Installing a SSL Cert

**mixx941** · 01-29-2004 08:28 PM

Hello everyone....

I have a user who wants me to make a CSR and then install their cert.

I've heard that I need to get the account on a dedicated IP address, and change it to an "ip based" account for the cert to work.

I know how to change the site's IP to a dedicated one....but not the rest.

I'm wondering how I can do all this correctly with no downtime for the user.

Also, if there's anything else I need to do for a cheap SSL to work, please let me know. I believe they will be ordering from Freessl....

Thanks in advance.

**osfdeath** · 01-30-2004 12:46 AM

I'm no expert but I found this post while attempting to learn how to clean up all my extra crt/keys on my server

I searched for clean+SSL

http://forums.cpanel.net/showthread....ight=clean+ssl

It's what I used to install my certificate and it worked great for me

I bought a FreeSSL cert myself - was very pleased at how quick it was to get (but I was buying it for a domain I own - sounds like you'll be buying it on their behalf)

I'd suggest one of two things for you:
1. Let them buy it and send you the information or
2. have them list you as their tech contact for their domain in order that you can purchase it (all SSL sellers check to ensure you are authorized to purchase the SSL certificate on behalf of the domain it's being purchased for)

One word of caution here - once you've generated the signing request in WHM - STOP - Don't do anything else until you have the certificate to install! I ended up with 40 crt and key combos and couldn't remember which one was which
(When you Generate an SSL certificate and signing request in WHM, it sets up the KEY that matches the CERTIFICATE REQUEST you give to the seller of the certificate - that KEY will only work with that certificate - learned the hard way)

Hope all this helps and doesn't just confuse you...

**cortices** · 01-30-2004 12:50 AM

Well, basically you are right. The site must be on a dedicated IP. There's no easy way to avoid the downtime, but it should be pretty minimal. You'll just have to wait for other DNS servers' cache to expire before the updated IP is available.

Other than that, you just have to generate the CSR, then the customer can submit it to the SSL provider and purchase the certificate. You will generally have to approve the SSL certificate before it is issued. After that, just install it with WHM and that should be it.

**mixx941** · 01-30-2004 09:31 AM

Thanks for your replies. Just a few questions based on your replies:

1) Does the option in WHM "Change A Site's IP Address" make it a "dedicated" ip address, or is there something else I need to do?

2) I should change the IP address before I generate the CSR correct?

3) They will be purchasing it themselves, so how would I "Confirm" it?

4) When you say "STOP - DONT DO ANYTHING ELSE" you mean related to SSL certs, or ANY other WHM functions?

Thanks

**osfdeath** · 01-30-2004 10:09 AM

1. You will have to assign them a free IP. In WHM goto Add DNS Zone and enter the IP and the domain they are going to secure (Note: if their domain is domain.com and they want to secure sercure.domain.com - that's what you have to enter)
It will take a little time for it to propogate through but once it does, you should be able to get to it by http://secure.domain.com or http://domain.com/secure
Once the certificate is installed, using https://secure.domain.com

2. If the IP is already setup when you get the certificate, it'll be ready for SSL connnections - so I would set it up soonest.

3. You won't need to confirm it. If you look at the whois for the domain, they would be listed as Admin, Tech, Billing contacts - so you really have nothing to do with it if they're getting it themselves - just have them forward you the information once they get it.

4. No not in whm - just don't generate any more requests or do anything else with the SSL stuff

**mixx941** · 01-30-2004 10:19 AM

Regarding #1:

Is "Add DNS Zone" just like "Change IP address of a site"? Would that work as well?

Also, they want to secure "www.domain.com". I would enter "www.domain.com" in the domain area of the DNS Zone correct? That will secure "https://www.domain.com/anything" right?

The IPs are already setup...although now I guess I"ll have to order more since this is using up an unplanned one

.

Thanks in advance

**osfdeath** · 01-30-2004 10:52 AM

Ya you have to assign one IP to that certificate

Is "Add DNS Zone" just like "Change IP address of a site"? Would that work as well?

