I work for advertising seo company. They have dedicated server and want also use SSL for the clients. They asked me to find the best option regarding that, I need help from you guys. I suppose some of you are more experienced in this.
Should they buy certificates separately for each client?
Create self signed certificate (Is there any way avoid security warnings).
Use wild card or multiple domain SSL
Other option (please suggest)
Thanks
I would recommand using LetsEncrypt.
It is free, you can do wildcard, automatic renewal every 3 month, documentation, etc.
I'm a big fan of it.
You can also use your registrar, sometimes they also sell certificates for the domain they sell. Like Gandi for example, you got 1 year free certificate with a domain, and they guide you all along on how to install it.
Related
I can set them up one-by-one with self-signed certs, but it's not practical for how many subdomains I'm working with.
Is there an easier way to do this?
Easiest is to use a wildcard certificate signed by a recognized authority. That also makes the certificates valid and validatable which is not the case for self signed certificates.
A wildcard certificate costs a fee for the signing service. Some 20 Euros a year currently. And you obviously have to go through a verification process, typically per telephone. The Let's Encrypt certificates are great, but they do not offer wildcard certificates. You certainly can automate the creation of their certificates by scripting, though, if you are willing to invest effort into that.
I personally used startssl in the past. Their portal is a bit difficult to use, but things work, and I failed to find anything comparable if it comes to prices. You need their "level 2" for a wildcard certificate, the free certificates are always for a single host name only. Each wildcard certificate will cost extra, obviously, but similar obviously you can use a single wildcard certificate with all host names within a given domain name which is what you are looking for I think.
I wasn't able to find enough information about this cool feature and I'm hoping someone help me out.
According to cPanel documentation, AutoSSL (by Comodo) issues maximum 200 certificates per domain / virtual host :
https://documentation.cpanel.net/display/ALD/Manage+AutoSSL
What does it mean exactly? If I have 300 domains on WHM, cPanel only issues certificates for maximum 200 of them?
Yes, it's cool to have free certificates but honestly the most attractive part of this deal is "auto SSL installation". If this feature is still too experimental, what do you suggest for auto implementing DV SSLs that overcomes the validation steps?
In short,
This means that "each" hosting account can generate a maximum of 200 certificates.
Taking into consideration that each account has its own virtual host.
To begin with, I already posted the same question in serverfault.com and received no help, so I'm repeating it here out of desperation.
Recently PayPal is requiring servers to support SHA-256. Here's an article referring to this issue:
https://www.paypal-knowledge.com/infocenter/index?page=content&id=FAQ1766&expand=true&locale=en_US
At the top of the article, it states,
Update your integration to support certificates using the SHA-256 algorithm. PayPal is upgrading SSL certificates on all Live and Sandbox endpoints from SHA-1 to the stronger and more robust SHA-256 algorithm.
We have a dedicated CentOS server with numerous sites, mostly WordPress. Quite a few use PayPal IPN but do not have dedicated IPs or SSL Certificates. What needs to be changed to the server so these sites will support SHA-256? Our server is situated with Limestone Networks so I've created a ticket and asked repeatedly for assistance to no avail. They keep repeating SSL's need to be updated on the server. Would that be a wildcase SSL certificate in the usage case I described? Any assistance would be greatly appreciated.
Based on your comments, it sounds like this is nothing to do with SHA256, but a simple CN mismatch. A certificate is only good for the names listed in it. You could try adding a subjectAltName for each of the required hosts, or a wildcard certificate for *.example.com (though I wouldn't trust one of those for my server.)
I have a task which can be implemented via CERT records in DNS. (There is also an alternative method, but anyway)
I've been looking for DNS services that support CERT records but it appears that no one, including GoDaddy, supports it.
My questions are:
Is it deprecated?
If it isn't why commercial systems don't support it?
Is there any system that support it? If yes, can you share the link?
EDIT
My search for the state of CERT records didn't give any results
Looks like DynDNS supports CERT - http://dyn.com/
I'm not quite sure if this question applies to this forum but if it does maybe someone knows if it is possible using Open SSL to create a SSL sertificate that browsers wouldn't throw warning messadges that our created SSL sertificate is untrusted?
Technically it is possible if you have CA's private key to sign the newly created certificate. As you probably don't have a key, the answer is probably no. Just go ahead and purchase a certificate from one of CAs. If you do minimal research, you will find that some CAs offer very affordable prices.
This is probably better handled on server fault, but I will tell you that NO you cannot do this. The reason browsers don't like your certificate is that you are not a recognized certificate authority. As such, a browser will always warn about your certificate being untrustworthy, since the browser does not know who you are, or why anyone should trust you.
EDIT: As Alex K points out, you can install your certificate on machines you know will access your site, which works reasonably well for scenarios where the site will only be accessed by a limited number of known users/machines. My point still stands regarding wider distribution. Thanks, Alex.