Installing a new SSL certificate for a website can be a tedious, time-consuming task. Because SSL certificates serve such a vital purpose (securing a website for things like stores, banks, etc.), we must pay close attention when setting them up to ensure that every detail is 100% correct.
If you are looking for information about what an SSL certificate actually is or how it works, please see our article What is an SSL Certificate?
Step #1: Does the Site Need a Dedicated IP Address?
Thanks to the Server Name Indication protocol (SNI), in many cases it is no longer necessary for a site to have a dedicated IP address to utilize an SSL certificate.
If your site and server satisfy all these conditions, then you can take advantage of SNI and serve multiple SSL-protected sites on the same IP address:
- The server’s operating system must be CentOS 6 or higher
- The server’s cPanel version must be 11.38/40 or higher
- The version of Apache running on the server must be 2.2 or higher
- You only need to guarantee support for modern, currently supported web browsers and operating systems.
The last requirement is the one most likely to present a challenge, but note that the following browsers support SNI by default:
- Internet Explorer since IE7 (on Windows Vista or later)
- Firefox since version 2
- Chrome since version 6
- Safari since version 3
- the default iOS browser since iOS4
- the default Android browser since Honeycomb
- the default Windows Phone browser since Windows Phone 7
If your server meets the requirements for SNI and you don’t need to maintain compatibility with unsupported browsers, then you can skip ahead to Step #3.
If you find that you do have to ensure compatibility with obsolete browsers or unsupported operating systems, then you will not be able to take advantage of SNI and will need to ensure that each SSL-protected site has a dedicated IP address.
Step #2: Assigning a Dedicated IP Address
Log in to your Web Host Manager (WHM) and find the navigation section on the left side called IP Functions. In that section, click on the Show IP Address Usage link.
Find the domain in question in the list that appears, and make sure it is the only account listed for that IP address.
Please note: The actual count of accounts may vary, but as long as there is only one primary domain name listed here you should be fine.
If the domain is NOT on its own IP address, you will need to change the site’s IP.
It is critical to note that you cannot just change a domain’s IP address without temporarily taking down the website while the new DNS settings propagate across the entire Internet. If you find yourself in this situation, the best bet is to lower the domain’s “Time To Live” (TTL) setting to a low value like 300 seconds (you can use WHM’s DNS zone file editor if your server is also running the domain’s DNS), and then wait until the following day to make the actual IP address change.
Step #3: Generating the Certificate Signing Request (CSR)
A CSR is a digitally signed file that is used to apply for an SSL certificate from a certificate vendor. If you would like a much more technical explanation please see Wikipedia.org Certificate Signing Request Info.
In WHM, find the navigation section labeled SSL/TLS and click on the link marked Generate an SSL Certificate and Signing Request.
The link will take you to a form that will ask for several pieces of information:
- If you check the When complete, email me the certificate, key, and CSR box, you can enter an email address here to which the server will deliver the finished CSR.
- The default value of 2048 is fine.
- The domain name(s) that will be using the new certificate. If you want the certificate to cover both www.yourdomain.com and yourdomain.com, you must enter it as “www.yourdomain.com” here. If you generate a CSR and order an SSL only for domain.com, then www.domain.com will not be covered by that SSL certificate. If you have any questions regarding this please contact Liquid Web support either by phone at 800.580.4985 or by logging in to your my.liquidweb.com dashboard and opening a new help desk ticket.
- The city where the business/organization is located. Please make sure this matches the address information found in the domain’s WHOIS information.
- The state where the business/organization is located. Please make sure this matches the address information found in the domain’s WHOIS information.
- The country where the business/organization is located. Please make sure this matches the address information found in the domain’s WHOIS information.
- The name of the business/organization. Please make sure this matches the address information found in the domain’s WHOIS information.
- The department/division of the organization that is responsible for the website. “Online” is a suitable value if you have nothing to specify here.
- An email address that is also listed in the WHOIS information for the domain you are working with. Please make sure this is a valid email address.
- A password to be used as part of the encryption mechanism for the CSR. Please be sure to write down this password and/or store it somewhere safe.
When you have finished filling out the form (and double checking what you entered for accuracy!) click on the Create button.
As long as there are no errors in your input, you will be presented with a summary page showing the three parts you just created:
1. Signing Request – The CSR
2. Certificate – A self-signed certificate generated by the server
3. Key – The Private Security Key
The server will email a copy of these three parts to the email address you entered above if you selected that option. Be sure to hang on to the email or copy and paste the three parts into a backup text file.
The Signing Request (CSR) is the part you will need to order the actual certificate, regardless of where you choose to order it.
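Before sending the CSR to a vendor, it is worth confirming that it names the host you intended (for example www.yourdomain.com rather than the bare domain) and carries a 2048-bit key. The following is an added example, not part of the original article or of WHM; it assumes the openssl command-line tool is available, and the function names, file names and sample subject are hypothetical.

```bash
#!/usr/bin/env bash
# Added example: review a CSR before sending it to a certificate vendor.

# Common name the CSR requests (RFC 2253 output keeps the format stable).
csr_common_name() {
  openssl req -in "$1" -noout -subject -nameopt RFC2253 2>/dev/null |
    sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

# RSA key size in bits, read from the CSR's text dump.
csr_key_bits() {
  openssl req -in "$1" -noout -text 2>/dev/null |
    sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p'
}

# Succeeds when the CSR parses and its self-signature verifies,
# i.e. the text was not damaged while being copied and pasted.
csr_signature_ok() {
  openssl req -in "$1" -noout -verify 2>&1 | grep -q 'verify OK'
}

# Prints "ok" or the first problem found.
# $1 = CSR file, $2 = host name the certificate must be issued for.
csr_check() {
  bits=$(csr_key_bits "$1")
  if ! csr_signature_ok "$1"; then echo "bad-signature"
  elif [ "$(csr_common_name "$1")" != "$2" ]; then echo "name-mismatch"
  elif [ "${bits:-0}" -lt 2048 ]; then echo "weak-key"
  else echo "ok"; fi
}

# Constructed sample input: a throwaway key and CSR for www.example.com.
make_constructed_csr() {  # $1 = output directory, $2 = common name
  openssl req -new -newkey rsa:2048 -nodes \
    -keyout "$1/key.pem" -out "$1/req.csr" \
    -subj "/C=US/ST=Michigan/L=Lansing/O=Constructed Example/CN=$2" \
    >/dev/null 2>&1
}

tmp=$(mktemp -d)
make_constructed_csr "$tmp" www.example.com
echo "requested for www.example.com: $(csr_check "$tmp/req.csr" www.example.com)"
echo "requested for example.com:     $(csr_check "$tmp/req.csr" example.com)"
rm -rf "$tmp"
```

To check a real request, save the Signing Request text from the WHM summary page to a file and pass that file to csr_check.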
Step #4: Using the CSR to Order the SSL Certificate
Ordering the Certificate Through Manage
Once you’ve obtained your CSR, you can order the SSL certificate right from your Manage interface.
Log into your Manage dashboard and click on the Create button at the top left, then select SSL Certificate from the list of options.
You can then paste your CSR into the Manual field on the Order an SSL Certificate screen, select the length of time for which you’d like the certificate to be valid, and finally click the Purchase SSL Certificate button to order the certificate and have it charged to your card on file.
There are three ways to verify the certificate:
- DNS Record: This method requires you to add a text record (TXT) to the authoritative DNS zone file for the domain. If the site is using Liquid Web nameservers you can do this in Manage by clicking on Domains in the left menu and then selecting the DNS tab.
- HTML Meta Tag: Requires you to add a meta tag into the head section of the index page on your website.
- E-Mail: An automated email will be sent to an authoritative address for the domain containing a link which you can click on to verify the certificate. Please note that the email verification option does not allow you to specify a custom address to which the verification email will be sent; you must choose from among a list of addresses considered to be authoritative, such as webmaster@, admin@, administrator@, etc.
To use one of the manual verification methods, you will need to obtain the verification data to add to the site’s DNS record or site code or specify the email address to which the verification link will be sent.
To do that, click on Overview in the left menu of your Manage dashboard, click on SSL Certificates under the Services section and then click the Dashboard button.
Click on your domain name and change the Method under the Verification section to your desired method: DNS Record, HTML Meta Tag or E-Mail.
Changing the verification type will show you the record expected for that method, or allow you to select the email address to which the verification link will be sent. Again, please note that the email verification option does not allow you to specify a custom address to which the verification email will be sent; you must choose from among a list of addresses considered to be authoritative, such as webmaster@, admin@, administrator@, etc.
Ordering the Certificate from Another Vendor
You can take the CSR and order your SSL certificate from any SSL provider.
While you are at the website of the provider, be sure to grab their “Certificate Authority Bundle” (CA Bundle). While this is considered optional, it is strongly recommended that the CA bundle be installed along with the rest of the certificate; otherwise modern browsers may display security warnings.
Unfortunately, each company/vendor has a different layout for their website, so we cannot provide you with specific instructions for every one of them. If you have trouble ordering the certificate, each vendor provides some type of support you can contact for help with using their website. If you find that you need additional assistance, a member of Heroic Support® can help you order and install an SSL certificate through GlobalSign or, should you prefer, even do so on your behalf.
Step #5: Installing the SSL Certificate
Log in to your server’s WHM, find the SSL/TLS navigation section again, and this time click on the link called Install an SSL Certificate on a Domain.
This will take you to a page that will ask for the parts of the certificate and the related domain information.
Gathering the Information Automatically
On the installation page, paste your SSL certificate into the Certificate field, then click the button labeled Autofill By Certificate.
Because you generated the CSR on the server, the Domain and Private Key fields should pre-populate.
Paste the vendor’s CA Bundle into the final text box labeled Certificate Authority Bundle, double check your work, and then click the Install button.
Entering the SSL Cert Pieces Manually
Enter the domain name exactly as the certificate will be using it. If you purchased a certificate for store.domain.com, then that is exactly what you will need to enter in the domain field. The IP address may appear automatically, but if not, enter it as well (if you need a reminder of what IP address to use, click on the List Accounts link and find the corresponding IP in the list). Be sure to also include the domain’s username on the server in the corresponding text field.
Copy and paste the CRT/Certificate into the first large text box (the certificate that you purchased, not the self-signed file we made earlier in Step #3) and then do the same thing with the RSA key we created earlier. Finally, copy and paste the certificate vendor’s CA bundle into the third large text box and click the Install button.
Be sure you have entered the correct certificate into the first large text box. The correct certificate that you want to use and the self-signed certificate will look very similar even though they behave very differently.
If you run into any errors after clicking submit, be sure to check all the input boxes for any unnecessary spaces or blank lines both before and after the text in the box.
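Because the purchased certificate and the self-signed one look alike as pasted text, a quick command-line check can tell them apart and confirm that the private key belongs to the certificate before you click Install. The following is an added example, not part of the original article or of WHM; it assumes the openssl command-line tool is available, and the function names, file names and the stand-in test CA are hypothetical.

```bash
#!/usr/bin/env bash
# Added example: classify a key/certificate pair before pasting it into WHM.

# Succeeds when issuer and subject are the same name, as in the
# self-signed certificate the server generates alongside the CSR.
is_self_issued() (
  s=$(openssl x509 -in "$1" -noout -subject_hash 2>/dev/null) &&
  i=$(openssl x509 -in "$1" -noout -issuer_hash 2>/dev/null) &&
  [ -n "$s" ] && [ "$s" = "$i" ]
)

# Succeeds when the certificate carries the public half of the private key.
key_matches_cert() (
  k=$(openssl pkey -in "$1" -pubout 2>/dev/null) &&
  c=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) &&
  [ -n "$k" ] && [ "$k" = "$c" ]
)

# Prints "key-mismatch", "self-signed" or "ok". $1 = key file, $2 = certificate.
preinstall_check() {
  if ! key_matches_cert "$1" "$2"; then echo "key-mismatch"
  elif is_self_issued "$2"; then echo "self-signed"
  else echo "ok"; fi
}

# Constructed sample input, written into directory $1.
make_constructed_samples() (
  cd "$1" || exit 1
  subj="/C=US/ST=Michigan/L=Lansing/O=Constructed Example/CN=www.example.com"
  # What Step #3 leaves you with: private key, CSR and self-signed certificate.
  openssl req -new -newkey rsa:2048 -nodes -keyout server.key \
    -out server.csr -subj "$subj" &&
  openssl x509 -req -in server.csr -signkey server.key -days 1 \
    -out selfsigned.crt &&
  # Stand-in for the vendor: a throwaway test CA signs the same CSR.
  openssl req -x509 -newkey rsa:2048 -nodes -keyout ca.key -out ca.crt \
    -subj "/CN=Constructed Test CA" -days 1 &&
  openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key \
    -CAcreateserial -days 1 -out issued.crt
) >/dev/null 2>&1

tmp=$(mktemp -d)
make_constructed_samples "$tmp"
echo "self-signed file: $(preinstall_check "$tmp/server.key" "$tmp/selfsigned.crt")"
echo "purchased file:   $(preinstall_check "$tmp/server.key" "$tmp/issued.crt")"
echo "wrong key:        $(preinstall_check "$tmp/ca.key" "$tmp/issued.crt")"
rm -rf "$tmp"
```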
Congratulations, your new SSL certificate is installed and running! To test, visit your site using https:// instead of the regular http:// in front of the domain name.