Dedicated server SSL certificates, updating and installing? - ssl

We have a website on a dedicated server with iweb.com. Our SSL certificate is purchased through GoDaddy and expiring soon, so it’s time to get it updated. Iweb has a general article on how to install SSL certificates (https://kb.iweb.com/entries/21117106-Installing-SSL-certificates) but it’s not detailed so there are still some questions about that.
GENERATING A CSR AND INSTALLING A SSL CERTIFICATE:
“In order to get a SSL certificate, you need to create a Certificate Signing Request (CSR) and send it to the Certificate Authority.”
- Does it mean I can create a certificate myself for free, and don’t have to purchase it through GoDaddy or any other service? If yes, what is the difference? And if I already have a certificate, should I skip the certificate generating step and start with the installation?
FOLLOW THIS PROCEDURE TO INSTALL THE SSL CERTIFICATE:
Under the installation steps it asks to enter the domain name for which the SSL certificate was created, will it include the ftp, email, cpanel servers as well?
And lastly, what’s going to happen with my old certificate, will it be deleted or I have to remove it manually?
Thank you!

Does it mean I can create a certificate myself for free, and don’t have to purchase it through godaddy or any other service?
Well, you can get a self-signed one for free. But if people are visiting your website, there will be a HUGE alert in their browser, which will try to stop them from browsing.
And the Certificate Signing Request is not actually a cert! (Well, it does contain your public key and some other information.)
The difference between a self-signed and a public-CA-signed one is just like your school ID and your passport: the school ID is only valid in a small community, and the passport is recognized by the general public as a personal ID.
See: How to create a self-signed cert in Ubuntu with Apache Using OpenSSL
If you think the price for GoDaddy is too high, you may try something cheaper like PositiveSSL or RapidSSL, which is only around 10 USD/year/domain.
And there is also a free one: StartSSL
Under the installation steps it asks to enter the domain name for which the SSL certificate was created, will it include the ftp, email, cpanel servers as well?
No, just the web server you wish the general public to be able to visit.
If there is a web interface for the email (like Gmail) or cPanel, you may have to create an SSL certificate for them as well.
And lastly, what’s going to happen with my old certificate, will it be deleted or I have to remove it manually?
You should update it. If you haven't renewed and updated it, the browser will try to block your visitors with a HUGE alert again after the expiration date.
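The renewal steps discussed in this thread, as an added example that is not part of the original posts: it shows that a CSR is not a certificate, checks how close the installed certificate is to expiry, and confirms the new certificate belongs to the existing private key before it replaces the old one. File names and `www.example.test` are constructed, and a self-signed certificate stands in for the CA's reply.

```shell
#!/bin/sh
# Added example: every key, name and certificate here is constructed in a temp dir.
set -eu
W=$(mktemp -d); trap 'rm -rf "$W"' EXIT
printf '[req]\ndistinguished_name=dn\nprompt=no\n[dn]\nCN=www.example.test\n' > "$W/req.cnf"

# Stand-in for the installed certificate that is about to expire (10 days left)
openssl req -x509 -newkey rsa:2048 -nodes -config "$W/req.cnf" -days 10 \
    -keyout "$W/site.key" -out "$W/old.pem" 2>/dev/null

# Renewal step 1: a new CSR made from the existing private key
openssl req -new -key "$W/site.key" -config "$W/req.cnf" -out "$W/new.csr"

# Stand-in for the CA's reply (self-signed here; a real CA signs with its own key)
openssl x509 -req -in "$W/new.csr" -signkey "$W/site.key" -days 365 \
    -out "$W/new.pem" 2>/dev/null

# expires_within CERT DAYS: true when CERT's notAfter falls inside the next DAYS days
expires_within() {
    ! openssl x509 -in "$1" -noout -checkend $(($2 * 86400)) >/dev/null
}

# is_certificate FILE: true only if FILE parses as an X.509 certificate
is_certificate() {
    openssl x509 -in "$1" -noout >/dev/null 2>&1
}

# pubkey_of KIND FILE: digest of the public key held in a key, CSR or certificate
pubkey_of() {
    case $1 in
        key)  openssl pkey -in "$2" -pubout ;;
        csr)  openssl req  -in "$2" -noout -pubkey ;;
        cert) openssl x509 -in "$2" -noout -pubkey ;;
    esac | openssl dgst -sha256
}

expires_within "$W/old.pem" 30 && echo "old.pem: renew now"
is_certificate "$W/new.csr"    || echo "new.csr: a request, not a certificate"
[ "$(pubkey_of cert "$W/new.pem")" = "$(pubkey_of key "$W/site.key")" ] \
    && echo "new.pem matches site.key: safe to install over old.pem"
```
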

Related

Binding SSL certificate to a new site, changes other's certificate

I just created a new SSL certificate with GoDaddy. I imported this certificate into IIS 8.0.
Then I checked all existing sites and their SSL certificate. Everyone has its own certificate. So far, so good.
Now I want to add the new imported certificate to a new site. But every time I do this, an "error" comes and says that there is an existing site that uses the same certificate. But before that I checked all sites and I haven't seen the same certificate.
If I click on "do it anyway" it changes the certificate of another site to the new certificate that I just imported. So as a result two sites are using the same certificate now.
How can that happen? Is there a possibility that these two sites have a kind of a connection? Did I do something wrong with the import?
I absolutely have no idea.
Thank you.
PS: Even if I apply for a new certificate, I still get the same result.
PS: Could it be because of two different SSL distributors? One is Symantec and the other one is GoDaddy.
PS: This is the first GoDaddy certificate that I try to install after the Symantec one.
You might be using the same IP and port for all the URLs configured on IIS 8. If that's the case, then you have to mention the exact URL in the Hostname section when you bind the certificate as per image below.
Also make sure you put a tick mark to REQUIRE SERVER NAME INDICATION and then select the correct certificate from the dropdown in the SSL Certificate section.

Create my own intermediate certification authority from commonly trusted certificate

I have a simple question (maybe stupid) and I didn't find any clear answer to it. If I get a certificate from a trusted signing company (like Verisign...) for one of my servers (web for instance), I'll have private and public keys. With this certificate can I set up my own intermediate CA, sign cert requests and then be trusted by everyone (I know that shouldn't be...)? My real question is: what will prevent me from issuing certificates, and how can the company guarantee that nobody does?
Thanking in advance!
The certificate issued for your web site is suitable for SSL/TLS and is not suitable for issuing other certificates (Key Usage field is different). Consequently while you technically can generate another certificate using yours as a CA, such generated certificate won't be trusted by properly implemented and configured validators (those that check Key Usage).
You are not paying Verisign or another certificate organisation for the certificate publishing but for the certificate validation. This means that they have web services that respond if your certificate is valid or not, if it is still active and not expired, and your contact information as requested.
Unfortunately this is something you have to live with, and pay them if you really need SSL over your site.
I have used a homemade certificate for my LAN server, and when I visit this https site a big red warning notifies me that this site is malicious and does not have a valid certificate. This doesn't bother me, but I am sure that all of my clients would have freaked out if they saw such a bold warning popping up in their browser.
What can you do? It's a companies' world.
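The Key Usage point from the first answer in this thread, as an added example that is not part of the original posts: a lab root CA issues a server certificate marked CA:FALSE, that certificate's key then signs a second certificate, and `openssl verify` accepts the first and rejects the second. All file names, subject names and the `lab.cnf` sections are constructed for the lab; it assumes the `openssl` CLI, version 1.1.1 or later.

```shell
#!/bin/sh
# Added example: every name, key and certificate is constructed in a temp dir.
set -eu
LAB=$(mktemp -d); trap 'rm -rf "$LAB"' EXIT
cat > "$LAB/lab.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = unused
[ca_ext]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
[leaf_ext]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
EOF

# new_csr NAME CN: fresh RSA key plus a CSR holding the public key and subject
new_csr() {
    openssl req -new -newkey rsa:2048 -nodes -config "$LAB/lab.cnf" \
        -subj "/CN=$2" -keyout "$LAB/$1.key" -out "$LAB/$1.csr" 2>/dev/null
}

# issue NAME SIGNER: SIGNER's key signs NAME's CSR as a server (non-CA) certificate
issue() {
    openssl x509 -req -in "$LAB/$1.csr" -CA "$LAB/$2.pem" -CAkey "$LAB/$2.key" \
        -CAcreateserial -days 30 -extfile "$LAB/lab.cnf" -extensions leaf_ext \
        -out "$LAB/$1.pem" 2>/dev/null
}

# chain_ok NAME [INTERMEDIATE]: true only if NAME chains to the lab root
chain_ok() {
    if [ $# -eq 2 ]; then
        openssl verify -CAfile "$LAB/root.pem" -untrusted "$LAB/$2.pem" "$LAB/$1.pem"
    else
        openssl verify -CAfile "$LAB/root.pem" "$LAB/$1.pem"
    fi >/dev/null 2>&1
}

# Stand-in for the public CA: self-signed, CA:TRUE, allowed to sign certificates
openssl req -x509 -newkey rsa:2048 -nodes -config "$LAB/lab.cnf" -extensions ca_ext \
    -subj "/CN=Lab Root CA" -days 30 -keyout "$LAB/root.key" -out "$LAB/root.pem" 2>/dev/null

new_csr site www.example.test;    issue site root   # the certificate you buy
new_csr other other.example.test; issue other site  # site key misused as a CA
chain_ok site       && echo "site : chains to the root"
chain_ok other site || echo "other: rejected, issuer is not marked as a CA"
```

The signature on `other.pem` is mathematically valid; what stops it is the validator checking Basic Constraints and Key Usage on the issuing certificate.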

Does enabling SSL require more than just turning it on?

I run an nginx-powered application and I recently turned my attention to using it over https. This is the module in nginx that does this: http://wiki.nginx.org/HttpSslModule
However, I'm somewhat unclear about what is actually required to run a site over https.
What else is there to do to serve my site over ssl? What is the role of the certificate, and is it a requirement that I purchase it from somewhere?
You need a certificate to prove to your user that the server they're connected to is indeed the one intended (and not a MITM attacker).
If your server is to be used by a limited number of users to whom you could give a certificate explicitly, you could use a self-signed certificate or create your own certification authority (CA).
Otherwise, if you want your certificate to be recognised by most browsers, you'll need to get one from a commercial CA.
You should find more details in this answer. You may also be interested in this.

SSL certificate config and testing

I need to implement an SSL certificate for a website. I've got three questions after some research.
1) I believe I need to buy an SSL certificate and ask my host to install it. My question is: do you need to alter any code for the website for the certificate?
2) Before I buy the certificate, the website is going to be built for a couple of months at least. I'm just wondering, is there a developing SSL certificate I can use for the developing environment?
3) Or do I have to use a self assigned certificate? If so, are there any good tutorials on how to create an SSL self assigned certificate on a local machine (wamp) and a developing url site?
Thank you very much.
Sam :)
1) No, you do not need to alter any code on your website at all in order to use an installed SSL certificate. It is as simple as prefixing your desired destination link with the HTTPS: protocol specification instead of the typical HTTP: protocol. However, if you want to determine if your site visitor is using an encrypted page before they do something, such as submit a web form with potentially sensitive data, then depending on what you are developing your site in, you will need to detect if the current page request has been sent over HTTP or HTTPS, then if it is an HTTP requested page, you probably want to redirect the page request to the HTTPS version before proceeding.
2) Other than creating your own "self signed" certificate (more on this in #3), no, your only option for a publicly valid SSL certificate is to obtain one from a publicly recognized Certificate Authority (CA). Long story short, a certificate of the same key length using the same encryption standard supported by your server and visitor's web browser is no stronger or weaker regardless of vendor for purposes of encryption. So you can simply shop by price for your SSL certs. I have no affiliation with GoDaddy, but have been using them for years for public SSL certificates.
3) You certainly can create your own self signed certificate. The methods for doing this vary based on your host server and version. The limitation of a self signed certificate is that if you go to share this with anyone, you get that warning message from your browser that the certificate is not published from a verifiable source. In most current browsers, it looks like a big scary message that something is wrong and they attempt to warn your user away from doing this. However, of course, there is certainly nothing wrong with using a self signed certificate. This is obviously true for your own development uses. Even a self signed certificate of the same key length and encryption method is as cryptographically secure as a commercially provided certificate. If you want to use a self signed certificate, just search for instructions for doing that for your server OS and version for details. Once it is installed, you will get the warning from your browser when you try to browse to a page over HTTPS. Your browser should show you an option to permanently remember and accept your self signed certificate, after which you will no longer see that warning while that certificate remains installed and valid.

asp.net: how to use ssl certificate

I created an SSL certificate using IIS 5.1 and generated a file certreq.txt. Now what is the next step to use this file? I am a developer and working on a site that is hosted on my local machine. Is it necessary to get a license from any CA?
Please guide me ASAP.
You can create a self-signed cert, but that will not be very elegant for end users if this is a public website as there is the prompt about cert validity. Otherwise, yes you need to obtain a cert from a CA. I find the best is Verisign, although DEFINITELY not the cheapest. Others are Godaddy, CheapDomain, and pretty much any registrar can help with it.
The link is for 5.1, but you can find tutorials on all versions. For testing I would go the self signed route.
The certificate generated from IIS is a self-signed certificate, which can be used to test your website. However, if you run a public website from a self-signed certificate, every user will get a warning that the site is not safe. You will eventually need to get a license from a CA when you are ready to publish your site. Your domain host should provide an SSL certificate service, for something like $50-150/yr.
You can either self sign the certificate or send it to the CA to avoid the do-not-trust this site prompt. SSLTools Manager is a nifty app that can send your csr to a CA. Not sure about the self-signing feature though.