September 27, 2006

How to set up a secure certificate

by Brian Turner

If you're new here, you may want to subscribe to my RSS feed. Thank you for visiting!

Secure ordering online

When you operate an ecommerce site, the likelihood is that you’ll need to use a secure server to take orders with.

Actually, it’s pretty essential.

Even if you don’t technically need a secure server connection for online payments, your online customers will almost certainly demand one, to ensure that their personal details - not least credit card information - is not openly available online for hackers.

So it’s now a matter of routine that any ecommerce site should use a secure connection for ordering.

The SSL Cert

A secure server connection requires a SSL Certificate.

Setting up a SSL cert involves even more fun technical terms such as CSR request, RSA key, and CRT (Self Signed Certificate).

It sounds pretty scary and intimidating if you’ve not set up a SSL cert on your server before, so this should help explain how to do it.

How to set up a SSL cert

Before we even buy a SSL cert, we need to generate a certification request from the server you’ll be hosting your website on.

Geotrust, a major SSL cert vendor, provides information on installation, so if you’re using command line login on your server, these should be useful to you.

We’ll assume that you’re not used to command line operation of your server and need help.

The first option is easy - simply email your webhost, and ask for a SSL certification request - a CSR. If you do so, be aware that you’ll need to provide some business details for the request.

Another option for those using the WHM/CPanel website admin panels on a reseller account, is to generate the CSR yourself.

Simply login into WebHostingManager (WHM), and scroll down the left-hand options (often near the bottom), and click on “Generate a SSL Certificate and Signing Request”.

NOTE: Some webhosts don’t have this feature enabled, so you’ll have to email them directly.

Information required for a certification request

Whether you email your host, or use WHM to generate the CSR, here’s the information you’ll need:

Email address for the certificate to be sent to
Hostname to make cert for
Company name
Division
City
State
Country

You may also be asked for an email and password for the CSR to be generated.

NOTE: Although most of the entries should be self-explanatory, there are a couple of issues you need to take very carefully into consideration.

Firstly, the Hostname is your website, without the HTTP or HTTPS and forward slash. And it’s very important to note that “www.mydomain.com” is a very different hostname to just “mydomain.com”. So decide which version you want to follow your HTTPS:// address.

Secondly, there’s a simple pitfall on country codes - and that’s if you’re in the UK, the country code is not UK, but GB. Make sure you get that right, or you’ll invalidate your certification request.

Now, if you asked your webhost to provide the CSR request using the above details you provided them with, you should now have an email with your CSR.

If you’re in CPanel, simply generate the request by inputting the information as requested and it will be sent to you via the email you provided.

What a CSR looks like

The CSR should look something like this:

—–BEGIN CERTIFICATE REQUEST—–
MIICHTCCAYYCAQAwgacxCzAJBgNVBAYTAkdCM
RswGQYDVQQIExJHcmVhdGVyIE1hbmNoZXN0ZX
IxDTALBgNVBAcTBEJ1cnkxEzARBgNVBAoTCkEyQ
iBPZmZpY2UxEzARBgNVBAsTCkEyQiBPZmZpY2Ux
HDAaBgNVBAMTE3d3dy5hMmJvZmZpY2UuY28ud
sxv7HRtSuY9yofEesW9dhhG0jddWeVaqYXNsECQ
QDOdaKPphZiC1clG5Hb0T4ZrMO8gnqITEUG6GvF
iCzDcfqrGeghNcac2b/SHPIexbGMitlTYTfITihY73
WmmywxAkAUSPo5z/Pa6Hv2ZEEd2Jk5LUxrc3eK
E2YvFxwSoURecuhR+TDwKSlKN9qk6UAORwEEH
TTRZoW2UH/FHPdMQS8BAkEAj0×8AJV8RMcBJkF
VfCP9TkE0c2Jha3GW2WfcocUHggEAMAwGA1Ud
EwQFMAMBAf8wDQYJKoZIhvcNAQEEBQADgYEA
KU/x7QuawBAHhOWQU0wpgcn5yoqswkxmYwje
RrO6LqEpRT60XJvrirASWOv1i1ytBH3PcB6YU+Ja
xRd1DwawTHtn+JbC3wgiWyp0Yo0hD3KjOz+Qs
uPE0IT53hVFQZULv80nAUDMzq5qlpzr1ELx2i1J
s9kjEX4oSdOFxIONs4w=
—–END CERTIFICATE REQUEST—–

You now have your certification request - well done!

