You do not need to understand the theory behind SSL and how it works to install SSL on your servers, you can simply follow a procedure and end up with a working SSL certificate for your website, the things you MUST know are the following. 1- An SSL certificate requieres a dedicated IP address, this is because the browser encrypts the data that contains the virtual host (Domain Name) that is tipically included in notmal HTTP requests, and the server has no way of knowing what website you are asking for other than by it's IP address, you can host as many websites on that IP address as you wish but only 1 SSL certificate can be used with any given IP address. |
This website contains information about Internet Security Certificates from theory to installing them on your website or server.
Tutorials on buying and installing certificates on certain control panels, operating systems, web servers, and other related information are covered in other pages that are accessible from here.
EasyWebDNS sells Domain Validation security certificates for $28.99/year, that is less than $2.5 a month, Even though they are the cheapest on the market, they are also some of the best with 256bit encryption and 99% browser recognition, They also allow an unlimited number of servers with every security certificate. We are not aware of any providers that provide security certificates of the same level cheaper than us, By the same level we mean both the same level of security and the same level of browser recognition |
All tutorials here assume you are generating a "Domain Validation" StarField technologies certificate. But they also apply to other certificate types with little on no modification that will be made clear in the tutorials.
Generating and installing SSL certificates
Installing StarField Security Certificates.
StarField Tech is recognised as a trusted certificate authority by over 99% of web browsers.
1- Installing a security certificate on a Linux Dedicated server with Apache.
2- Installing a security certificate on EasyWebDNS shared web hosting.
3- Installing a security certificate on a Linux PLESK server.
4- Installing a security certificate on a Windows PLESK server.
Self Signed Security Certificates
WARNING: Self signed security certificates will display a warning to every visitor to your website that the owner of the website could not be validated, this will probably result in lost sales (Usually results in no sales) as people cannot trust that they have connected to your website and not to some website that intends to steal there credit card information, or there personal information depending on what you want a certificate for, they can be useful for your own purposes such as a connection between you and your website where you can read the certificate and then instruct your browser to accept it.1- Issuing and installing a self signed security certificate for apache on Linux.
More
1- Decrypting the RSA key
Removing the apache message
Some of your private key files are encrypted for security reasons. In order to read them you have to provide us with the pass phrases. Server subdomain.domain.com:443 (RSA) Enter pass phrase: |
Assuming that your RSA key is stored in the file
/etc/apache2/ssl/mykey.key
To decrypt the file, so that apache does not requer a password with every restart
1- copy the key file:
cp /etc/apache2/ssl/mykey.key /etc/apache2/ssl/myoriginalkey.key
Now, decrypt the key (read from the backup file) into the key file in our config
openssl rsa -in /etc/apache2/ssl/myoriginalkey.key -out /etc/apache2/ssl/mykey.key
Now the encrypted key is in the myoriginalkey.key just in case you need it, and the key used by apache is NOT encrypted
and is in mykey.key file (That apache already uses)
Please note that this does not make your connection less secure, but in the event that someone gets hold of the key file
(That you should protect encrypted or not), they can defeat SSL security
About Security Certificates
Before getting into Security Certificates, let us get SSL out of the way
SSL or (Secure Sockets Layer) also known as TLS (Transport Layer Security) are cryptographic protocols that happen between your web browser and a web server (Web Browsers and web servers are fit for this context, but you can also get your email from a POP3 server via SSL/TLS for example).
The default port for SSL is 443, for a non encrypted connection, the default port is port 80.
Plain HTTP
In a non encrypted http connection, the browser talks to the server on port 80, asks for data in plain text, and gets the data back also in plain text (And images and videos), in this case, your ISP can see the data transmitted between your browser and the web server, even your cookies are visible as they are transmitted with every request to the web server, http may be good for learning from the internet, but they are surely not suitable for transmitting secret information such as your credit card.
