Page tree
Skip to end of metadata
Go to start of metadata

 

For cPanel & WHM version 11.50

What is SSL/TLS?

SSL performs several functions to help secure your server.

SSL/TLS (Secure Sockets Layer/Transport Layer Security) encrypts information that a visitor’s web browser transmits to a web server. Use these protocols to protect against electronic eavesdroppers. Protect all of the sensitive data (for example, credit card numbers, and login information) that you transmit over the Internet with SSL/TLS.

Both of these protocols initiate a “handshake,” during which your server and the user’s computer agree on specific conditions. These conditions include a set of public and private keys that the two computers use to encrypt and decrypt messages that they send during the secure session.

You can set up SSL/TLS for your server in WHM's SSL/TLS interface (Home >> SSL/TLS). This interface allows you to configure how SSL/TLS certificates run on your server.

What is an SSL certificate?

An SSL certificate is an electronic document that uses the .crt file extension. This document binds a public key to an identity that consists of an email address, a company, and a location. This electronic document is a key piece in an authentication process.

SSL certificates provide public information about the security of a domain, server, or service. There are two parts to a secure certificate. Both parts are important to protect sensitive data.

  • Encryption — Encodes data to ensure that no one who intercepts the transmission can understand it.
  • Identification verification — Ensures that you connect to the correct server.

What is a Certificate Authority (CA) bundle?

A Certificate Authority (CA) bundle is a file that contains the following details about the SSL certificate:
  • Who issued it.
  • Any certificates of the authority that issued it.
  • The "chain of trust" for the issuer.

    Note:

    A certificate authority can vouch for other certificate authorities, which results in a "chain of trust." In order for a certificate authority to sell certificates, another certificate authority must vouch for them.

  • Certificate revocation lists (CRLs).
Web browsers have a built-in list of trusted certificate authorities, and they use the list to determine whether to trust an authority.

What are limitations of SSL/TLS?

SSL certificates review domain names literally. For example, www.example.com and example.com are two different domains in relation to SSL.

What is SNI support?

SNI (Server Name Indication) support allows you to host multiple SSL certificates for different domains on the same IP add ress. At the start of the "handshake" process, SNI indicates the hostname to which the client connects. Users who are on shared servers that support SNI can install their own certificates without a dedicated IP address.

In order to experience the full benefit of SNI, your server must run an operating system that supports this functionality, such as CentOS 6.

What is a multi-domain or UC/SAN SSL certificate?

Multi-domain certificates are SSL certificates that allow you to secure multiple, potentially unrelated domains with a single certificate. This includes UC/SAN certificates and wildcard certificates. Unified Communications/Subject Alternate Name (UC/SAN). Certificates are SSL certificates that allow you to specify a list of hostnames that the same certificate protects.

Note:

You must reissue these certificates each time that you add a new hostname.

What is a wildcard SSL certificate?

A wildcard certificate allows you to install the same certificate on any number of subdomains if they share an IP address. You can apply a wildcard certificate to services in WHM’s Manage Service SSL Certificates interface (Home >> Service Configuration >> Manage Service SSL Certificates).

  • For example, you can use a wildcard certificate for *.example.com to securely connect to mail.example.com and www.example.com, but not to example.com.
  • The root user may install a wildcard certificate on a collection of subdomains that are associated with a single root domain on multiple IP addresses. If this configuration uses multiple IP addresses, a user on the server must not own the root domain.

What is the difference between a wildcard and a webserver certificate?

Webserver certificates only allow you to secure a single domain. Wildcard certificates allow you to secure a domain and an unlimited number of subdomains. For example, if you wish to secure store.example.com and blog.example.com, you can use a single wildcard certificate to do so. However, each subdomain requires its own dedicated IP address.

What is a shared SSL certificate? How do I install one?

A Shared SSL Certificate is an SSL certificate that is installed on the server's hostname. If the server administrator enables the Apache mod_userdir Tweak, all of the users on that server can use a Shared SSL Certificate to access their sites securely via their user directories. For example: https://hostname.example.com/~username

After you install the certificate, set the certificate as shared in the Manage SSL Hosts interface (Home >> SSL/TLS >> Manage SSL Hosts).

Self-signed SSL certificates

What is a self-signed SSL certificate?

A self-signed SSL certificate is an SSL certificate that does not verify the identity of the server. You can create your own self-signed SSL certificate in WHM's Generate an SSL Certificate and Signing Request interface (Home >> SSL/TLS >> Generate an SSL Certificate and Signing Request).

Notes:

  • A self-signed certificate has a label of “self-signed,” which is the equivalent of someone who claims that they are who they say they are.
  • If you choose to use a self-signed SSL certificate, you can secure a connection to the site, but you cannot verify the identity of the site. As a result, browsers warn users about the authenticity of the server that they want to reach.

What is the difference between a self-signed certificate and a purchased SSL certificate?

Based on the needs of your website, you may decide to either create a self-signed certificate or purchase an SSL certificate. Because a purchased SSL certificate verifies the identity of the server, it is more secure.

  • If your site only handles minimally sensitive data, it may be appropriate to create your own self-signed certificate.
  • If your site handles extremely sensitive data (such as credit card information), purchase an SSL certificate to create a more trustworthy connection for your customers.

What can I do with the initial self-signed certificate?

Trustwave contacts the purchaser after the order goes through. Trustwave does not automatically generate the certificate as soon as you purchase it. Instead, they send the Trustwave-signed certificate to the email address that you entered during the order process.