Important note about email

Later on you’re going to need to choose from a very specific set of email addresses. To save on later pain, let’s get this cleared now - you want the email address “admin@yourdomain.com” setting up.

To do this, either:

1. Contact your webhost and have an email address set up on your ecommerce site domain;

2. If you can use CPanel fine, go to the CPanel screen for the domain you’re going to host the ecommerce website on, and go to the “mail” settings.

If “admin@yourdomain.com” doesn’t exist, then the easiest way to set one up is to select the “Forwarders” option from the “Mail” / “Mail Manager Menu”, then set up “admin” on the domain name and redirect email from this address to one of your main email addresses.

How to buy a SSL cert

The next stage is to go buy your SSL certificate.

There are various places to go, but it’s worth considering an SSL cert from Ev1servers, simply because it’s such a cheap and easy process.

You’ll probably be safest opting for the QuickSSL from Geotrust, as it’s a pretty hardy and respectable certificate, that should work fine for most SME ecommerce sites.

Once you’ve selected it, entered your card details, and paid for it, you should then get an email with further information on how to get your SSL certificate.

What to do with a CSR

If you bought the QuickSSL, your order email from EV1servers should include a link to the Geotrust site. If it doesn’t then contact EV1servers immediately.

Presuming all is fine, follow the link to the Geotrust site link. We’ll now find out what the CSR was for.

Setting up a SSL order

We’ve completed the SSL order and we have a CSR.

What we need to do now is add both together so that you can get an actual SSL certificate that will work uniquely with your ecommerce site.

Following the link into the Geotrust site, you’ll now be asked to set up your contact information. Go through that as required.

When you’re asked to provide your CSR, paste in the CSR in full that you got either from your webhost or generated yourself.

IMPORTANT: If the site won’t accept your CSR, then contact your host or go back to WHM immediately and work out what you did wrong (common mistakes being including http:// or https:// in front of your hostname, or else using the wrong country code - ie, UK instead of GB).

If the CSR is accepted fine you should then be asked to set up a contact for sending the actual certificate to.

VERY IMPORTANT: It’s very important at this stage to note that Geotrust will not allow you to chose a customised email - you *must* use an email address in a set given format.

Commonly, they will require “admin@yourdomain.co.uk” or “admin@www.yourdomain.co.uk”.

This is why earlier I advised you to set up the admin email account via your webhost or directly on CPanel.

If you do not have the correct designated email set up, you will not be able to receive your SSL certificate code!

If you do not have this email already on your website hosting account, then get it set up ASAP as described.

Presuming you followed instructions, select the appropriate email option - if admin@mydomain.com then it’s the Level 3 email option.

Once you’ve gone through that stage, you’ll go to phone verification.

SSL cert phone verification

For security purposes, you may have to undergo phone verification here.

It can look daunting, but it’s a simple step, really, and you don’t even need to use the phone number you set up as a contact in either the CSR or SSL cert order.

All you need to do is ensure that you have access to a phone and enter the number.

NOTE: When purchasing a Geotrust SSL cert, you don’t need to enter the country code, and if using a UK number, you don’t need the zero in front of the area code - but you must put the area code without the zero in brackets.

So if the number you wish to use were: 01667 455512
then you would simply enter: (1667) 455512

The phone authentification is pretty simple, and once you’ve followed the instructions on screen, you should have the actual certificate emailed to your admin email address as described above.