your ISP (Internet Service Provider), or an agency such as the NSA. You need HTTPS to protect your data from being read, or altered in transit, by people who should not be able to see it. When HTTPS is turned on, sensitive information such as a user’s data or password is visible only to the site itself. What HTTPS does not hide is the hostname of the site (it is sent unencrypted at the start of the connection, in the Server Name Indication, and is visible through DNS), the IP addresses of the user and the server, and the size and timing of the traffic. The rest of the URL (path and query string), the headers, cookies, form data and page contents are all encrypted. HTTPS essentially protects your data from anyone you did not explicitly intend to share it with; what the site then does with that data is a separate question, which is why all websites with HTTPS security (and all sites in general) should have a privacy policy that explains which entities they will share data with.
When do you need an SSL Certificate?
If your site stores sensitive information about customers, processes financial transactions, or lets users log in, you need a security certificate. If your site asks for any kind of credit card information, it definitely must be secured. Even a site that does none of these things benefits from one today: current browsers label every plain-HTTP page “Not secure”, and any page served over HTTP, including its session cookies and forms, can be read or tampered with by anyone on the path. As an aside, if you ever visit a website that asks for your credit card information and the address bar does not show “https” and the padlock, it is NOT safe to process the transaction and you should leave the site without entering payment information.
Where can you purchase an SSL Certificate?
You can purchase an SSL certificate from a hosting company that also resells them, such as GoDaddy. It is definitely easiest to set up a security certificate through the hosting company, if that choice is available to you, because the setup process is typically seamless: the host generates the key and CSR and installs the certificate for you. If you use a hosting company, such as Rackspace Cloud, that does not sell certificates, you must purchase one from a third-party Certification Authority and install it yourself.
The following websites are just a few of the available Certification Authorities:
GoDaddy
Symantec/VeriSign
GeoTrust
RapidSSL
GlobalSign
123-reg.co.uk
thawte.com
Here at Lucid, we typically use RapidSSL, but any of these Certification Authorities are trusted. (Since this was written, the Symantec/VeriSign certificate business, which also owned the GeoTrust, RapidSSL and thawte brands, has been taken over by DigiCert, and browsers no longer trust certificates issued from the old Symantec roots; the brands now issue from DigiCert roots. Check the current browser root programs before buying.)
How do I purchase an SSL?
To get an SSL certificate, simply purchase one from a Certification Authority. The first portion of the purchase form is easy - the Authority will ask you for simple information such as:
domain name
technical contact info
company
address
etc
Eventually, you will need to prove that you control the domain in question, and thus have the right to obtain a certificate for it. This is where things can get tricky. The traditional method is an email challenge: the Certification Authority does a WHOIS lookup for the domain to find the registered owner on file, sends a confirmation link to that email address, and issues the certificate only once the link has been followed. This step can be difficult if you are unsure who controls the email address on file, and harder still if the domain is registered privately, in which case the registrant’s address is hidden behind the registrar’s privacy service. For that reason Certification Authorities also accept confirmation sent to one of the standard role addresses at the domain (admin@, administrator@, webmaster@, hostmaster@ or postmaster@), or proof through a DNS TXT record or a file placed at a URL they specify; any of these works if you control the domain’s DNS or web server.
How do I install an SSL?
Once it has been purchased, the certificate must be installed on the web server. Installation typically requires a developer’s assistance. Simply provide the developer with the certificate (which the Certification Authority typically emails to the technical contact along with the purchase receipt) and the developer will install it from there. Instructions vary by Certificate Issuer and by server; RapidSSL publishes its own installation instructions, with separate versions for Apache, Microsoft IIS and Tomcat users.
An experienced developer may also install a security certificate directly on a non-shared server. The steps below are for Apache on a Debian/Ubuntu-style layout (/etc/apache2); enable the SSL module first with sudo a2enmod ssl if it is not already loaded.
1. Set up a directory to store the key and certificate. The private key will live here, so make it readable by root only:
    sudo mkdir -p /etc/apache2/ssl/domain.com/
    sudo chmod 700 /etc/apache2/ssl/domain.com/
    cd /etc/apache2/ssl/domain.com/
2. Generate a new key. The -des3 option encrypts the key with a passphrase, which means Apache will prompt for it on every restart and cannot come back unattended after a reboot; most deployments therefore leave the key unencrypted and rely on file permissions instead:
    sudo openssl genrsa -out www.domain.com.key 2048
    sudo chmod 600 www.domain.com.key
3. Generate a new CSR from that key. You will be prompted for the subject fields; the Common Name must be the exact hostname the site is served on (www.domain.com):
    sudo openssl req -new -key www.domain.com.key -out www.domain.com.csr
4. Submit the CSR to the Certification Authority.
5. Create the certificate file and paste in the certificate the Authority sends back (the text from -----BEGIN CERTIFICATE----- to -----END CERTIFICATE-----). Most Authorities, RapidSSL included, sign with an intermediate certificate; paste that below your own certificate in the same file (Apache 2.4.8 and later read the whole chain from SSLCertificateFile; on older versions put the intermediate in a separate file named by SSLCertificateChainFile). Without the intermediate, clients that do not already have it cached will reject the site even though it appears to work in your own browser:
    sudo vim certificate.crt
6. Update the Virtual Host file. Port 443 is the port for HTTPS connections, so Apache must listen on it (make sure ports.conf or the vhost file contains Listen 443) and the firewall must allow it:
    <VirtualHost *:443>
        ServerAdmin admin@domain.com
        ServerName domain.com
        ServerAlias www.domain.com
        DocumentRoot /var/www/
        # Keep the logs outside the document root; under /var/www they would be downloadable.
        ErrorLog /var/log/apache2/domain.com-error.log
        CustomLog /var/log/apache2/domain.com-access.log combined
        SSLEngine On
        # "SSLProtocol all" on its own would also enable SSLv3 and TLS 1.0/1.1, which are broken or deprecated.
        SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
        SSLCertificateFile /etc/apache2/ssl/domain.com/certificate.crt
        SSLCertificateKeyFile /etc/apache2/ssl/domain.com/www.domain.com.key
    </VirtualHost>
7. Check the configuration, then restart Apache (if you did keep a passphrase on the key, enter it when asked):
    sudo apachectl configtest
    sudo apachectl -k restart
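The checks described under “What is SSL?” and the key, CSR and certificate steps above can be rehearsed offline before touching a real server. The following script is an added example written for this page, not code from the original post or from RapidSSL. It builds a throw-away root and intermediate Certification Authority with openssl in a scratch directory, issues a certificate for www.domain.com with a Subject Alternative Name list, prints what the certificate contains, and then runs the same checks a browser makes (trusted issuer, validity dates, hostname) and the checks an installer should make (the private key matches the certificate, the CSR asks for the right names, the intermediate is served). The domain names, file names, 30-day lifetimes and the requirement for OpenSSL 1.1.1 or newer on the PATH are all assumptions of the example.

```shell
#!/bin/sh
# Added example, not from the original post. Builds a throw-away PKI in a
# scratch directory with openssl (root CA -> intermediate CA -> leaf for
# www.domain.com), then exercises the browser's checks (trusted issuer,
# validity dates, hostname) and an installer's checks (key matches cert,
# CSR carries the SANs, chain complete). Assumptions: openssl 1.1.1+ on
# PATH, the names below, 30-day lifetimes; no real CA is contacted.
set -eu

# One openssl config with the leaf's subject and SAN list, plus an
# extensions section that turns a certificate into a CA.
write_config() {               # $1 = scratch dir
    cat > "$1/san.cnf" <<'EOF'
[req]
distinguished_name = dn
req_extensions     = v3_req
prompt             = no
[dn]
CN = www.domain.com
O  = Example Co
C  = US
[v3_req]
subjectAltName = DNS:www.domain.com,DNS:domain.com
keyUsage       = digitalSignature,keyEncipherment
[v3_ca]
basicConstraints     = critical,CA:TRUE
keyUsage             = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF
}

# A self-signed root: stand-in for a Certification Authority a browser trusts.
make_root() {                  # $1 = scratch dir, $2 = file stem, $3 = CN
    openssl req -x509 -new -newkey rsa:2048 -nodes -keyout "$1/$2.key" -out "$1/$2.pem" \
        -subj "/CN=$3" -days 30 -config "$1/san.cnf" -extensions v3_ca 2>/dev/null
}

make_test_pki() {              # $1 = scratch dir
    d=$1
    write_config "$d"
    make_root "$d" root "Example Test Root CA"
    make_root "$d" other-root "Unrelated Root CA"   # a root the "browser" does not trust
    # Intermediate CA: a CSR signed by the root; its extensions are set at signing time.
    openssl genrsa -out "$d/inter.key" 2048 2>/dev/null
    openssl req -new -key "$d/inter.key" -out "$d/inter.csr" \
        -subj "/CN=Example Test Intermediate CA" -config "$d/san.cnf"
    openssl x509 -req -in "$d/inter.csr" -CA "$d/root.pem" -CAkey "$d/root.key" -CAcreateserial \
        -out "$d/inter.pem" -days 30 -extfile "$d/san.cnf" -extensions v3_ca 2>/dev/null
    # Steps 2 and 3 of the post: site key and CSR. No -des3: the key is guarded
    # by its file mode rather than a passphrase, so Apache can restart unattended.
    openssl genrsa -out "$d/www.domain.com.key" 2048 2>/dev/null
    chmod 600 "$d/www.domain.com.key"
    openssl req -new -key "$d/www.domain.com.key" -out "$d/www.domain.com.csr" -config "$d/san.cnf"
    # Step 4 as the Authority performs it: sign the CSR, copying the SAN list in.
    openssl x509 -req -in "$d/www.domain.com.csr" -CA "$d/inter.pem" -CAkey "$d/inter.key" \
        -CAcreateserial -out "$d/certificate.crt" -days 30 \
        -extfile "$d/san.cnf" -extensions v3_req 2>/dev/null
    # Step 5: the file Apache should serve is the leaf followed by the intermediate(s).
    cat "$d/certificate.crt" "$d/inter.pem" > "$d/fullchain.pem"
}

# What a certificate contains: subject, issuer, validity dates and SAN list.
describe_cert() {              # $1 = cert file
    openssl x509 -in "$1" -noout -subject -issuer -dates -ext subjectAltName
}

# Installer check: does this private key belong to this certificate?
key_matches_cert() {           # $1 = key file, $2 = cert file
    [ "$(openssl pkey -in "$1" -pubout)" = "$(openssl x509 -in "$2" -noout -pubkey)" ]
}

# Installer check: did the CSR actually ask for this name?
csr_has_san() {                # $1 = csr file, $2 = DNS name
    openssl req -in "$1" -noout -text | grep -qw "DNS:$2"
}

# The browser's checks as one openssl verify: trust limited to the roots in $1,
# hostname $3 must match a SAN, validity judged at unix time $4. Optional $5 is
# the chain the server sends alongside its certificate.
browser_accepts() {            # $1 = roots, $2 = cert, $3 = hostname, $4 = unix time, [$5 = chain]
    trust=$1 cert=$2 host=$3 when=$4
    if [ $# -ge 5 ]; then set -- -untrusted "$5"; else set --; fi
    openssl verify -no-CAfile -no-CApath -CAfile "$trust" "$@" \
        -verify_hostname "$host" -attime "$when" "$cert" >/dev/null 2>&1
}

# Build the PKI and run the checks.
scratch=$(mktemp -d)
trap 'rm -rf "$scratch"' EXIT
make_test_pki "$scratch"
now=$(date +%s)
describe_cert "$scratch/certificate.crt"
key_matches_cert "$scratch/www.domain.com.key" "$scratch/certificate.crt" && echo "key matches certificate"
csr_has_san "$scratch/www.domain.com.csr" www.domain.com && echo "CSR requests www.domain.com"
browser_accepts "$scratch/root.pem" "$scratch/certificate.crt" www.domain.com "$now" "$scratch/fullchain.pem" \
    && echo "accepted: trusted root, valid today, hostname matches"
browser_accepts "$scratch/root.pem" "$scratch/certificate.crt" www.domain.com "$now" \
    || echo "rejected: intermediate not served (the classic step 5 mistake)"
browser_accepts "$scratch/root.pem" "$scratch/certificate.crt" mail.domain.com "$now" "$scratch/fullchain.pem" \
    || echo "rejected: mail.domain.com is not in the SAN list"
browser_accepts "$scratch/other-root.pem" "$scratch/certificate.crt" www.domain.com "$now" "$scratch/fullchain.pem" \
    || echo "rejected: issued by a root the browser does not trust"
browser_accepts "$scratch/root.pem" "$scratch/certificate.crt" www.domain.com "$((now + 60 * 86400))" "$scratch/fullchain.pem" \
    || echo "rejected: expired (checked 60 days out against a 30-day certificate)"
```

Run it with sh on any machine that has openssl; the last five lines show one acceptance and the four distinct rejections. For a real install, run key_matches_cert against the certificate the Authority sent back and browser_accepts with the Authority’s published root as the trust file: together they catch the two most common mistakes (wrong key, missing intermediate) before Apache is restarted.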