For more information, read our Purchase and Install an SSL Certificate documentation.

How to troubleshoot an SSL installation

The following sections describe some common certificate installation issues and how to fix them:

My certificate will not install — I receive a message about a certificate/key mismatch.

If you receive the modulus mismatch or key file does not match the certificate error messages, then the private key that you entered did not generate the certificate that you wish to install. The correct private key may exist in a different file.

WHM may automatically complete the Private Key text box when you attempt to install a certificate. To properly install the certificate, paste the private key that you generated in the Private Key text box in WHM's Install an SSL Certificate on a Domain interface (Home >> SSL/TLS >> Install an SSL Certificate on a Domain).

My certificate will not install — I receive a message about a dedicated IP.

SSL only works with one certificate per IP address. Each cPanel account is on a single IP address, which means that you can only have one certificate per account. If you experience problems with a subdomain, assign a dedicated IP address to it. When you complete this process, you can install a certificate as you would for any other cPanel account.

My certificate installed, but my visitors receive warnings about a self-signed certificate.

The following behaviors are acceptable for self-signed certificates:

  • Typically, browsers do not trust self-signed certificates, even though, in terms of security, they are acceptable.
  • Because browsers do not trust these certificates, your visitors will see a warning message.
  • If you do not want visitors to encounter this warning, purchase an SSL certificate from an SSL provider.
    • If you choose to do this, do not remove the installed self-signed certificate. Instead, purchase and install the additional certificate in WHM's Install an SSL Certificate on a Domain interface (Home >> SSL/TLS >> Install an SSL Certificate on a Domain) to purchase the certificate and install it in addition to the existing certificate.

My certificate installed, but my visitors see a warning about a domain mismatch.

It is likely that you have a self-signed certificate or a signed certificate that does not match the domain name.

  • This warning notifies visitors that the name on the certificate does not match the name of the domain that they tried to reach.
  • This should not be a security issue when you log in to a site's cPanel interface.
  • Before they proceed, visitors can check to make sure that the SSL certificate pertains to the domain of the correct host.
  • Visitors who are concerned about security should contact the host to make sure it is safe to proceed.

To identify your hosting provider, enter your domain name at WhoIsHostingThis.com

My certificate installed, but visitors who try to securely access other sites on the shared IP address can only see the site with an installed SSL certificate, not my default domain.

If you have multiple sites that share an IP address but only one domain with an installed SSL certificate, you may have this problem. Apache cannot serve unsecured websites through a secure protocol.

For example, you may have the following setup:

IP addressDomainSSL status
1.2.3.4example.comInsecure
1.2.3.4domain.comSecure
9.8.7.6example2.comInsecure
9.8.7.6domain2.comInsecure

If this setup is similar to your shared IP address’ domain structure, expect the following behavior:

Warning:

If you enter https:// before a domain name, the browser uses the HTTPS protocol, which is secure. If you enter http:// before a domain name, the browser uses HTTP, which is not secure.

ProtocolIP address or domainApache will serve:
https://1.2.3.4domain.com
http://1.2.3.4The default page redirect, or example.com.
https://9.8.7.6

An error message.

Note:

Because Apache cannot serve an unsecured website with a secure protocol and there are no secure sites on the shared I P addressApache serves an error message.

http://9.8.7.6domain2.com
https://example.com

domain.com

Note:

Because Apache cannot serve an unsecured site with a secure protocol, Apache defaults to the secure website on the shared IP address.

http://example.comexample.com
https://domain.comdomain.com
http://domain.comdomain.com
  1. Select the Pre Virtual Host Include option.
  2. Select the Apache version from the menu. We recommend that you select All Versions.

  3. Enter the following text in the available text box:

    <VirtualHost IPADDRESS:443>
      ServerName HOSTNAME
      DocumentRoot /usr/local/apache/htdocs
      ServerAdmin EMAIL
      <IfModule mod_suphp.c>
        suPHP_UserGroup nobody nobody
      </IfModule>
    	SSLEngine on
    	SSLCertificateFile SSLCERTIFICATEFILE
    	SSLCertificateKeyFile YOUR-SSLCERTIFICATEKEYFILE
     </VirtualHost>
  4. Click Proceed

  5. Click Update.

Note:

This example uses the following values:

  • IPADDRESS represents your server's IP address.
  • HOSTNAME represents your server's hostname.
  • EMAIL represents your contact email address.
  • SSLCERTIFICATEFILE represents the full file path to your SSL certificate.
  • SSLCERTIFICATEKEYFILE represents the full file path to your SSL certificate's key.

After you save the Include file in httpd.conf, visitors gain access to unsecured sites even if they use a secure protocol. For example, if example.com is your default website, the system redirects a visitor who enters https://1.2.3.4 in their web browser to  example.com .

When I log in with https, I get a certificate mismatch warning. Is it okay to ignore this and log in?

Your web host likely uses a self-signed certificate, or a signed certificate that does not match your domain name. This warning exists to notify you that the name on the certificate does not match the name of the domain that you wish to visit.

Check to make sure that the SSL certificate is from a domain that belongs to your web host before you proceed. If you are concerned about security, contact your web hosting provider to confirm that you can safely proceed.

What do I do if my system fails and I do not have my Trustwave authentication data in WHM?

If you have suffered a serious drive failure, you may lose this data.

If you can access the old drive, the system stores your authentication data in the /root/.trustwavereqs file.