
SSL Protection

SSL (Secure Sockets Layer) is a great way of securing a website, as it allows you to send the data between your web site and your visitors securely. There are also SSL Certificates that prove your identity to the users of your website.

 

Introduction to SSL

What does SSL do to secure your website? It provides two very important features, encryption and authentication:

  • Encryption means that the data sent between your web site and its visitors is unreadable by others. When a user visits your site over an SSL connection (URLs that begin with https://), the web server and web browser send each other encrypted information. Unencrypted web transactions are transmitted as plaintext and are subject to eavesdropping.
  • Authentication means visitors can be assured that you are who you claim to be. When users access your site using an SSL connection, they are confident that they are seeing your website, and not an impostor's. Encryption helps protect data, but authentication helps to prove your identity to others.

Most browsers show a lock icon when a user goes to an SSL-encrypted website. If you want to enable SSL for your website, you first have to get and install the certificate.

 

Does my website need an SSL certificate?

Your website needs an SSL certificate if it has personal data or payment-related information on it. Also, if you have a register/login system on your website, where visitors put their passwords in, this kind of information also should be SSL-encrypted.

 

How do I obtain an SSL certificate?

There are several websites and online services that can provide you with an SSL certificate:

  • With this method, you first order an SSL certificate and provide basic information (domain, name, address, and so on) that is used to generate the SSL certificate. You then receive an e-mail message that contains the SSL certificate you install on your web site.
  • The best way to get an SSL certificate is to get it from a recognized Certificate Authority like Sectigo. It is a free Certificate Authority that is open to everyone and recognized by most browsers. Sectigo is automated and very easy to work with.
  • As an option, you can also get an SSL certificate from a third-party provider. In order to do so, you first have to create a CSR (Certificate Signing Request). Then, the provider will use this request to generate an SSL certificate. You can easily install it to your website, once you receive the certificate from the provider.
  • Some website owners use self-signed certificates. In this case, your website will have encryption, but no authentication. Your visitors may then receive messages from their browsers, warning them when they try to access any part of your website. Usually, website owners only use a self-signed certificate when testing or developing their website.
  • If you have a shared hosting account, you can use the server's shared SSL certificate to secure your site. However, the https:// URL will not contain your domain name. Instead, it will look something like https://username-www50.ssl.supercp.com, where username is your account username.

 

 

Installing a third-party SSL certificate

In case you want to get your SSL certificate from a third-party provider, here are the steps of purchasing and installing the certificate:

  • First of all, generate a private key.
  • Use the private key plus some identifying information to generate a Certificate Signing Request (CSR).
  • Send the Certificate Signing Request to the certificate authority.
  • Complete one or more steps for confirmation and identification as determined by the Certificate Authority.
  • Install the certificate provided by the certificate authority along with the Certificate Authority bundle if one is provided.

If you have already purchased an SSL certificate for your domain from a different provider, you only need to go through the last step in the list above. Remember that you need the private key to install the certificate successfully.

 

How to Redirect Visitors to SSL Version of Your Website

Your users may sometimes type in a non-secure URL in their web browser. In this case, you might need to redirect them to a safe URL. The information here applies to Linux servers using Apache or Apache compatible web servers, as well as to Windows and Managed WordPress servers.

 

Redirecting visitors to SSL-enabled connections (for Linux servers using Apache or Apache compatible webserver)

If you need to make sure that your visitors are using a secure connection on your website, use Apache rewrite rules in a custom .htaccess file.

If you use the rewrite rules in an .htaccess file in the web site's root directory, all requests will be redirected to HTTPS connections. Alternatively, you can modify the rewrite rules in a specific directory's .htaccess file to limit redirection to files in that directory.

Add the following lines to the desired .htaccess file to redirect users from a non-secure URL (http://) to a secure URL (https://):

RewriteEngine On

RewriteCond %{HTTPS} off

RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

 

Redirecting visitors to SSL-enabled connections (for Windows and Managed WordPress servers)

If you need to make sure that your visitors are using a secure connection on your website, follow the steps below:

  • Log in to Plesk.
  • In the left sidebar, click Websites & Domains.
  • Locate the domain you want to configure, and then click Hosting Settings.
  • Under Security, select the SSL/TLS support and Permanent SEO-safe 301 redirect from HTTP to HTTPS checkboxes:
    • SSL/TLS support
    • Permanent SEO-safe 301 redirect from HTTP to HTTPS
  • In the Certificate list box, select the SSL certificate that you want to use for the site.
  • Click OK. Your site now uses a secure connection for all web page requests.

 

How to Use WWW and Non-WWW Domains with SSL Certificate

The information here applies to Linux servers using Apache or Apache compatible web servers, as well as to Windows and Managed WordPress servers.

 

Using www and non-www domains with an SSL certificate (for Linux servers using Apache or Apache compatible web servers)

Most third-party SSL certificates are only used for one specific domain. For this reason, web site owners often set up an SSL certificate for the www subdomain. However, this means that visitors to the site may receive a security warning if they go to example.com without the www prefix.

Of course, you want the users of your website to be able to always use an SSL connection, regardless of whether they go to example.com without the www prefix, or with. To enable this functionality, you can use Apache rewrite rules in a custom .htaccess file.

The following guide demonstrates how to redirect visitors who enter a domain name without the www prefix to a secure connection. With these settings enabled on your web site, visitors who go to example.com or www.example.com (where example.com represents your domain) both obtain an SSL connection:

RewriteEngine on

RewriteCond %{HTTPS} on

RewriteCond %{HTTP_HOST} !^www\.

RewriteRule ^(.*)$ https://www.%{HTTP_HOST}/$1 [R=301,L]

 

 

Using www and non-www domains with an SSL certificate (for Windows and Managed WordPress servers)

The following guide demonstrates how to redirect visitors who enter a domain name without the www prefix to a secure connection. With these settings enabled on your web site, visitors who go to example.com or www.example.com (where example.com represents your domain) both obtain an SSL connection:

  • Log in to Plesk.
  • In the left sidebar, click Websites & Domains.
  • Locate the domain you want to configure, and then click Hosting Settings.
  • Under Security, select the SSL/TLS support and Permanent SEO-safe 301 redirect from HTTP to HTTPS checkboxes:
    • SSL/TLS support
    • Permanent SEO-safe 301 redirect from HTTP to HTTPS
  • In the Certificate list box, select the SSL certificate that you want to use for the site.
  • Click OK. Your site now uses a secure connection for all web page requests.

 

How to generate private key and CSR from the command line

If you want to obtain an SSL certificate for a system that does not include cPanel access, please follow the instructions below:

  • Log in to your account using SSH.
  • At the command prompt, type the following command:
    • openssl req -new -newkey rsa:2048 -nodes -keyout server.key -out server.csr
  • At the Country Name prompt, type the two-letter country code for your location, and then press Enter.
  • At the State or Province Name prompt, type the appropriate response for your location, and then press Enter.
  • At the Locality Name prompt, type the town or city name for your location, and then press Enter.
  • At the Organization Name prompt, type your company or organization name, and then press Enter.
  • At the Organizational Unit Name prompt, type the appropriate response for your organization, and then press Enter. Alternatively, to leave this field blank, just press Enter.
  • At the Common Name prompt, type the domain name that you want to secure with the SSL certificate, and then press Enter.
  • At the Email Address prompt, type the e-mail address that you want to associate with the certificate, and then press Enter.
  • At the Challenge password prompt, press Enter.
  • At the Optional company name prompt, press Enter.
  • OpenSSL generates the private key and CSR files. If you typed the command in step 2 exactly as shown, the files are named server.key and server.csr. You can now send the text in the server.csr file to the signing authority to obtain your certificate. (Do not send the information in your private key!)
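
A non-interactive variant of the procedure above, as an added example that is not part of the original article: it answers the prompts with -subj, asks for both the bare and the www name in one CSR, and confirms that a CSR or certificate belongs to your private key before you send or install anything. The function names, subject values and example.com are assumptions, and -addext requires OpenSSL 1.1.1 or later.

```sh
#!/bin/sh
# Added example. Function names, subject fields and example.com are placeholders.

# make_csr DOMAIN OUTDIR
# Creates OUTDIR/DOMAIN.key and OUTDIR/DOMAIN.csr without prompting. The CSR
# requests both DOMAIN and www.DOMAIN as subjectAltName entries.
make_csr() {
    domain=$1
    outdir=$2
    (
        umask 077   # files are created readable by their owner only
        openssl req -new -newkey rsa:2048 -nodes \
            -keyout "$outdir/$domain.key" -out "$outdir/$domain.csr" \
            -subj "/C=US/ST=California/L=Los Angeles/O=Example Org/CN=$domain" \
            -addext "subjectAltName=DNS:$domain,DNS:www.$domain" 2>/dev/null
    )
}

# csr_matches_key CSR KEY: succeeds only if the CSR was generated from KEY.
csr_matches_key() {
    csr_pub=$(openssl req -in "$1" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ -n "$csr_pub" ] && [ "$csr_pub" = "$key_pub" ]
}

# cert_matches_key CERT KEY: the same comparison for the certificate the CA
# returns, to run before installing it.
cert_matches_key() {
    crt_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ -n "$crt_pub" ] && [ "$crt_pub" = "$key_pub" ]
}

# csr_names CSR: prints the DNS names the CSR asks the CA to certify.
csr_names() {
    openssl req -in "$1" -noout -text 2>/dev/null |
        grep -o 'DNS:[^, ]*' | sed 's/^DNS://' | tr '\n' ' ' | sed 's/ $//'
}

# Demo: sh csr.sh demo
if [ "${1:-}" = "demo" ]; then
    dir=$(mktemp -d)
    make_csr example.com "$dir" || { echo "openssl req failed" >&2; exit 1; }
    echo "names in CSR: $(csr_names "$dir/example.com.csr")"
    csr_matches_key "$dir/example.com.csr" "$dir/example.com.key" &&
        echo "CSR matches private key; send only the .csr file to the CA"
    rm -rf "$dir"
fi
```
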

 

How to Fix Mixing Of Secure & Insecure Web Page Content

When visitors to your website request a page using a secure https:// connection, a broken padlock icon may appear in the web browser's location bar. Additionally, they may receive a warning message in their browser, such as one of the following:

  • Mozilla Firefox displays:

“The connection to this website is not fully secure because it contains unencrypted elements (such as images).”

  • Microsoft Internet Explorer displays:

“Do you want to view only the webpage content that was delivered securely?

This webpage contains content that will not be delivered using a secure HTTPS connection, which could compromise the security of the entire webpage.”

  • Google Chrome displays:

“Your connection to example.com is encrypted with 256-bit encryption. However, this page includes other resources which are not secure. These resources can be viewed by others while in transit, and can be modified by an attacker to change the look of the page.”

Websites with hyperlinks to unsecured elements and pages usually have this problem. For example, if the visitor is trying to request a secured page with an image or any other media that is not secured, a warning message will pop up. This problem can occur with any type of hyperlinked resource file: a JavaScript library, a CSS file, etc.

There are a couple of ways to resolve this issue. Below we provide two methods that will help you with this problem.

 

Method #1: Send a Content-Security-Policy response header directly from the webserver

To resolve this problem, you can send a Content-Security-Policy HTTP response header. This header instructs web browsers to upgrade insecure requests to HTTPS.

For Apache web servers on Linux, add the following lines to the .htaccess file (or files) that you use on your website:

<IfModule mod_headers.c>

    Header always set Content-Security-Policy "upgrade-insecure-requests;"

</IfModule>

 

For IIS web servers on Windows, in IIS Manager use the HTTP Response Headers tool to add the following custom header:

Name: Content-Security-Policy

Value: upgrade-insecure-requests

 

Method #2: Send a Content-Security-Policy directive from page source files

Alternatively, you can use the following meta tag in the source files of your site pages:

<meta http-equiv="Content-Security-Policy" content="upgrade-insecure-requests">
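
Both methods make the browser upgrade insecure requests; to fix them at the source you first have to find them. The following added example (not part of the original article) lists the http:// resources a page actually loads and ignores ordinary hyperlinks, which do not trigger the warning. The function names and the sample page are constructed, and the tag matching is a simple text scan, not a full HTML parser.

```sh
#!/bin/sh
# Added example. Function names and the sample page are constructed.

# Constructed page: three insecure loads, plus references that are NOT mixed
# content (an https script, a canonical link, a hyperlink, a data-src attribute).
sample_page() {
    cat <<'EOF'
<html><head>
<link rel="stylesheet" href="http://cdn.example.com/site.css">
<link rel="canonical" href="http://example.com/">
<script src="https://cdn.example.com/app.js"></script>
<script
   src='http://cdn.example.com/legacy.js'></script>
</head><body>
<a href="http://example.org/">partner</a>
<img data-src="http://cdn.example.com/lazy.png" src="/img/logo.png">
<img src="http://cdn.example.com/banner.png" alt="">
</body></html>
EOF
}

# insecure_subresources [FILE...]: prints one http:// URL per line for every
# element that makes the browser fetch a resource (reads stdin without FILE).
insecure_subresources() {
    q="'"
    cat "$@" |
        tr '\n' ' ' | tr '<' '\n' | sed 's/>.*//' |   # one tag per line, tag text only
        grep -Ei '^(img|script|iframe|audio|video|source|embed)[[:space:]]|^link[[:space:]].*stylesheet' |
        grep -Eio "[[:space:]](src|href)=[\"${q}]?http://[^\"${q}[:space:]]+" |
        sed "s/^[^=]*=[\"${q}]*//"                    # keep only the URL
}

# page_is_clean FILE: exit status 0 when the page loads nothing over http://,
# so it can be used as a check before publishing.
page_is_clean() {
    [ -z "$(insecure_subresources "$@")" ]
}

# Demo: sh mixed.sh demo
if [ "${1:-}" = "demo" ]; then
    echo "insecure subresources in the sample page:"
    sample_page | insecure_subresources
fi
```
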

 

How to install SSL certificate site seal

An SSL certificate site seal is a small image file you can display on your site that assures visitors that connections are secure. Below we explain how you can install different seals on your site.

 

Sectigo SSL certificates

You can add a Sectigo certificate site seal to your web site in case you bought an SSL certificate from them. Follow the instructions below to do so:

  • Use your web browser to visit https://sectigo.com/trust-seal.
  • Under Step 1, select the type of certificate you purchased from the Select Certificate Type list box.
  • Under Step 2, select the desired image size using the Sectigo Trust Seal radio buttons.
  • Under Step 3, copy the automatically generated HTML using the Copy to Clipboard link, and then paste it into your web site pages.

 

RapidSSL SSL certificates

You can add a RapidSSL certificate site seal to your web site in case you bought an SSL certificate from them. Follow the instructions below to do so:

  • Use your web browser to visit https://knowledge.rapidssl.com/support/ssl-certificate-support/index?page=content&id=SO14424.
  • Under Resolution, follow the step-by-step instructions to install the seal on your site.

 

Symantec SSL certificates

You can add a Symantec certificate site seal to your web site in case you bought an SSL certificate from them. Follow the instructions below to do so:

  • Use your web browser to visit http://www.symantec.com/ssl/seal-agreement/install.jsp.
  • Under Choose Your Seal, select the language, size, display format, and website URL for your seal.
  • Under Create Your Seal Script, click I accept. Create script.
  • Copy the automatically generated HTML, and then paste it into your web site pages.

 

What Is a Server Name Indication?

Server Name Indication (SNI) is an extension to the Transport Layer Security (TLS) protocol that enables servers to use multiple SSL certificates on one IP address. This has the following benefits:

  • As the number of available IPv4 addresses becomes smaller and smaller, the remaining addresses can be allocated more efficiently.
  • In most cases, you can run an SSL-enabled site without having to purchase a dedicated IP address.

 

How to determine OpenSSL version

You may need to verify which OpenSSL version is installed on a server. This is usually done to check whether particular features are available or whether the installed version has a security issue.

To check which OpenSSL version is installed on a Linux server, first log in to your account with SSH, and then type the following command:

openssl version

It is the same command for Windows servers too. If you have a Windows server and you have access to the Windows desktop for your server, use these instructions:

  • Click the Windows Start button and type cmd into the search text box. Press Enter or click on the Command Prompt application to open your Windows command line.
  • Type openssl version and press Enter.

How to secure an unmanaged server with a Let's Encrypt SSL certificate

If you need to install an SSL certificate on an unmanaged server, you can use a Let’s Encrypt SSL certificate.

Let’s Encrypt is designed to encrypt as much World Wide Web traffic as possible. With it, creating and installing an SSL certificate is as simple as possible and can be done within a few minutes.

 

Generating and installing an SSL certificate

On an unmanaged server, you can use the command line to generate and install an SSL certificate. There are a lot of client applications that allow you to do this for Let's Encrypt. However, Let's Encrypt recommends the Certbot client.

Certbot is very easy to use, and it supports a wide range of web servers and operating systems. To get started with Certbot, use your web browser to go to https://certbot.eff.org. Then select your web server and operating system, and follow the customized instructions for your configuration.

 

Let's Encrypt SSL vs. Traditional CA-issued Certificates

Let’s Encrypt is designed to encrypt as much World Wide Web traffic as possible. With it, creating and installing an SSL certificate is as simple as possible and can be done within a few minutes. Although Let’s Encrypt does provide quality encryption, it may not give you some of the benefits that a traditional CA-issued certificate would. Those include:

  • Extended validity: Let's Encrypt SSL certificates are only valid for 90 days and must be renewed each time this period ends. Most traditional SSL certificates are valid for at least one year, with the option of longer validity periods (for example, three years), so they don’t need to be changed as frequently.
  • Warranty: Let's Encrypt certificates do not include a warranty, whereas traditional SSL certificates usually do.
  • Support: Let's Encrypt SSL does not have staff available to assist with creating or installing SSL certificates. This can be an issue for professionals and business owners who must quickly get a site configured and working. For example, GlobalSign has a network of trained personnel who provide support through online ticketing, chat, and telephone.
  • Customer vetting: Let's Encrypt SSL uses basic domain-based vetting (the ACME protocol) to issue SSL certificates. Traditional CA providers use additional vetting procedures to help verify that customers actually are who they claim to be.
  • SSL certificate options: Let's Encrypt SSL only offers domain-validated certificates (DV). If you need the extra security of an extended validation certificate (EV) for your site, you must purchase one from a traditional CA provider. Additionally, Let's Encrypt SSL does not offer wildcard or multi-domain certificates.

 

How to manage HTTP Strict Transport Security (HSTS) for your site

HTTP Strict Transport Security (HSTS) instructs web browsers to use only secure connections (https://) for all future requests when communicating with a web site. Doing so helps prevent SSL protocol attacks, SSL stripping, cookie hijacking, and other attempts to circumvent SSL protection.

 

Managing HSTS on Linux

HSTS is enabled on all Linux-based managed hosting accounts by default. While you don’t need to take any further action to use HSTS with your site, there may be scenarios where you want to disable HSTS for your site, such as during site development or testing. If you need to do this, follow the steps below:

  • Using SSH, the cPanel File Manager, or the Plesk File Manager, navigate to the document root of your site (usually the public_html folder).
  • Use your preferred text editor to open the .htaccess file.
  • Copy the following line, and then paste it into the .htaccess file:
    • Header always unset Strict-Transport-Security
  • Save your changes to the .htaccess file. HSTS is now disabled for your site.

 

Managing HSTS on Windows

Unlike with Linux, HSTS is not enabled on Windows by default. That’s why it will require a longer process.

To enable HSTS for your site, follow these steps:

  • Using the Plesk File Manager, navigate to the document root of your site.
  • Click the web.config file to open it in the file editor.
  • There is a specific location to enter the settings for HSTS, and it is different depending on the existing contents of the web.config file. Please carefully review each of the three scenarios below, and then select the correct one for your situation:
  • If the web.config file is empty, paste the entire code below into the editor and click Apply:

<?xml version="1.0" encoding="UTF-8"?>

<configuration>

    <system.webServer>

        <rewrite>

            <rules>

                <rule name="HTTP to HTTPS redirect" stopProcessing="true">

                    <match url=".*" />

                    <conditions>

                        <add input="{HTTPS}" pattern="off" ignoreCase="true" />

                    </conditions>

                    <action type="Redirect" url="https://{HTTP_HOST}{REQUEST_URI}" redirectType="Permanent" />

                </rule>

            </rules>

            <outboundRules>

                <rule name="Add Strict-Transport-Security when HTTPS" enabled="true">

                    <match serverVariable="RESPONSE_Strict_Transport_Security" pattern=".*" />

                    <conditions>

                        <add input="{HTTPS}" pattern="on" ignoreCase="true" />

                    </conditions>

                    <action type="Rewrite" value="max-age=31536000; includeSubDomains; preload" />

                </rule>

            </outboundRules>

        </rewrite>

    </system.webServer>

</configuration>

  • If the web.config file is not empty, look for the <system.webServer> section. If there is no <system.webServer> section, paste the highlighted red section as shown:

<?xml version="1.0" encoding="UTF-8"?>

<configuration>

    <other items>

    </other items>

    <system.webServer>

        <rewrite>

            <rules>

                <rule name="HTTP to HTTPS redirect" stopProcessing="true">

                    <match url=".*" />

                    <conditions>

                        <add input="{HTTPS}" pattern="off" ignoreCase="true" />

                    </conditions>

                    <action type="Redirect" url="https://{HTTP_HOST}{REQUEST_URI}"

                        redirectType="Permanent" />

                </rule>

            </rules>

            <outboundRules>

                <rule name="Add Strict-Transport-Security when HTTPS" enabled="true">

                    <match serverVariable="RESPONSE_Strict_Transport_Security" pattern=".*" />

                    <conditions>

                        <add input="{HTTPS}" pattern="on" ignoreCase="true" />

                    </conditions>

                    <action type="Rewrite" value="max-age=31536000; includeSubDomains; preload" />

                </rule>

            </outboundRules>

        </rewrite>

    </system.webServer>

</configuration>

  • Finally, if the web.config file is not empty, and there is a <system.webServer> section, paste the highlighted red section as shown:

<?xml version="1.0" encoding="UTF-8"?>

<configuration>

    <other items>

    </other items>

    <system.webServer>

        <other items>

        </other items>

        <rewrite>

            <rules>

                <rule name="HTTP to HTTPS redirect" stopProcessing="true">

                    <match url=".*" />

                    <conditions>

                        <add input="{HTTPS}" pattern="off" ignoreCase="true" />

                    </conditions>

                    <action type="Redirect" url="https://{HTTP_HOST}{REQUEST_URI}"

                        redirectType="Permanent" />

                </rule>

            </rules>

            <outboundRules>

                <rule name="Add Strict-Transport-Security when HTTPS" enabled="true">

                    <match serverVariable="RESPONSE_Strict_Transport_Security" pattern=".*" />

                    <conditions>

                        <add input="{HTTPS}" pattern="on" ignoreCase="true" />

                    </conditions>

                    <action type="Rewrite" value="max-age=31536000; includeSubDomains; preload" />

                </rule>

            </outboundRules>

        </rewrite>

    </system.webServer>

</configuration>
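
To confirm that the redirect rule and the HSTS outbound rule behave as configured, you can inspect the response headers the server returns. The following is an added example, not part of the original article: it classifies a captured plain-HTTP response and a Strict-Transport-Security value such as the one set above. The function names and sample responses are constructed; the preload conditions checked (includeSubDomains and a max-age of at least 31536000 seconds) are the browser preload list's submission requirements.

```sh
#!/bin/sh
# Added example. Function names and sample responses are constructed.

# Constructed header captures, in the form a tool such as `curl -sI` prints.
sample_http_response() {
    printf 'HTTP/1.1 301 Moved Permanently\r\nLocation: https://example.com/\r\n\r\n'
}
sample_https_response() {
    printf 'HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n'
    printf 'strict-transport-security: max-age=31536000; includeSubDomains; preload\r\n\r\n'
}

# header_value NAME: reads raw response headers on stdin and prints the value
# of the first header called NAME (header names are case-insensitive).
header_value() {
    tr -d '\r' | grep -i "^$1:" | head -n 1 | sed 's/^[^:]*:[[:space:]]*//'
}

# redirect_verdict: reads the headers of the plain-HTTP response on stdin.
redirect_verdict() {
    headers=$(tr -d '\r')
    status=$(printf '%s\n' "$headers" | sed -n '1s/^HTTP\/[0-9.]* \([0-9]*\).*/\1/p')
    case $(printf '%s\n' "$headers" | header_value location) in
        https://*) ;;
        *) echo "no-https-redirect"; return ;;
    esac
    if [ "$status" = 301 ]; then echo "permanent-https-redirect"
    else echo "non-permanent-https-redirect"; fi
}

# hsts_verdict VALUE: classifies a Strict-Transport-Security header value.
hsts_verdict() {
    value=$(printf '%s' "$1" | tr 'A-Z' 'a-z' | tr -d ' \t"')
    [ -n "$value" ] || { echo "absent"; return; }
    max_age=""; subdomains=no; preload=no
    old_ifs=$IFS; IFS=';'; set -f          # split on ';' without globbing
    for directive in $value; do
        case $directive in
            max-age=*) max_age=${directive#max-age=} ;;
            includesubdomains) subdomains=yes ;;
            preload) preload=yes ;;
        esac
    done
    set +f; IFS=$old_ifs
    case $max_age in
        ''|*[!0-9]*) echo "invalid"; return ;;   # max-age is mandatory
    esac
    if [ "$max_age" -eq 0 ]; then
        echo "cleared"                           # browser drops its stored policy
    elif [ "$preload" = yes ] &&
         { [ "$subdomains" = no ] || [ "$max_age" -lt 31536000 ]; }; then
        echo "preload-incomplete"
    elif [ "$preload" = yes ]; then
        echo "preload-ready"
    else
        echo "enforced"
    fi
}

# Demo: sh hsts.sh demo
if [ "${1:-}" = "demo" ]; then
    echo "http : $(sample_http_response | redirect_verdict)"
    echo "https: $(hsts_verdict "$(sample_https_response | header_value strict-transport-security)")"
fi
```

A browser that has already stored an HSTS policy keeps enforcing it until max-age runs out, even after the server stops sending the header. The "cleared" case (max-age=0) is the value that tells the browser to drop the stored policy.
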

 

How to Install a Self-Signed SSL Certificate

This process depends on what type of hosting account you have. It can be either cPanel or Plesk.

 

Installing a self-signed SSL certificate through cPanel

The following guide will show you all the steps of installation:

  • Log in to cPanel.
  • In the Security section of the cPanel home screen, click SSL/TLS.
  • Under Private Keys (KEY), click Generate, view, upload, or delete your private keys. The Private Keys page appears.
  • Under Generate a New Private Key, confirm that the Key Size is set to 2,048 bits.
  • In the Description text box, type a descriptive name for the key, such as Self-signed cert key.
  • Click Generate. cPanel generates and displays the private key.
  • Click Return to SSL/TLS.
  • From the SSL/TLS page, under Certificates (CRT), click Generate, view, upload, or delete SSL certificates. The Certificates page appears.
  • Under Generate a New Certificate, in the Key list box, select the description for the private key you generated in step 6.
  • In the Domains text box, type the domain that you want to secure with the self-signed certificate, such as test.example.com.
  • Complete the remaining fields for the certificate.
  • Click Generate. cPanel generates and displays the self-signed certificate.
  • Click Return to SSL/TLS.
  • From the SSL/TLS page, under Install and Manage SSL for your site (HTTPS), click Manage SSL sites. The Manage SSL Hosts page appears.
  • Under Install an SSL Website, click Browse Certificates, select the certificate you generated in step 12, and then click Use Certificate. cPanel fills in the Certificate (CRT) and Private Key (KEY) fields automatically.
  • In the Domain list box, select the domain you want to secure with the certificate.
  • Click Install Certificate. cPanel installs the certificate on the server and enables SSL. When the process is complete, you receive an SSL Host Successfully Installed message.
  • Click OK. You can now securely access the specified domain by using the https:// prefix in a web browser, but you will receive a warning message about the self-signed certificate.

Installing a self-signed SSL certificate through Plesk

The following guide will show you all the steps of installation:

  • Log in to Plesk.
  • In the left sidebar, click Websites & Domains.
  • On the SSL/TLS Certificates page, click Add SSL/TLS Certificate.
  • On the Add SSL/TLS Certificate page, in the Certificate name text box, type a name for the certificate.
  • In the Bits list box, select 4096.
  • In the Country, State or province, Location (city), and Organization name (company) text boxes, type
  • In the Domain name text box, type the domain that you want to secure with the self-signed certificate, such as test.example.com.
  • In the Email text box, type your e-mail address.
  • Click Self-Signed. Plesk generates the self-signed certificate, but you still need to install it.
  • In the left sidebar, click Websites & Domains.
  • Click Hosting Settings.
  • Under Security, confirm the SSL/TLS support checkbox is selected.
  • To permanently redirect all insecure (http://) requests to secure (https://) requests, select the Permanent SEO-safe 301 redirect from HTTP to HTTPS checkbox.
  • In the Certificate list box, select the name of the certificate you specified in step 5.
  • Click OK. You can now securely access the specified domain by using the https:// prefix in a web browser, but you will receive a warning message about the self-signed certificate.

 

Sectigo SSL vs. Traditional CA-issued Certificates

Sectigo makes creating and installing SSL certificates a simple task, just like Let’s Encrypt. It is also free and very easy to use. However, even though Sectigo SSL certificates provide basic SSL encryption, they do not have some of the benefits of certificates issued by established CA (certificate authority) SSL providers, including:

  • Extended validity: Sectigo SSL certificates are only valid for 90 days and must be renewed frequently. By contrast, most traditional SSL certificates are valid for at least one year, with the option of longer validity periods (for example, three years).
  • Warranty: Sectigo certificates do not include a warranty, whereas traditional SSL certificates usually do.
  • Support: Sectigo SSL does not have staff available to assist with creating or installing SSL certificates. This can be an issue for professionals and business owners who must quickly get a site configured and working. For example, GlobalSign has a network of trained personnel who provide support through online ticketing, chat, and telephone.
  • Customer vetting: Sectigo SSL uses basic domain-based vetting (the ACME protocol) to issue SSL certificates. Traditional CA providers use additional vetting procedures to help verify that customers actually are who they claim to be.
  • SSL certificate options: Sectigo SSL only offers domain-validated certificates (DV). If you need the extra security of an extended validation certificate (EV) for your site, you must purchase one from a traditional CA provider.

 

Where Are Sectigo SSL Certificates Banned?

Although Sectigo is trying to reach all the countries in the world, it is banned in some countries.

Unfortunately, citizens from the countries listed below will not be able to obtain any Sectigo SSL certificates due to US Export restriction laws:

  • Afghanistan
  • Cuba
  • Eritrea
  • Guinea
  • Iran
  • Liberia
  • North Korea
  • North Cyprus
  • Sudan
  • Sierra Leone
  • South Sudan
  • Syria

 

Where Are Comodo SSL Certificates Banned?

Although Comodo SSL certificates are very popular and widely used, they are banned in a few countries.

Unfortunately, clients from the countries listed below will not be able to obtain any Sectigo SSL certificates due to US Export restriction laws:

  • Afghanistan
  • Cuba
  • Eritrea
  • Guinea
  • Iran
  • Liberia
  • North Korea
  • North Cyprus
  • Rwanda
  • Sudan
  • Sierra Leone
  • South Sudan
  • Syria
  • Zimbabwe