SSL Installation - A Mini HowTo

[Joseph]

For many of you, I imagine this post will be useless. For some of you though - I'm hoping it saves some time (it would have been nice to have someone save this time for me )

Anyway - this is pertaining to the purchase and installation of certificates - in this example it's an InstantSSL certificate from Comodo Security Services on behalf of AltaireSSL.

1. Setup a dedicated IP address
To do things properly, the domain that is using the certificate must be on a unique IP. Yes, you *can* set it up on a shared IP, but it's not a good idea, as you'll encounter big problems when you try to add your next secure site. Put it on a dedicate IP - save yourself the headache.

2. Deceide on the domain name
This step is important, and is often over looked. Ask yourself what address you want to use when accessing your secure certificate - would you rather they go to https://www.mydomain.com, https://domain.com or something like https://secure.domain.com or https://store.domain.com - be sure you know what you want before you continue. If you're using one of the latter two - setup the subdomain before continuing past this step.

3. Purchase the certificate
From WHM, near the bottom, under SSL/TLS - select "Purchase & Install SSL Certificate" - Go through the steps of filling out the details, and placing the order (this is a fairly linear, self-explanatory process, so I won't outline it). Be sure to use the domain name you selected in step 2. When defining the email address they should be using - use your own address (rather than your customer's/client's - it will simplify the process). Once you place the purchase you'll get an email indicating that you need to fax/email/mail some info to the certificate company - this is so they can confirm that you are who you say you are. Fax that information and wait for them to get back to you.

4. Wait
I've had this process take anywhere from 24 hours to 3 weeks. Yes it is annoying, but feel free to call up the company to see what's taking so long. Once they issue the certificate, you'll get an email with a zip file in it. Pay close attention to it - this is important to hold onto.

5. Install & Setup the Certificate
This is where most of the people I work with have difficulties - so be very careful. From WHM, under SSL/TLS select "Install an SSL Certificate and Setup the Domain" - if you have folowed my process as above, the .crt file and .key file will already be on the server. So, under domain - enter the domain name you selected in step 2, and used in step 3. Enter the username and the IP address you setup for that account (see step 1). Then click both Fetch buttons. The first Fetch button will grab the CRT file, the second will grab the KEY file. Note - although there is a sentence "Sorry.. cabundle not found, however you probably don't need one for this certificate ()." in the last field, we still need to setup the bundle file. This bundle file can be found in the email that the certificate company sent you.
In the zip file there is a file ComodoSecurityServicesCA.crt - open it in a text editor, copy the contents, and paste them into that last field in WHM. Then click the "Do it" button - and wait for the confirmation message.

So in a nutshell, I'm sure I'm duplicating information already avaialable on these forums - but perhaps someone will sticky this topic or start a sticky topic linking to tutorials and how to's

Best of luck,

~ Joseph

[redlorry919]

Thanks for the info. I've only just recently needed to install SSL certs but didn't realise that you needed the account to be on a dedicated IP. (which took me days to figure out and I wish I'd seen a post like this earlier!).

So I think this post will help a lot of people.

Nice one!
Adam.

[Glennr]

For many of you, I imagine this post will be useless. For some of you though - I'm hoping it saves some time (it would have been nice to have someone save this time for me )

I get the following when I try this:

Attempting to verify your certificate..... Cerificate verification passed!
Verifcation Result [/C=US/ST=Kansas/L=Overland Park/O=First Family church/OU=WinWeb/CN=*.ffc.org ]
The CRT for the domain *.ffc.org could not be installed. Apache produced the following errors:
Finished Install Process..

Any ideas?

Glenn

[Trigger]

Glenn it looks like you are installing a wildcard certificate is that correct, seeing the common name listed is *.ffc.org ?

Is it a chained certificate? If so did you paste in the CA bundle for it in the last box?

When you generate the CSR you must user *.domain.com for the domain name this will enable you to get a wildcard certificate that can be used for any subdomains.

When you install the certificate you only need to enter the domain.com or sub.domain.com if it is for a subdomain and use the .crt file you are supplied with by the comany you purchased the certificate from, along with the RSA Private key generated when you generated the CSR.

Wildcards can be used for multiple subdomains but each subdomain must have a dedicated IP address for it to work, installation is the same as for a single domain certificate but because it is issued to *.domain.com it will work or any subdomain without bringing up an error message.

[Glennr]

Glenn it looks like you are installing a wildcard certificate is that correct, seeing the common name listed is *.ffc.org ?

Is it a chained certificate? If so did you paste in the CA bundle for it in the last box?

When you generate the CSR you must user *.domain.com for the domain name this will enable you to get a wildcard certificate that can be used for any subdomains.

When you install the certificate you only need to enter the domain.com or sub.domain.com if it is for a subdomain and use the .crt file you are supplied with by the comany you purchased the certificate from, along with the RSA Private key generated when you generated the CSR.