HTTPS, SSL/TLS connections
From the description of HTTP, you now know that the problem is "How do we prevent eavesdropping when talking to a web server", eavesdroppers may include people at your ISP, people at your ISP's upstream provider, or there upstream provider etc.., So if you are in London, and you are connecting to a web server in Germany, some people in London are technically capable of intercepting your data, as well as other people in Germany, and if the connection passes through routers and nodes in france, some people in france have that technical capability as well.
The answer is Encryption, a bit more complicated than what it may seem at first, but SSL/TLS as a protocol and encryption is beyond the scope of this document, and we only need to know what it is really.
Security Certificates
and there relationship to SSL / TLS
From the above paragraph, we understand that we need an encrypted connection to the server, So our browser connects to a certain IP and asks for an encrypted connection, but it is not that simple
to make this easy to understand, let us immagine that computer connects to the internet like an old phone operator console that connected people together, people asked the operator to be connectied to someone, the operator plugs a wire that connects your phone line to that person's phone and you can then talk.
Although for clarity i will always be blaming your internet service provider, Internet service providers are rarely the ones who are the problem, it is usually stolen domain names, stolen accounts, compromised servers, and other things, but to keep things simple, we will just assume your ISP is speying on you (Which is also valid).
Let us assume you are connected to the internet with "evil isp" that simply listened to your browser's requests and connected you by pushing a plug into a jack to connect you to a certain server, now let us assume Evil ISP routs your requests to xxx.xxx.xxx.xxx to a different computer, You contact that IP address, but it connects you to a different computer and tells you that you are now connected, you think you are talking to X while in reality you are talking to Y, Now you ask X for a secure connection, but Y secretly establishes that connection with you, it is indeed an encrypted connection, but unlike what you think, it is a connection to Y not to X, and Y can hear all the secrets you want to tell X.
The above example is not exactly how it happens, surely the internet does not work by someone manually pushing plugs into jacks and establishing connections, but it is close, infact, the router does what is in theory identical to this by passing your instructions to other routers.
Now you are in trouble, you told Y what you wanted to tell X, but how do we overcome this and make sure we are talking to X person ?
Here is where a security certificate comes into the picture.
A security certificate has advanced security algorithims to sign data with.
X creates 2 secret words, one that is private and the other is public, the public secret word is given to anyone such as your browser.
- Your browser asks the web server for a secure connection
- Your server responds with it's public key and other data (Called a certificate), a signature from a certificate authority is embedded in this certificate.
- Your browser check that the Certificate has not expiered, And that it is meant for the domain name it is trying to connect to.
- Your browser then checks who the Certificate Authority is, and checks if this authority is on it's list of trusted Certificate Authorities, if it is, they start talking on the encrypted connection (SSL / TLS) that they have established.
- If it is NOT on the list of trusted authorities stored in the browser, the browser displays a message saying, the signature on this certificate is one that i do not recognise, what do you want me to do.
NOTE: When we say EasyWebDNS StarField Certificates are recognised by 99% of web browsers, it means that 99% of active browsers on the internet recognise StarField as a certificate authority on there internal list of trusted authorities mentioned in the process above.
So, what happens when the Certificate Issuer is not listed in the browser as a trusted certificate issuing authority ?
A browser will usualy display the probalem, and ask you for your oppinion on weather to trust this certificate or not to trust it, surely you will probably trust a certificate signed by you that you are you, but will your customers trust it, they trust you and that is why you need a certificate to assure them that you are you, but they can not tell if you signed your own certificate because the "Evil Computer" listed above will also attempt to sign a certificate saying that he is you.
Here are some snapshots of some browsers asking the user to review certificates that have been self signed.
Security Certificate levels
This is not to be confused with Security Certificate types below, Security certificate levels are "How much the security authrotiy knowns about you" while Certificate types is how many domains are covered, Subdomains, Multiple Domains, Etc...
Security Certificate types
Domain Validation.
This is an entry type Security Certificate that does the
Copyright SSL Certificates Cheap 2010 - All trademarks mentioned on the website are the property of their respective owners.
Contact Details | Privacy Statement | Prices
Cheap Domain Names | Internet Stats | Cheap SSL Certificates | Domain Name Reseller