What is an SSL?
SSL (Secure Sockets Layer) is a standard security protocol for establishing encrypted links between a web server and a browser. Using SSL ensures that all data transmitted between the web server and the browser remains encrypted. An SSL certificate is necessary to create an SSL connection. You will need to provide details about the identity of your website and your company when you activate SSL on your web server.
Where Can I get an SSL?
We offer an SSL here at Cozaq for sale. If you decide to purchase your SSL with us we will also install it for you.
What is SSL used for?
The SSL protocol is used by millions of online businesses to protect their customers, ensuring their online transactions remain confidential. A web page should use encryption when it expects users to submit confidential data, including personal information, passwords, or credit card details. All web browsers have the ability to interact with secured sites so long as the site's certificate is issued by a trusted CA.
Why do I need an SSL certificate?
The internet has spawned new global business opportunities for enterprises conducting online commerce. However, that growth has also attracted fraudsters and cyber criminals who are ready to exploit any opportunity to steal consumer bank account numbers and card details. Any moderately skilled hacker can easily intercept and read the traffic unless the connection between a client (e.g. internet browser) and a web server is encrypted.
Most major web browsers display a lock in the address bar and https:// for a secure site that can be trusted.
Insecure sites do not have that lock and your visitors can see that the traffic going to and from your site is not encrypted.
What type of SSL do I need?
Single domain certificates allow you to secure one fully qualified domain name (FQDN).
Wildcard certificates secure a single domain and unlimited subdomains of that domain. For example, a wildcard certificate for '*.domain.com' could also be used to secure 'payments.domain.com', 'login.domain.com', 'anything-else.domain.com'.
Multi-domain certificates allow website owners to secure multiple, distinct domains on one certificate. For example, a single MDC can be used to secure domain-1.com, domain-2.com, domain-3.co.uk, domain-4.net and so on.
Extended Validation certificates provide the highest levels of security, trust and customer conversion for online businesses. Because of this, EV certificates contain a unique differentiator designed to clearly communicate the trustworthiness of the website to its visitors. Whenever somebody visits a website that uses an EV SSL, the address bar will turn green in major browsers such as Internet Explorer, Firefox and Chrome.
What is a Certificate Signing Request (CSR)?
The security provided by SSLs is all centered around trust. You are, after all, likely only interested in obtaining an SSL to provide a measure of security, and therefore trust, to the end users of your website or server. In order for your certificate to be trusted, it must first be “signed” by an entity the end user’s computer already trusts, thus making your certificate trusted by association. The Certificate Signing Request is quite literally a request to an SSL Issuer to sign your SSL Certificate, thereby providing validation that your server too should be considered trustworthy.
The request itself must be generated on the server needing the SSL, and requires providing a bit of information. The order and exact wording of the information requested varies slightly depending on whether you are generating the CSR through a control panel or using direct commands through a CLI. Generally though, the information required includes most of the following:
- What domain needs securing?
  - Common Name (CN) - examples: www.example.com, mail.example.com
    This needs to be a fully qualified domain name (FQDN) and should match the host or website name you wish to be used publicly; ie: what you will want entered in the browser. If this value does NOT match, visitors may see a warning that the certificate does not match the site being visited.
- Who needs it?
  - Organization (O) - example: Example Corporation, Inc.
    This needs to be the full name of your organization including any applicable suffix (LTD, .Corp, Inc, LLC., etc). Abbreviated names are not allowed.
  - Organizational Unit / Department (OU) - example: IT Department, Webmaster
    This should name the unit within the organization that will manage the certificate.
- Where are you located?
  - Country (C) - example: US, CA
    This should be the two-letter code of the country where the organization is located. A list of country codes is available at countrycode.org.
  - State/Province (S) - example: Ohio, Ontario
    This should be the full and unabbreviated State where the organization is located. (ie: New York, instead of NY)
  - City/Locality (L) - examples: Columbus, Ottawa
    This should be the full and unabbreviated city where the organization is located. (ie: New York, instead of NY or NY City)
- How can your organization be contacted with questions or concerns?
  - Email Address (emailAddress) - example: webmaster@example.com
    This field is optional for many SSL Issuers.
- Password - most of the time you will leave this blank
  While generally a password is no longer required for the CSR, some CSR generation tools still ask for one. This is what was previously referred to as the “Challenge Password” used as part of SSL Revocation. As this is no longer commonly used, it is generally recommended to simply leave this blank if prompted.
  Note: This is different from a RSA passphrase, which is related to the generation of an encrypted private key.
How do I implement SSL on my website?
Implementing SSL for a website is quite easy! A typical installation of an SSL certificate involves the following steps:
Step 1. Acquire SSL certificate
To implement SSL/TLS security on your website, you need to get and install a certificate from a trusted Certificate Authority (CA). A trusted CA will have its root certificates embedded in all major root store programs, meaning the certificate you purchase will be trusted by the internet browsers and mobile devices used by your website visitors.
A quick note:
Cozaq offers purchase of SSL Certificates through us for your convenience, and we are always happy to complete the entire process below on your behalf. If you choose us as your SSL Issuer, all we will need from you is the CSR Information detailed above, and then we will handle the rest!
Okay, now to explain the process. Obtaining an SSL Certificate involves creating a number of files, in the correct order and containing the correct information, and they must be created on the server being secured. The graphic below, and the explanation that follows, detail each set of files and what to do with them:
- Private Key ⇒ Security
  You will need to generate a Private Key and Public Key pair on your server. These keys are tied together mathematically and whatever is encrypted with one key may only be decrypted by the other; that is why having an SSL installed provides security. For the purpose of obtaining an SSL Certificate, you will provide the Public Key to the SSL Issuer to sign your Certificate, and the Private Key will remain on your server.
- Certificate Signing Request (CSR) ⇒ Trust
  To facilitate the signing of your SSL Certificate, you will need to generate a Certificate Signing Request (CSR) providing your organization’s contact information to the signing SSL Issuer. The CSR will need to contain basic contact information for your organization and the domain name(s) you wish to secure. Depending on the SSL you are acquiring, you may need a separate CSR for each SSL, or in the case of wildcard or multi-domain SSLs you may be able to use a single CSR for all of them.
  The explanation of everything a CSR is and entails is very detailed, so be sure to check back soon where we will provide a separate article explaining it in more detail.
- The Request
  Now that you have keys and a certificate request generated, it’s time to purchase your SSL. You will need to provide the SSL Issuer with the Public Key and CSR at the time of purchase.
  Reminder: Do NOT provide the SSL Issuer the Private Key, as this is intended to only ever exist on your server. The only time you should consider providing anyone with your SSL Private Key is if you need to provide it to our support team to assist in installation.
- Obtaining your SSL
  Once your SSL provider is done generating your SSL Certificate, you should be provided with several files, usually in a ZIP archive for easier download. These files should include:
  - Your SSL Certificate (usually named yourdomain.crt or yourdomain.pem).
  - One or more CA Bundle files (also known as “chain files”). These are files that provide “links” from your SSL to those further up the “certificate chain”.
  Note: While your SSL will probably install into most Control Panels without these files, many browsers will not trust certificates that do not provide these files, so it is always better to install them.
These, along with the Private Key, are the files that comprise the SSL and that need to be installed on your server.
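As an added example (not from the original article), the commands below generate the private key and CSR with the OpenSSL CLI, using the placeholder values from the CSR field list, and then check that the CSR carries only the public key that pairs with the private key left on the server. The file names, function names and the 2048-bit RSA key are assumptions for illustration.

```shell
#!/usr/bin/env bash
# Added example, not the article's own code. Needs OpenSSL 1.1.1+ for -addext.
# Subject values are the constructed placeholders from the CSR field list.
set -e

# make_csr DIR CN [EXTRA_NAME...]: writes DIR/server.key and DIR/server.csr.
make_csr() {
  dir=$1; cn=$2; shift 2
  san="DNS:$cn"
  for name; do san="$san,DNS:$name"; done
  (
    umask 077  # the private key must be readable by its owner only
    # -nodes leaves the key without a passphrase; no challenge password is set.
    # OpenSSL spells the State/Province field "ST".
    openssl req -new -newkey rsa:2048 -nodes \
      -keyout "$dir/server.key" -out "$dir/server.csr" \
      -subj "/C=US/ST=Ohio/L=Columbus/O=Example Corporation, Inc./OU=IT Department/CN=$cn" \
      -addext "subjectAltName=$san" 2>/dev/null
  )
}

# Subject of the CSR in RFC 2253 form (stable across OpenSSL versions).
csr_subject() { openssl req -in "$1" -noout -subject -nameopt RFC2253; }

# DNS names the issuer will be asked to cover.
csr_sans() {
  openssl req -in "$1" -noout -text |
    grep -A1 'Subject Alternative Name' | tail -n 1 | tr -d ' '
}

# True when the CSR's self-signature checks out (the request was not altered).
csr_signature_ok() { openssl req -in "$1" -noout -verify 2>&1 | grep -q 'verify OK'; }

# True when the public key inside the CSR belongs to the given private key.
key_matches_csr() {
  from_key=$(openssl pkey -in "$1" -pubout | openssl sha256)
  from_csr=$(openssl req -in "$2" -noout -pubkey | openssl sha256)
  [ "$from_key" = "$from_csr" ]
}

# Usage: pass an existing directory to generate and check a request there.
if [ $# -ge 1 ]; then
  make_csr "$1" www.example.com example.com
  csr_subject "$1/server.csr"; csr_sans "$1/server.csr"
  csr_signature_ok "$1/server.csr" && key_matches_csr "$1/server.key" "$1/server.csr" \
    && echo "CSR is consistent with the private key"
fi
```

Only server.csr is sent to the issuer; server.key never leaves the directory it was created in.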
Step 2. Activate and install your SSL certificate
Reach out to the Cozaq Support team after you have obtained your SSL files and we will happily install the SSL for you. Don’t forget to have the Private Key, Certificate, and CA Bundle files available.
If you’d prefer to do this yourself, check back again soon as we intend to provide a set of How-To articles for most control panels and web service applications. We will update this section here with links to those articles when they become available.
Step 3. Update Website from HTTP to HTTPS
Your website is now capable of HTTPS! You must now configure your website so that visitors who access this site get automatically directed to the "HTTPS" version. Search engine providers like Google are now offering SEO benefits to SSL pages, so the effort to serve all pages on your site over HTTPS is well worth it.
To ensure all parts of your page are secured and served over HTTPS, your developer will need to update all links and referenced files from using http:// to https://, making sure to include CSS and Javascript files, as those are often overlooked. If you do not (or cannot) update all referenced URLs, please be aware that this may result in browsers providing additional warnings about insecure content (also referred to as having “Mixed Content”). Examples of this are provided below:
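To find the references that still need updating, the added example below (not part of the original article) scans HTML for scripts, stylesheets, frames and media that are still referenced with http://. The function names and the sample page are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example, not the article's own code.
set -e

# mixed_content: reads HTML on stdin and prints "<kind> <tag> <url>" for each
# resource an HTTPS page would still fetch over plain http://. Ordinary
# <a href> links are skipped: following a link does not load content into
# the secured page. A <link> that loads nothing (rel="canonical") is also listed.
mixed_content() {
  q="[\"']"
  tags='script|link|iframe|embed|img|audio|video|source'
  tr '\n' ' ' |
    grep -oiE "<($tags)[[:space:]]([^>]*[[:space:]])?(src|href)=${q}?http://[^\"' >]+" |
    sed -E "s/^<([A-Za-z]+)[[:space:]](.*[[:space:]])?[A-Za-z]+=${q}?([^\"' ]+)\$/\1 \3/" |
    awk '{ tag = tolower($1)
           # Scripts, stylesheets and frames can rewrite the page, so browsers
           # block them; media is shown or upgraded, usually with a warning.
           kind = (tag ~ /^(script|link|iframe|embed)$/) ? "active" : "passive"
           print kind, tag, $2 }'
}

# Constructed sample page: two insecure includes in <head>, one insecure image,
# one HTTPS script and one ordinary outbound link.
sample_page() {
  cat <<'EOF'
<html><head>
<link rel="stylesheet" href="http://www.example.com/css/site.css">
<script src="https://www.example.com/js/app.js"></script>
<SCRIPT
   src='http://www.example.com/js/legacy.js'></SCRIPT>
</head><body>
<a href="http://partner.example.net/">Partner site</a>
<img alt="logo" src="http://www.example.com/img/logo.png">
</body></html>
EOF
}

# Usage: mixed_content < index.html
```

Run it against rendered pages as well as templates, since included CSS and JavaScript references are often added by themes or plugins.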