SSL Certificates #
Posted 04th October, 2018
SSL certificates (the protocol is now called TLS, but the name has stuck) let a browser confirm which site it is talking to and then set up an encrypted connection to it. They are a fundamental requirement for any website that transmits or receives sensitive data such as client details, passwords or payment information.
At Fixed.net we can install SSL certificates on any website – either from certificates provided by you, or sourced by ourselves.
Once a rare occurrence, SSL certificates are now required for content embedded in Facebook, Google has treated HTTPS as a ranking signal since 2014, and Chrome labels plain http:// pages as "Not secure".
Some certificates now come free of charge, either bundled with hosting, or from third parties such as Cloudflare or Let's Encrypt.
When a site has an SSL certificate, you can access it using https:// as well as http://.
Ownership Verification #
As well as securing the connection, a certificate ties the site to someone who has demonstrated control of the domain: every applicant has to prove at least domain control, and for some certificate categories (see below) their business details as well.
Browsers ship with a trust store of root certificate authorities (CAs). A root can delegate to intermediate CAs, which in turn sign the certificates issued to websites; a browser trusts a site's certificate if it can follow this chain of signatures back to a root in its store.
How an SSL works #
Constituent Parts #
For almost every certificate you will handle, there are four parts:
- CSR (Certificate Signing Request). Generated on your server together with the key. It contains the public half of the key pair and the names the certificate should cover, and it is what you send to the certificate company.
- Key. The private key, generated at the same time as the CSR. Keep it on the server and never send it to anyone, including the certificate issuer.
- Certificate (CRT). Issued by the certificate authority from your CSR; it binds your public key to your domain name(s) and carries the CA's signature.
- Certificate Bundle (CA Bundle). The intermediate certificate(s) that link your certificate to a root the browser already trusts. A missing bundle is the most common cause of "untrusted certificate" errors on devices that have not cached the intermediate.
The CRT, CA bundle and key are installed on the web server to put the certificate live. The CSR is not needed once the certificate has been issued.
Certificate Usage #
The handshake then works like this:
- The user's browser connects to the site over https:// and asks for the page.
- The server returns its certificate together with the CA bundle.
- The browser checks that the chain leads to a root in its trust store, that the certificate covers the hostname it asked for, and that it has not expired or been revoked.
- The two sides agree a fresh session key. The server proves that it holds the private key matching the certificate, by signing part of the handshake (or, in the older RSA key exchange, by decrypting a secret the browser encrypted with the certificate's public key). The user does not need a certificate or key of their own.
- Every request and response that follows is encrypted with that session key; the certificate's key is not used to encrypt the page data itself.
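The four parts and the chain check above, as an added example that is not part of the Fixed.net article: this script uses the openssl command line to play both the site owner (key and CSR) and a stand-in certificate authority (root plus intermediate), then verifies the issued certificate the way a browser would, with and without the CA bundle. The names (example.test, "Example Root CA") and the two-level CA are invented for the demonstration; with a real CA the root is already in the browser's trust store.

```shell
#!/bin/sh
# Added example (not from the Fixed.net article): build a toy PKI with the
# openssl CLI so the four parts can be seen as files, then check the chain the
# way a browser does. Requires openssl 1.1.1 or newer. All names are made up.
set -eu
WORK=$(mktemp -d)
cd "$WORK"

# 1. Site owner generates the private key and the CSR together.
#    The CSR carries the public key and the requested names; the key stays here.
openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out site.key 2>/dev/null
openssl req -new -key site.key -subj "/CN=www.example.test" \
  -addext "subjectAltName=DNS:www.example.test,DNS:example.test" -out site.csr

# 2. Stand-in certificate authority: a root (what browsers ship) and an
#    intermediate (what the CA actually signs site certificates with).
openssl req -x509 -newkey rsa:2048 -nodes -keyout root.key -days 3650 \
  -subj "/CN=Example Root CA" -out root.crt 2>/dev/null
openssl req -new -newkey rsa:2048 -nodes -keyout inter.key \
  -subj "/CN=Example Intermediate CA" -out inter.csr 2>/dev/null
printf 'basicConstraints=critical,CA:TRUE,pathlen:0\nkeyUsage=critical,keyCertSign,cRLSign\n' > inter.ext
openssl x509 -req -in inter.csr -CA root.crt -CAkey root.key -CAcreateserial \
  -days 1825 -extfile inter.ext -out inter.crt 2>/dev/null

# 3. The CA signs the site's CSR with the intermediate key. The names are set
#    from an extension file here; the CA never sees the private key.
printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:www.example.test,DNS:example.test\n' > site.ext
openssl x509 -req -in site.csr -CA inter.crt -CAkey inter.key -CAcreateserial \
  -days 365 -extfile site.ext -out site.crt 2>/dev/null

# 4. What gets installed on the web server: site.crt, site.key and the CA
#    bundle, i.e. the intermediate(s) between the site certificate and the root.
cp inter.crt ca-bundle.crt

# Check 1: does the private key match the certificate? Compare public keys.
key_matches_cert() {
  k=$(openssl pkey -in site.key -pubout -outform DER | openssl sha256)
  c=$(openssl x509 -in site.crt -noout -pubkey | openssl pkey -pubin -outform DER | openssl sha256)
  [ "$k" = "$c" ] && echo MATCH || echo MISMATCH
}

# Check 2: does the chain validate against a trust store holding only the root?
# $1 = bundle the server sends alongside its certificate ("" = no bundle sent).
verify_chain() {
  if [ -n "${1:-}" ]; then
    openssl verify -CAfile root.crt -untrusted "$1" site.crt >/dev/null 2>&1 && echo OK || echo FAIL
  else
    openssl verify -CAfile root.crt site.crt >/dev/null 2>&1 && echo OK || echo FAIL
  fi
}

echo "key matches cert:     $(key_matches_cert)"
echo "chain with bundle:    $(verify_chain ca-bundle.crt)"
echo "chain without bundle: $(verify_chain "")"
```

The last line is the failure hosting providers see most often: the certificate itself is perfectly valid, but without the intermediate the browser cannot connect it to a root it trusts and reports "unable to get local issuer certificate". The key/certificate comparison is the check to run when a provider's control panel complains that the key does not match the certificate, which usually means the CSR was regenerated after it was submitted.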
Ordering an SSL certificate #
An SSL certificate can be ordered from any SSL provider. There are four categories of SSL:
- Self-Signed. Certificates issued and signed by the site owner themselves. They still encrypt the connection, but they are not chained to any trusted root, so browsers show a warning; they are only suitable for testing or internal use.
- DV (Domain Validated). The most basic of certificates, obtained simply by proving that you control the domain name. This is usually done by clicking a link in an email sent to an address at that domain (such as admin@ or webmaster@), by publishing a DNS record the CA specifies (a CNAME or TXT record), or by placing a file the CA specifies at a given URL on the site.
- OV (Organisation Validated). In addition to domain control, the CA checks that the organisation named in the certificate legally exists, and the organisation's name appears in the certificate details.
- EV (Extended Validation). A stricter version of OV with a standardised vetting process, historically shown by browsers with the company name next to the padlock.
Certificates can cover a single name, such as blog.domain.com or just domain.com, or several names at once (each listed as a Subject Alternative Name). Alternatively they can be wildcard certificates for *.domain.com, which cover any single label under the domain such as anything.domain.com, but not domain.com itself unless that name is also listed, and not deeper names such as a.b.domain.com.
When ordering, you will usually be asked for a CSR, which you generate on the web server together with its key. Only the CSR is sent to the provider; the key stays on your server.
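What a wildcard entry actually covers, checked with openssl's own hostname matching. This is an added example, not part of the original article: it issues a throwaway self-signed certificate whose only name is *.example.test (an invented domain) and asks openssl whether various hostnames are covered, and whether the certificate would be trusted without being added to the trust store.

```shell
#!/bin/sh
# Added example (not from the article): what a wildcard entry covers, checked
# with openssl's hostname matching against a self-signed test certificate.
# Requires openssl 1.1.1 or newer. The domain example.test is made up.
set -eu
WORK=$(mktemp -d)
cd "$WORK"

# Self-signed certificate whose only Subject Alternative Name is the wildcard.
openssl req -x509 -newkey rsa:2048 -nodes -keyout wild.key -days 30 \
  -subj "/CN=*.example.test" -addext "subjectAltName=DNS:*.example.test" \
  -out wild.crt 2>/dev/null

# Does the certificate cover hostname $1? The certificate is trusted explicitly
# as its own root so that only the name check can fail. Prints OK or FAIL.
covers() {
  openssl verify -CAfile wild.crt -verify_hostname "$1" wild.crt >/dev/null 2>&1 && echo OK || echo FAIL
}

# Would a client using only the system trust store accept it at all?
trusted_by_default() {
  openssl verify wild.crt >/dev/null 2>&1 && echo OK || echo FAIL
}

echo "blog.example.test:  $(covers blog.example.test)"   # one label under the wildcard
echo "example.test:       $(covers example.test)"        # bare domain is not covered
echo "a.b.example.test:   $(covers a.b.example.test)"    # wildcard matches a single label only
echo "trusted by default: $(trusted_by_default)"         # self-signed, no trusted root
```

If the bare domain must work too, make sure the order includes domain.com as an additional name (most wildcard products do, but check the issued certificate with `openssl x509 -in site.crt -noout -text` rather than assuming).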
Installing an SSL certificate #
Installation of an SSL certificate varies from provider to provider. With some it is as simple as pasting in the certificate, key and CA bundle; others have automatic tools that install the certificate in one click. Once installed, your website should load from https://yourwebsite without a security certificate or "connection is not private" warning.
Once installed, your site may load instantly and correctly using https://, but it may also show errors, most often mixed-content warnings where pages still reference images or scripts by http:// URLs. You will also want to force visitors onto your https:// link (see below), and in many cases you will need to change the configured site URL in your software so that it uses https://.
For example, in WordPress you should change the WordPress Address and Site Address under Settings -> General, or edit the siteurl and home rows in the options table of the database. This does not rewrite fully qualified http:// paths stored in content, especially inside serialised arrays, and a naive text find-and-replace will corrupt those because the stored string lengths no longer match, so use a serialisation-aware tool such as WP-CLI's search-replace command for a full find and replace.
Preventing Duplicate Content #
If your site loads from both https:// and http://, requests to http:// should be forced over to https://. This stops users accidentally visiting an insecure page, and stops search engines treating the two versions as duplicate content.
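One way to do this on Apache, as an added example that is not from the article: an .htaccess fragment (mod_rewrite must be enabled) that sends every http:// request to the same path on https://. The X-Forwarded-Proto condition is an assumption about a common setup, a proxy such as Cloudflare terminating TLS in front of the server; without it, such a setup would redirect forever because the origin only ever sees plain http.

```apache
# Added example, not from the Fixed.net article: force http:// to https://.
RewriteEngine On
# Rewrite only when the request did not arrive over TLS, and (behind a TLS-terminating
# proxy) only when the forwarded scheme is not already https, to avoid a redirect loop.
RewriteCond %{HTTPS} !=on
RewriteCond %{HTTP:X-Forwarded-Proto} !https
RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
```

Use a permanent (301) redirect so search engines consolidate the two versions, and change the site URL in your software (the WordPress setting above) before enabling the rule, otherwise the application may redirect back to http:// and loop. Check the result with `curl -I http://yourwebsite/` and confirm a single 301 to the https:// address.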