
How Does SSL Work?

Discussion in 'General Discussion' started by thinksmart12, Oct 3, 2006.

  1. thinksmart12

    Hello,
    I am very new to the whole SSL process, so please have patience. :) Anyway, I would like to know, how do I set up an https:// for a single reseller on my web server? Also, how would I set up https:// for a single client? Or allow my reseller to give https? What is this process and where do companies like Verisign (http://verisign.com) and Thawte (http://thawte.com) come in?
     
  2. elliotcooper

    When you use an https:// URL you are doing two things. You are encrypting the data between the server and the browser and the identity of the server is authenticated. The former is carried out using a .key file and the latter is carried out using a .crt (certificate) file.

    The way that the certificate authenticates the site is that it has to be signed by a signing authority recognised by the browser. The way that this works is that every browser has a small list of trusted signing authorities; when it gets to an https site it checks that the certificate was signed by one of these authorities. You mention two of these trusted signing authorities, Thawte and Verisign. When a certificate is signed by one of them it will trust the certificate and the site. This happens because these signing authorities will only sign a certificate once they have seen documentary evidence that demonstrates that the holder of the certificate is who they say they are; if they say they are a business, they check that it exists, etc.

    So, to install a certificate and start using https you need to first generate your .key file and a .csr (certificate signing request) using the SSL section in WHM. Once you have the .csr file you take it to the authority and provide them with the requested documents. They then send you back a signed certificate. You then go back to WHM, and in the SSL section install the certificate by pasting in the .key and .crt files (and a .ca file if you are sent one).

    Certificates are issued per hostname *not* IP address so they are portable between servers. Also, there are two types of certificates. The cheap option will only work for a single hostname e.g:

    www.domain.com ( https://www.domain.com )
    secure.domain.com (https://secure.domain.com )
    shop.domain.com ( https://shop.domain.com )

    etc. It will only work for one of these and no other; you have to be sure that it is the one you want before you generate the .key and .csr file. As an aside, the often confusing name for the hostname that you want to use is the 'common name'.

    The second, more expensive (usually 10X) type is a wildcard certificate. With this you will be able to use:

    *.domain.com

    where '*' is any set of characters you want. If your reseller gets a wildcard certificate then they can offer a shared certificate to their users, e.g.

    user1.reseller-domain.com
    user2.reseller-domain.com
    user3.reseller-domain.com

    But most people don't want this as they want to use their own domain with the https:// URL.

    You can allow your resellers to generate the .key and .crt files and install the certificates in their reseller WHM accounts if you want to.

    Sorry for the length of this but there's a bit to it. If you need any more information on the specifics of this, update this thread and I'll be happy to elaborate further.
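
Added example, not part of the original posts: a sketch of the name check a browser applies to the single-hostname and wildcard certificates described above. It assumes the conservative rule current browsers use, where `*` stands in for exactly one whole left-most label; the function names `name_matches` and `covered` are hypothetical, and the hosts are constructed from the thread's placeholder domains.

```python
"""Which hostnames does a certificate name cover? (added illustration)"""


def name_matches(cert_name: str, hostname: str) -> bool:
    """Return True if a certificate name (exact or wildcard) covers hostname."""
    cert_labels = cert_name.lower().rstrip(".").split(".")
    host_labels = hostname.lower().rstrip(".").split(".")
    # A name only ever matches a host with the same number of labels.
    if len(cert_labels) != len(host_labels) or "" in host_labels:
        return False
    first, rest = cert_labels[0], cert_labels[1:]
    if first == "*":
        # Wildcard: replaces exactly one whole left-most label and needs at
        # least two fixed labels after it, so "*.com" is refused.
        return (len(rest) >= 2 and "*" not in "".join(rest)
                and rest == host_labels[1:])
    # No wildcard, or a wildcard in any other position: exact match only.
    return "*" not in cert_name and cert_labels == host_labels


def covered(cert_names, hostnames):
    """Map each hostname to whether any name on the certificate covers it."""
    return {h: any(name_matches(n, h) for n in cert_names) for h in hostnames}


# Constructed sample hosts, reusing the thread's placeholder domain.
HOSTS = ["www.domain.com", "secure.domain.com", "shop.domain.com",
         "domain.com", "a.b.domain.com"]

if __name__ == "__main__":
    for label, names in [("single-name", ["www.domain.com"]),
                         ("wildcard", ["*.domain.com"])]:
        for host, ok in covered(names, HOSTS).items():
            print(f"{label:12} {host:20} {'ok' if ok else 'name mismatch'}")
```

Under this rule a wildcard certificate covers neither the bare domain nor names two levels down, so those need their own entry on the certificate.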
     
  3. Heritz

    Is there any way to enable https for a site for free? I mean, when I try to enter my cPanel, I get into an https connection with no Verisign or any other company key.

    This is very confusing. I've tried reading Wikipedia for the SSL and I still can't get detailed information about how this exactly works.
     
  4. designeru

    You have to understand 2 things.

    1. There are self-signed certificates (as good as any other ones) but any browser will complain that these are not signed by an authority.
    2. There are signed certificates, such as Verisign and so on, same as above but without the complaints from browsers.

    So, you have to get a certificate. cPanel can generate one for you and automatically install it on one of your hosts. For this, you need only a real IP for any domain you wish to do https.

    Go to your WHM -> Web SSL/TLS -> Generate a SSL Certificate and Signing Request. I think it's well explained in the docs so you can understand what you have to do from here.
     
  5. thinksmart12

    So for example if I had started to rent a new dedicated server, then I would have to buy/self sign a certificate to access cPanel through the secure port?
     
  6. dalem

    What designeru tried to explain:

    2 types of certs

    Self-signed (they are FREE and will be generated automatically when you generate an SSL signing request). But they will have the browser warning.

    Signed (NOT FREE; you submit the signing request to a certifying authority and they will send you back a signed certificate), eliminating the warning.
     
  7. sparek-3

    As a general rule you use self-signed certificates anywhere where you already have clients and you need encryption. You use signed/authoritative certificates where you have potential clients coming to you.

    For example, your control panel, if you access it securely it uses a self-signed certificate. Anybody that tries to access their control panel is going to get a browser popup window warning of the unsigned certificate. But this can easily be explained because the person accessing the control panel is a client of yours. The client knows you are a reputable person and place so there's no reason to question the unsigned certificate.

    A signed/authoritative certificate would be used when you want to accept orders, such as webhosting orders. You want to encrypt the connection through SSL, but you also want the potential customers to feel safe and know that you are a reputable company. With a signed/authoritative certificate, there are no browser popups and the user could conceivably trace the certificate back to the certificate authority and find out who specifically ordered the certificate. This gives the potential customer a sense of security in knowing that they are dealing with someone who is reputable.

    The actual encryption done between a signed and self-signed certificate is the same. There are no negatives to using a self-signed certificate in terms of security. However, generally you just want to use a self-signed certificate in places where you already have a client and can explain to the client the reason for the popup warning.
     
  8. thinksmart12

    So how would I get it set up if I wanted only the user's WHM and cPanel interfaces to use https? Also, would I have to set up a self-signed certificate for every user's cPanel? How would this work?
     
  9. designeru

    Hint!

    You should already be able to log in via https to your WHM/cPanel.
    Try https://your_domain.com:2087 for WHM and https://your_domain.com:2083 for cPanel.

    If you wish to generate another cert, please go to WHM -> Reset Server Certificates and select WHM/CPanel from there.
     
  10. thinksmart12

    So if I get a dedicated server with WHM/cPanel with Fantastico already installed, then it already includes the secure ports?
     
  11. designeru

    Answer:

    For WHM/cPanel... yes.
     
  12. thinksmart12

    Ohh, I see now. Is it possible for clients to request and obtain their own certificates through cPanel or do I have to install each one?
     