What is an SSL
SSL (Secure Sockets Layer) is the standard technology for establishing an encrypted connection between a web server (host) and a web browser (client). This connection makes sure that all the data passed between them remains private and integral. SSL is an industry standard and is used by websites to protect their online transactions with their customers. If you have ever visited a website using https:// in the address bar, you were creating a secure connection via SSL.
To be able to create an SSL connection a web server requires an SSL Certificate. When you choose to activate SSL on your web server you will be prompted to complete a number of questions about the identity of your website and your company. Your web server then creates two cryptographic keys - a Private Key and a Public Key.
The Public Key does not need to be secret and is placed into a Certificate Signing Request (CSR) - a data file also containing your details. You should then submit the CSR. During the SSL Certificate application process, the Certification Authority will validate your details and issue an SSL Certificate containing your details and allowing you to use SSL. Your web server will match your issued SSL Certificate to your Private Key. Your web server will then be able to establish an encrypted link between the website and your customer's web browser.
The complexities of the SSL protocol remain invisible to your customers. Instead, their browsers provide them with a key indicator to let them know they are currently protected by an SSL encrypted session: the lock icon in the lower right-hand corner. Clicking on the lock icon displays your SSL Certificate and the details about it. All SSL Certificates are issued to either companies or legally accountable individuals.
Who needs an SSL
Typically an SSL Certificate will contain your domain name, your company name, your address, your city, your state and your country. It will also contain the expiration date of the Certificate and details of the Certification Authority responsible for the issuance of the Certificate. When a browser connects to a secure site it will retrieve the site's SSL Certificate and check that it has not expired, it has been issued by a Certification Authority the browser trusts, and that it is being used by the website for which it has been issued. If it fails on any one of these checks the browser will display a warning to the end user letting them know that the site is not secured by SSL.
- Is my site an e-commerce site that collects credit card information?
For most e-commerce sites, you absolutely need an SSL certificate! As an online merchant, it is your responsibility to make sure the information you collect from your customers is protected. This will shield you and your customers by making sure that no one can intercept and misuse their credit card information.
Your customers are providing you with very important and personal information that allows access to their hard earned money. If an identity thief gets access to your customer’s credit card information because you didn’t take the necessary precautions, it can be devastating to you and to your customer. Your customers need to know that you value their security and privacy and are serious about protecting their information. More and more customers are becoming savvy online shoppers and won’t buy from you if you don’t have an SSL certificate installed.
If you accept credit card information and store it in a database so you can process it using an offline POS machine or charge it manually on your merchant account’s website, then you definitely need an SSL certificate to secure the credit card data as it is transferred. You also need to be very careful with the data when it is stored on your servers.
- Do I use a 3rd party payment processor?
If your e-commerce site forwards your visitors to a 3rd party payment processor (like PayPal) to enter the credit card information then you don’t need an SSL certificate because your website won’t touch the credit card information. Just make sure none of the credit card details get entered when the address bar still shows your domain name. Note that if you accept the credit card information on your site, you need an SSL certificate.
If your users enter a username and password to login to your site without an SSL certificate, an attacker can easily see their username and password in clear text. This would allow someone else to impersonate your visitor, but it allows for a far more dangerous possibility: Because users often use the same password on many sites (including their bank accounts), an attacker can potentially compromise many other accounts. If you let people store a password with you, you must take responsibility for protecting it, even if the security of your own site isn't critical.
It is true that most login forms don’t currently use SSL. This means that most login forms are vulnerable. With the number of cheap SSL certificates available, it is becoming more and more worthwhile to secure login forms. If you want to forego the SSL certificate without having to worry about securing the login information, you can also use OpenID, Facebook Connect, or another technology that lets users log in on another site and return to your site.
- Do I need my own SSL certificate or can I use a shared SSL certificate?
Many hosting providers will include a shared SSL certificate that you can use instead of buying your own. As long as it doesn’t give any errors on your site, this will be great for securing login information or other sensitive information. However, a shared SSL certificate doesn’t provide as much assurance to your visitors because it doesn’t include your organization or website name in it and may display a warning.
In short, if your website is a collection of pictures of your goldfish Rudy with a small blog and doesn’t require visitors to log in, you probably don't need SSL. If you have a login form or send or receive private customer information, then you need SSL. If you run an e-commerce website where people provide you with credit card information directly on your site, you absolutely need SSL.
Procedure For SSL Installation
Begin by Generating a CSR using cPanel
Log in to your cPanel account.
Locate and click on SSL/TLS Manager in Security section.
Click on the Generate, view, upload, or delete your private keys link under Private Keys (KEY) menu.
On the next page, locate the section titled Generate a New Private Key. Select the Key Size value from the dropdown list. (Certificate Authorities require the Key Size to be at least 2048 bits).
Click on Generate.
The next page will show the newly generated Private Key in encoded and decoded format. The private key will be saved to the Private Keys storage in SSL/TLS Manager.
Click on the Return to SSL Manager button.
Generate Certificate Signing Request:
Click on Generate, view, or delete SSL certificate signing requests under Certificate Signing Requests (CSR) menu
On the next page locate the option titled Generate a New Certificate Signing Request (CSR). Select the Private Key, which was generated earlier, from the dropdown list under the Key section. If you select ‘Generate a New 2048 bit key’ a completely new Private Key will be generated.
Enter the following information for the CSR code that will be submitted to a Certificate Authority. Please use only alphanumeric characters when filling in the details.
Domains: Enter the fully qualified domain name on which the SSL will be activated (common name). The common name for all Wildcard certificates should be represented with an asterisk in front of the domain (*.example.com). To create your CSR code for multiple domains, enter each domain on a new line.
City: Provide the complete name of your city or locality. Do not use abbreviations.
State: Provide the complete name of your state or region.
Country: Select your country from the dropdown list.
Company: Provide the officially registered name for your business. For Organization and Extended Validation certificates, Certificate Authorities will be verifying the submitted organization. For Domain Validation SSLs, this field will not be listed on the issued certificate (you can use ‘NA’ for Organization when issuing a Domain Validation certificate, if you do not have an organization registered).
Company Division: Provide the name of a division or department, within the organization, indicated above. For Domain Validation certificates you can enter ‘NA’.
E-mail: Enter your e-mail address. The e-mail used for CSR generation will not be used for domain control validation or for reception of the issued certificate.
Click on the Generate button
The next page will show the newly generated CSR code. You can now use the Encoded Certificate Signing Request to activate the certificate purchased with your SSL provider or any other Certificate provider.
Click on the Return to SSL Manager button.
After the certificate is issued, follow the next steps to install the SSL certificate for your site.
Steps to Install Your SSL Certificate
After the certificate has been issued, and sent to you by the Certificate Authority, you can proceed with deploying the certificate on the server. Follow the steps below to install the SSL for your site.
Log in to your cPanel account
Locate and click on SSL/TLS Manager in the Security section
Click on 'Manage SSL Sites' under the Install and Manage SSL for your website (HTTPS) menu
Copy the certificate code you received from the Certificate Authority including -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- and paste it into the 'Certificate: (CRT)' field on the next page.
Click on the Autofill by Certificate button, which appears next to the certificate entered, and the system will attempt to fetch the domain name and the private key. You may also choose the domain from the drop-down list and manually enter the certificate and private key into the corresponding boxes. If the system fails to fetch the private key, you can locate it in the Private Keys (KEY) section of the SSL/TLS Manager. Please remember to include Begin/End headers and footers for the certificate and the key.
Complete the installation process.
Copy and paste the chain of intermediate certificates (CA Bundle) into the box under Certificate Authority Bundle (CABUNDLE)
If you want to use this certificate for Mail Services (Exim and Dovecot), tick the checkbox ‘Enable SNI for Mail Services’. In this case, you will be able to use your domain, on which SSL certificate has been installed, as a hostname of the mailserver configuring your mail clients to work via secured ports.
Note! This option is available only starting from cPanel 11.48. If you have an older version of cPanel, you cannot use your certificate for mail.
Click on the 'Install Certificate' button
Congratulations! The certificate is now installed on the server for your site. The site should now be accessible via https://. You can check the installation using this tool
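The key and CSR steps above, and the checks a browser makes on the installed certificate (not expired, issued by a trusted CA, used for the right hostname), can be reproduced with the openssl command line. This is an added example, not part of the original article or of cPanel itself. The wildcard name *.example.com, the subject values, the file names and the throwaway test CA that stands in for the Certification Authority are all constructed.

```shell
#!/bin/sh
# Added example. Hostnames, subject values and the throwaway CA are constructed.

make_csr() {            # $1 = scratch dir, $2 = common name
    # cPanel "Generate a New Private Key", Key Size 2048
    openssl genrsa -out "$1/site.key" 2048 2>/dev/null
    chmod 600 "$1/site.key"
    # cPanel "Generate a New Certificate Signing Request (CSR)" form fields
    openssl req -new -key "$1/site.key" -out "$1/site.csr" \
        -subj "/C=US/ST=California/L=Sacramento/O=Example Inc/OU=NA/CN=$2"
}

issue_with_test_ca() {  # stands in for the Certification Authority
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -subj "/CN=Constructed Test CA" \
        -keyout "$1/ca.key" -out "$1/ca.crt" 2>/dev/null
    printf 'subjectAltName=DNS:%s\n' "$2" > "$1/san.ext"
    openssl x509 -req -in "$1/site.csr" -CA "$1/ca.crt" -CAkey "$1/ca.key" \
        -CAcreateserial -days 30 -extfile "$1/san.ext" \
        -out "$1/site.crt" 2>/dev/null
}

check_before_install() { # $1 = scratch dir, $2 = hostname visitors will use
    # The certificate must carry the public half of the stored private key
    crt_pub=$(openssl x509 -in "$1/site.crt" -noout -pubkey | openssl sha256)
    key_pub=$(openssl pkey -in "$1/site.key" -pubout | openssl sha256)
    [ "$crt_pub" = "$key_pub" ] || { echo "key mismatch"; return 1; }
    # Browser check: issued by a CA the client trusts (the CA bundle here)
    openssl verify -CAfile "$1/ca.crt" "$1/site.crt" >/dev/null 2>&1 ||
        { echo "untrusted issuer"; return 1; }
    # Browser check: not expired (and not expiring within 7 days)
    openssl x509 -in "$1/site.crt" -noout -checkend 604800 >/dev/null ||
        { echo "expiring"; return 1; }
    # Browser check: used by the website it was issued for
    openssl x509 -in "$1/site.crt" -noout -checkhost "$2" |
        grep -q "does match" || { echo "hostname mismatch"; return 1; }
    echo "ok"
}

work=$(mktemp -d)
make_csr "$work" '*.example.com'
issue_with_test_ca "$work" '*.example.com'
check_before_install "$work" shop.example.com        # ok
check_before_install "$work" example.com || true     # hostname mismatch
```

A wildcard certificate covers exactly one label, so the bare domain fails the hostname check; with a real certificate, point -CAfile at the CA bundle supplied by the issuer.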
Why use an SSL
- SSL Encrypts Sensitive Information
The primary reason why SSL is used is to keep sensitive information sent across the Internet encrypted so that only the intended recipient can understand it. This is important because the information you send on the Internet is passed from computer to computer to get to the destination server. Any computer in between you and the server can see, for instance, your credit card numbers, usernames and passwords, and other sensitive information if it is not encrypted with an SSL certificate. When an SSL certificate is used, the information becomes unreadable to everyone except for the server you are sending the information to. This protects it from hackers and identity theft.
- SSL Provides Authentication
In addition to encryption, a proper SSL certificate also provides authentication. This means you can be sure that you are sending information to the right server and not to an imposter trying to steal your information. Why is this important? The nature of the Internet means that your customers will often be sending information through several computers. Any of these computers could pretend to be your website and trick your users into sending them personal information. It is only possible to avoid this by using a proper Public Key Infrastructure (PKI), and getting an SSL Certificate from a trusted SSL provider.
Trusted SSL providers will only issue an SSL certificate to a verified company that has gone through several identity checks. Certain types of SSL certificates, like EV SSL Certificates, require more validation than others.
Web browsers give visual cues, such as a lock icon or a green bar, to make sure visitors know when their connection is secured. This means that they will trust your website more when they see these cues and will be more likely to buy from you. SSL providers will also give you a trust seal that instills more trust in your customers.
HTTPS also protects against phishing attacks. A phishing email is an email sent by a criminal who tries to impersonate your website. The email usually includes a link to their own website or uses a man-in-the-middle attack to use your own domain name. Because it is very difficult for these criminals to receive a proper SSL certificate, they won’t be able to perfectly impersonate your site. This means that your users will be far less likely to fall for a phishing attack because they will be looking for the trust indicators in their browser, such as a green address bar, and they won’t see it.
- SSL is required for PCI Compliance
In order to accept credit card information on your website, you must pass certain audits that show that you are complying with the Payment Card Industry (PCI) standards. One of the requirements is properly using an SSL Certificate.