SSL FAQ

For WHM version 11.30

This area of WHM allows you to perform several functions to help secure your server.

Introduction to SSL/TLS

Secure Sockets Layer (SSL) and Transport Layer Security (TLS) allow a visitor’s web browser to communicate securely with a web server. These protocols are used to protect against electronic eavesdropping. Email and web browsing are the most common tasks protected with SSL/TLS. All sensitive data (credit card numbers, login information, etc.) that is transmitted over the Internet should be protected by SSL/TLS. TLS is simply the more recent version of SSL.

Both of these protocols initiate a “handshake,” during which your server and the user’s computer will agree upon specific conditions. These conditions include, most importantly, a set of public and private keys that will be used to encrypt and decrypt messages sent between the two computers during the secure session.

Limitations of SSL/TLS

  • You can only have one SSL certificate for each IP/port combination. This has many ramifications, including:
    • If a cPanel user wishes to have an SSL certificate installed, he must have a dedicated IP address.
    • Only one domain per account (including subdomains, addon domains, and parked domains) may have an SSL certificate.
  • Typical SSL certificates are very literal when reviewing domain names.
    • For example, www.mydomain.tld and mydomain.tld are seen as different domains.

However, you can install the same certificate multiple times on different IP/port combinations. For instance, if you purchase a certificate for your hostname, you can install this certificate for each of the services through WHM >> Service Configuration >> Manage Service SSL Certificates. You can also install this same certificate for users browsing your website, especially if you wish to provide a safe and secure connection.

  • For example, if you have purchased a wildcard certificate for your hostname (let's say myhosting.tld), and you have three different accounts with domains (either a primary, parked, or addon domain) called user1.myhosting.tld, user2.myhosting.tld, and user3.myhosting.tld, you could give each of these accounts a dedicated IP address and install the wildcard certificate on each of them individually.

What is a Wildcard SSL Certificate?

A wildcard certificate is an SSL certificate that can be used with multiple subdomains on a single domain. If you have a wildcard certificate for *.mydomain.tld you can use it to securely connect to mail.mydomain.tld and www.mydomain.tld, but not mydomain.tld.
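The matching rule described here and under "Limitations of SSL/TLS" can be written as a small shell function. This is an added example, not part of the original cPanel documentation; the function names are hypothetical, and it also applies the usual browser rule (not stated above) that "*" stands for exactly one label, so a.b.mydomain.tld is not covered.

```shell
#!/bin/sh
# Added example: does a name on a certificate cover the host a visitor typed?

# Return 0 when a certificate name (exact or "*.domain") covers the host name.
cert_name_covers() {  # $1 = name on certificate, $2 = host name
    name=$(printf '%s' "$1" | tr 'A-Z' 'a-z')   # comparison is case-insensitive
    host=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    case $name in
        \*.*)
            suffix=${name#\*}          # e.g. ".mydomain.tld"
            label=${host%"$suffix"}    # what the "*" would have to stand for
            # The host must end in the suffix, and "*" must be one non-empty label.
            [ "$label" != "$host" ] && [ -n "$label" ] &&
                case $label in *.*) false ;; *) true ;; esac ;;
        *)  [ "$name" = "$host" ] ;;   # ordinary certificates match literally
    esac
}

# Print the first certificate name that covers the host; return 1 if none does
# (the situation in which a browser reports a domain mismatch).
covering_name() {  # $1 = host, remaining arguments = names on the certificate
    h=$1; shift
    for n in "$@"; do
        if cert_name_covers "$n" "$h"; then printf '%s\n' "$n"; return 0; fi
    done
    return 1
}

# Constructed sample: the wildcard certificate and host names used on this page.
for h in www.mydomain.tld mail.mydomain.tld mydomain.tld; do
    if n=$(covering_name "$h" '*.mydomain.tld'); then
        echo "$h: covered by $n"
    else
        echo "$h: not covered"
    fi
done
```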

What is a Multi-Domain or UCC (Unified Communications Certificates) SSL Certificate?

These are SSL certificates that are issued for multiple, unrelated domains on the same server.
  • Note: cPanel does not currently offer this option through WHM.

What is a Shared SSL Certificate? How do I install one?

A shared SSL certificate is the name used by the hosting industry for an SSL certificate that is installed on the server's hostname. This way, all the users on that server can use it to access their sites securely via mod_userdir, such as https://hostname.domain.tld/~username.

If you are installing a shared SSL certificate, you must write nobody in the User field and the shared IP address in the IP Address field when installing on the Install a SSL Certificate and Setup the Domain page. After you install the certificate, you will need to use the Manage SSL Hosts page to select the certificate as shared.

What is a Self-Signed SSL Certificate?

There are two parts to a secure certificate: encryption and identification verification. The encryption aspect encodes data so that anyone who intercepts the transmission cannot understand it. The identification verification aspect ensures that you are actually connected to the correct server. Both parts are important to prevent compromising sensitive data. When you purchase a certificate, you are purchasing the identification verification part of the certificate. If you do not purchase an SSL certificate, your certificate will be labeled as "self-signed." As a result, browsers will warn users regarding the authenticity of the server they are trying to reach.

You can create your own self-signed SSL certificate at the Generate a SSL Certificate and Signing Request section in WHM. Once a self-signed certificate is generated, it can be installed like any other certificate.

Creating versus Purchasing a SSL Certificate

Based on the needs of your website, you may decide to either create a self-signed certificate or purchase an SSL certificate. If your site only handles minimally sensitive data, then creating your own self-signed certificate may be appropriate. If your site handles extremely sensitive data (such as credit card information), you should purchase an SSL certificate. Buying a certificate offers a third-party verification system to assure visitors of the security of your site.

What is a Certificate (CA) Bundle?

There are two parts to a secure certificate: encryption and identification verification. The encryption aspect encodes data so that anyone who intercepts the transmission cannot understand it. The identification verification aspect ensures that you are actually connected to the correct server. Both parts are important to prevent compromising sensitive data. When you purchase a certificate, you are purchasing the identification verification part of the certificate. Browsers have a list of "trusted certificate authorities" built in. Some certificate authorities are not included in these lists. In order for them to sell certificates, they had to be vouched for by a certificate authority that is trusted. This "chain of trust" is represented by the certificate bundle.

Troubleshooting SSL Installation

Here are some common issues regarding certificate installation and how to fix them.

My certificate won't install; I receive a message about a certificate/key mismatch.

An error message regarding a "modulus mismatch" or "key files does not match the certificate" means that the certificate you are trying to install was most likely not generated with the RSA key you are using. The correct RSA key may be in a different file. On occasion, WHM may auto-fill the wrong RSA key when you attempt to install a certificate. To properly install the certificate, you can manually paste the RSA key that was generated during the certificate signing request process into the middle field in WHM's Install a SSL Certificate and Setup the Domain screen.
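Whether a certificate and an RSA key belong together can be checked from a shell on the server before pasting either into WHM. This is an added example, not part of the original cPanel documentation; the function names are hypothetical, and the throwaway certificate and keys it generates are constructed for the demonstration.

```shell
#!/bin/sh
# Added example: detect a certificate/key "modulus mismatch" with openssl.

# Print "Modulus=<hex>" for a certificate (x509) or an RSA private key (rsa).
modulus_of() {  # $1 = x509 | rsa, $2 = PEM file
    openssl "$1" -noout -modulus -in "$2" 2>/dev/null
}

# Return 0 when the key's modulus equals the certificate's, 1 when it differs,
# and 2 when either file cannot be read as the expected type.
cert_matches_key() {  # $1 = certificate file, $2 = private key file
    cert_mod=$(modulus_of x509 "$1") || return 2
    key_mod=$(modulus_of rsa "$2") || return 2
    [ -n "$cert_mod" ] && [ "$cert_mod" = "$key_mod" ]
}

# Constructed samples: a self-signed certificate with its own key, plus an
# unrelated key standing in for the wrong one being auto-filled.
make_samples() {  # $1 = scratch directory
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=www.mydomain.tld" \
        -keyout "$1/right.key" -out "$1/site.crt" 2>/dev/null &&
    openssl genrsa -out "$1/wrong.key" 2048 2>/dev/null
}

dir=$(mktemp -d)
if make_samples "$dir"; then
    cert_matches_key "$dir/site.crt" "$dir/right.key" && echo "right.key: match"
    cert_matches_key "$dir/site.crt" "$dir/wrong.key" || echo "wrong.key: modulus mismatch"
fi
rm -rf "$dir"
```

Only the modulus, which is public, is compared; the private key itself is never printed.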

My certificate won't install; I receive a message about a dedicated IP.

SSL only works with one certificate per IP address, and since each cPanel account is on a single IP address, you can only have one certificate per account. If you are having problems with a subdomain, you will need to assign it a dedicated IP address. When you complete this process, you can install a certificate as you would for any other cPanel account.

My certificate installed, but my visitors are receiving warnings about a self-signed certificate.

After you install a self-signed certificate, browsers may display a warning regarding these types of certificates to your visitors. This is normal for self-signed certificates. Typically, browsers will not trust self-signed certificates, even though in terms of security, they are acceptable. Since browsers do not trust these certificates, they will show a warning to your visitors. If you do not want visitors to encounter this warning, you can purchase an SSL certificate from an SSL provider. Essentially, you will be paying a trusted SSL provider to sign an SSL certificate so your visitors will not see a warning. If you choose to do this, you do not have to remove the installed self-signed certificate; you can purchase the certificate and install it "on top" of the existing certificate using the Install a SSL Certificate and Setup the Domain screen in WHM.

My certificate installed, but my visitors are seeing a warning about a domain mismatch.

It is likely that you are using a self-signed certificate or a signed certificate that does not match the domain name. This warning exists to notify visitors that the name on the certificate does not match the name of the domain they are trying to reach. This should not be a security issue when logging into a site's cPanel interface. Before proceeding, visitors can check to make sure that the SSL certificate pertains to the domain of the correct host. Visitors who are concerned about security should contact the host to make sure it is safe to proceed.

  • Are you unsure who your host is? You can visit this site for more information.

Topic revision: r4 - 05 Mar 2012 - 15:28:42 - Main.GeorgeAlpizar