No you have to use the Add DNS and add the zone

You want the whole domain to be in the SSL?
Then you'd have them get the Cert for "domain.com"
www.domain.com and domain.com ARE NOT the same thing

I'd suggest getting it for domain.com
Then the URL would be https://domain.com/anything

**mixx941** · 01-30-2004 12:23 PM

If it was ME, I'd get "https://secure.domain.com" but I guess they dont want it like that.

So I should advise them to get it for https://domain.com instead of https://www.domain.com?

They mentioned they wanted https://www.domain.com, so as long as that will work, then I think they still want that.

Thanks for all your help in advance.

P.S. One more quick question. I'm going to offer a dedicated IP as an addon service for my web hosting. Obviously I would select that as their IP when creating the account, but would I click the "IP" Checkbox when creating the account, and what is the proper method for making someone have their own dedicated IP address after the account is active?

**osfdeath** · 01-30-2004 12:39 PM

ya the "www" in a URL is actually a subdomain for a site

http://www.domain.com isn't the same as http://domain.com
When you create a virtual account in WHM, it automatically adds the "subdomain" forward for the www part for you.
That's why they look the same - of course I'm pretty new at all this so I'm speaking the way I see things - I could be wrong and there may be more expert opinions out there.

For clarification - the Certificate has to have its own dedicated IP - I dont think you can give them an IP for their domain and have the Certificate share the same IP
You could assign them a dedicated IP for the certificate and let them use your shared IP (default IP for your hosting company kind of thing)
Again - other opinions may be out there

I'd tell them that their secure area will be
https://domain.com/secure files here
It can be subdirectories or single pages - doesn't matter
Using https://www.domain.com would still be secure pages but you'll get a Security Warning popup box
It depends on what you register I guess
I'd stick with domain.com for ease as the www part is a subdomain (as described above)
Then again, I don't see why you couldnt register www.domain.com and use https://www.domain.com
I'm honestly not sure if it'd work - someone else have a say on the subject?

**PWSowner** · 01-30-2004 10:36 PM

Originally posted by osfdeath
For clarification - the Certificate has to have its own dedicated IP - I dont think you can give them an IP for their domain and have the Certificate share the same IP
You could assign them a dedicated IP for the certificate and let them use your shared IP (default IP for your hosting company kind of thing)
Again - other opinions may be out there

Actually, as long as the site has a dedicated IP you don't need a seperate IP for a certificate.

**mixx941** · 01-31-2004 12:34 AM

So let me clarify before I email my customer back....

They really want https://www.domain.com/whatever, so could I enter that as the domain for the DNS Entry when giving them their dedicated IP, and www.domain.com for the host to generate the CSR?

Thanks

**osfdeath** · 01-31-2004 09:04 AM

as long as the site has a dedicated IP you don't need a seperate IP for a certificate.

Kewl - wasn't sure about that

I'm not sure about the www - I was told NOT to use it
I know not using it has worked for me - so i can only offer my experience of what's been successful for me - I sugggest you not use it and stick to domain.com/whatever

**mixx941** · 01-31-2004 01:54 PM

Okay, so let me clarify finally now.

I told them that, and they changed their mind, they now want "https://secure.domain.com"

So in the "Add DNS Zone" I would put in the new IP, and put in "secure.domain.com" for the domain?

Then, I would wait how long for it to propogate before generating the CSR?

Thanks in advance.

**osfdeath** · 01-31-2004 02:09 PM

So in the "Add DNS Zone" I would put in the new IP, and put in "secure.domain.com" for the domain

Correct

Then, I would wait how long for it to propogate before generating the CSR?

You don't have to wait to generate the request
Just ensure you copy the the key to a text pad (even though it'll send you emails with the info, i prefer to hold onto it right away)

**Juanra** · 01-31-2004 02:28 PM

Originally posted by cortices
Well, basically you are right. The site must be on a dedicated IP. There's no easy way to avoid the downtime, but it should be pretty minimal. You'll just have to wait for other DNS servers' cache to expire before the updated IP is available.

And you might decrease the domain's TTL to minimize the possible downtime.

LinkBack

Thread Tools

Installing a SSL Cert

Help installing SSL cert

Problem installing SSL Cert

Installing SSL Cert for cPanel/WHM Itself

Installing a ssl cert on cpanel

Trouble installing SSL cert for WHM