How Secure Web (SSL) Works

From XMission Wiki
Revision as of 13:35, 15 November 2018 by Jab (talk | contribs) (Purchasing your own Certificate)
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Jump to: navigation, search

Overview

Most web sites will use SSL encryption for collecting personal or confidential information. You'll most often see the use of SSL encryption when purchasing something online or viewing private statistics or documents. You'll notice that the URL (or web address) will start with "https://" instead of "http://". Your browser will recognize this is secure. The process is usually very smooth on the client's side. (This may be an option that you're looking into for your web site hosted by XMission.)

In more detail, SSL, Secure Sockets Layer, is the leading security protocol on the Internet. When an SSL session is started, the browser sends its public key to the server so that the server can securely send a secret key to the browser. The browser and server exchange data via secret key encryption during that session. This is designed to prevent eavesdropping, tampering, and message forgery.

An SSL certificate is a unique digital ID that can be used to verify the identity of a person, web site, or JavaScript/Java Applet. The certificate always includes a public key, the name of the entity it identifies, an expiration date, the name of the certificate authority (CA) that issued the certificate, the digital signature of the CA, and a serial number. These certificates use public key cryptography to sign and authenticate signatures and are protected by public and private key pairs linked by cryptographic algorithms. These keys have the ability to encrypt and decrypt information.

SSL Certificates are used for web sites, mail servers, and other Internet based applications.


Your Options

There are a few options available to you for using SSL encryption with your domain hosted on XMission. Here they are:


Buy your own certificate for your domain through XMission

Purchasing your own SSL Certificate is the ideal way to handle SSL requirements for your domain needs. XMission is an authorized reseller of GeoTrust SSL Certificates for your secure server needs. The process to purchase your own certificate is simple and straight forward.

  • Decide which certificate is best for your needs
  • Complete the order form online or by calling your XMission sales agent
  • Pay for the certificate by contacting XMission
  • XMission processed the request to the CA
  • You respond to the authorization email, verifying your identity
  • XMission completes installation

Please Note: A site with multiple domain names pointing to the SSL certified site should purchase a wildcard SSL certificate. Otherwise the site visitor will be presented with a browser error regarding the non-matching SSL certificate.

In most cases this can be done the same business day, largely depending on your ability to respond to the authorization verification email in a timely manner. In some instances, based on the certificate type, there may be additional verification that needs to take place will might add another day to the process. All around, it is pretty simple and painless.

Sales Information and Order Form: http://www.xmission.com/ssl/

Contact Sales: 801-539-0852, 877-964-7746 or sales@xmission.com

XMission's Certificate

Use XMission's certificate for your /~user web site.

You can use XMission's certificate to secure a web page hosted on our servers. This is generally a way for home users, or businesses looking to save money, to securely encrypt data without having to purchase an SSL Certificate. To do this, change the URL's of the pages you wish to secure to https://www.xmission.com/~username/securepage.html where you replace username with your XMission username and securepage.html with the page you wish to secure. For more details about using this method, please refer to the Secure Web (SSL) Tutorial.

This method can be problematic for you if you have your own www domain name in use. Reason being, you must use the XMission domain in the URL instead of www.yourdomain.com. Secure Certificates are very affordable and we would suggest you consider purchasing one through XMission.


Use an XMission generated certificate for your domain

If you have your own domain and you do not wish to use the XMission domain in the pages you wish to secure, you may get a certificate signed by XMission. A certificate signed by XMission is free of charge to any XMission customer. Once again, however, there is a problem with this method. Your visitors will be prompted with "Unknown Authority" (or something similar, depending on the browser used) when they first visit the secured pages. This has the possibility of scaring off potential clients or customers that are easily spooked by "hackers" or viruses. A certificate signed by XMission, however, is just as secure as a certificate signed by a public CA. You can request a certificate signed by XMission by filling out the request form.


Purchasing your own Certificate

Buy your certificate through an alternate CA and have XMission install it

The last means of using SSL with XMission would be to purchase a signed certificate and key from GeoTrust or another CA. When this is done, you will need to upload the signed certificate (public key) and the RSA key (private key) in PEM format. To make this process more secure, you may request that XMission generate the RSA key to be kept on XMission and send you the unsigned certificate. You can then have the certificate signed and returned to XMission with less threat of the RSA private key (which will not leave XMission's hands) being seen by another party.


To complete SSL Certificate process, please email ssl@xmission.com with the following information:

  • Do you want a certificate signed by XMission, or signed by another CA such as GeoTrust?
  • Your XMission account name.
  • Name of organization.
  • Which department of this organization is this for?
  • Website to be certified (i.e. www.domain.com or store.domain.com)
  • Contact email for website. (e.g. webmaster@domain.com)
  • City
  • State
  • Country
  • SSL Certificate Approver Email Address?
    • Must match Approver Email Address options as listed below or be rejected by SSL Registrar (e.g. ssladmin@domain.com, or whois admin/tech contact)
    • Verify the Approver Email Address provided is valid and working as this is where your certificate will be sent.

Approval Email

Approval of Your Certificate Request The SSL service relies upon the Subscriber or the Subscriber's authorized administrator to approve all certificate requests for all hosts in the domain. It is important that to select the correct authorized administrator below. By selecting an authorized administrator, you warrant to Certification Authority that the individual is authorized to approve the request. Requests will not be processed beyond this point if you select an incorrect Approver Email Address.

The following alternate addresses can be used for your Approver Email Address. Again, you must verify the email account has been set up and is available before submitting this order, or the approval email will not be delivered:

admin@domain.tld
administrator@domain.tld
hostmaster@domain.tld
webmaster@domain.tld
postmaster@domain.tld
admin@www.domain.tld
administrator@www.domain.tld
hostmaster@www.domain.tld
webmaster@www.domain.tld
postmaster@www.domain.tld
  • Once the validation email has been approved. The certificate will be sent to the Email Approver Address used when registering the certificate. Please verify this email address can receive email and is checked. If you require assistance let us know.

Please Note: A site with multiple domain names pointing to the SSL certified site should purchase a wildcard SSL certificate. Otherwise the site visitor will be presented with a browser error regarding the non-matching SSL certificate.



Public CA's

Here is a small list of public CA's you can purchase certificates from (in alphabetical order).

Digital Signature Trust Co. , Entrust, Equifax, GlobalSign, Thawte, Verisign


Legacy Shared Hosting