Wildcards can be used for multiple subdomains but each subdomain must have a dedicated IP address for it to work, installation is the same as for a single domain certificate but because it is issued to *.domain.com it will work or any subdomain without bringing up an error message.

Thank you very much for your help, you would not believe how much I've been banging my head against the wall.

It is a wildcard certificate, and it's the first time I've used a wildcard cert. I did install the CA Bundle in the last box.

The issue was that I was not understanding that you want to insert the specific subdomain you are applying it to. I was trying to use the *. in the domain name.

Worked perfectly once I put in the subdomain.

Again, thank you very much.

Glenn

[rwoody]

I have a conflict regarding a previously issued certificate and I'm hoping there is a way I can make an adjustment in the DNS to stop the ugly error message "The name on the security certificate is either invalid or does not match the name of the site."

This was previoiusly setup incorrectly and I'm trying to see what I can do to clean it up. The site was registered mysite.com and the cert was issued: www.mysite.com

Now of course the site can be accessed either way, but the certificate warning might be disconcerting to potential customers as this is a shopping site.

Is there a way that I can modify the dns, so that www.mysite.com is a valid site name?

Thank you in advance for your assistance

[flash7]

1. Setup a dedicated IP address
To do things properly, the domain that is using the certificate must be on a unique IP. Yes, you *can* set it up on a shared IP, but it's not a good idea, as you'll encounter big problems when you try to add your next secure site. Put it on a dedicate IP - save yourself the headache.

2. Deceide on the domain name
This step is important, and is often over looked. Ask yourself what address you want to use when accessing your secure certificate - would you rather they go to https://www.mydomain.com, https://domain.com or something like https://secure.domain.com or https://store.domain.com - be sure you know what you want before you continue. If you're using one of the latter two - setup the subdomain before continuing past this step.

3. Purchase the certificate
From WHM, near the bottom, under SSL/TLS - select "Purchase & Install SSL Certificate" - Go through the steps of filling out the details, and placing the order (this is a fairly linear, self-explanatory process, so I won't outline it). Be sure to use the domain name you selected in step 2. When defining the email address they should be using - use your own address (rather than your customer's/client's - it will simplify the process). Once you place the purchase you'll get an email indicating that you need to fax/email/mail some info to the certificate company - this is so they can confirm that you are who you say you are. Fax that information and wait for them to get back to you.

4. Now my LIVE site is DOWN
WHM 10.0.0 cPanel 10.0.0-R161

[rwoody]

Thanks for the tips, but I'm sure you "overlooked" what I mentioned in my post. I have been doing this for quite sometime and am well aware of how to set this up "originally" I inherited the problem and was trying to find a way to assist the customer short of purchasing another SSL. I've contacted the SSL company and the cert cannot be altered. A new one must be purchased and this one deleted to fix the problem In view of the cost, I was hoping there might be a way that on the server, "www.mysite.com" could be setup as the valid name.

Thanks for your response though, I do appreciate your time in doing so.

Take care and have a wonderful day.

[flash7]

You right

Problem was been solved, thanx.

[barryj]

What do you do woith a "Chained Root Certificate"? I posted this on another forum, but thought it might fit here too.
----------
I have a client that purchased their own SSL Certificate and now I have to install it! Anyway the cert was purchased through GoDaddy and there are 2 parts to the certificate. 1 part is the certificate and the 2nd part is an intermediate certificate, which has to be installed before the certificate. GoDaddy provides install instructions for this "chained root certificate", but I was wondering if anybody else had experience wtih this type of cert. Basically to install it you put it in the specific SSL directories and then manually a;ter httpd.conf (which I have no issue with) but just checking out there.
WHM doen't cater for this type of certificate procedure.
----------

Any ideas?

[Trigger]

You can install this type of certificate with WHM without a problem.

When the customer gets the certificate details the email will contain both the certificate issued to the domain and a copy of the CA bundle that will need to be installed. As part of the install you paste the CA bundle in the last box (thats what it is there for) when you install the certificate.

[barryj]

Thanks for that, I suppose I should look at the WHM install boxes before I post a question!!!!!

[DeMenkey]

THANK YOU SO MUCH! This is what I've been trying to figuer out for the past two days. Yet, I still don't get it. lol
Arn't there any free SSL out there? Or something? lol

[Trigger]

DeMenkey you can get a 30 Day Free SSL certificate from Rapidssl.com to test things out to make sure its what you need, apart from that the only way to get it for free is if your host offers a shared SSL certificate or if you use a self signed certificate (which will give visitors an error as it is not trusted, once they click Ok it will work)

Rapidssl.com changed their name from freessl.com to avoid confusion, they used to offer free ssl certificates for a year just to get volume up and get the name out.

[Berbox]

There is a company "startcom" that issue free SSL certificates. I requested now 3 certificates and al worked fine. Just install the Ca-bundle with the certificate and your browser don't popup a security warning every time.

The request is just done in 30 minutes. The installation 30 min so in 1 hour you have SSL for you're customers. By the way they have excellent support on their site.

Of course you have to trust this people, but this you have to decide by your self