Secure Hosting

From DreamHost
(Redirected from Public Key Certificates)
Jump to: navigation, search

Overview

Secure Hosting allows your site to be accessed using the HTTPS protocol which encrypts the data transmitted between a visitor's web browser and your website. This is accomplished by adding an SSL certificate to your domain. Most often, the HTTPS protocol is used with eCommerce web sites that sell products/services over the internet. The reason for the increased security is to protect the privacy of a visitor's/customer's transmission of personal, confidential, financial, or billing (credit card) information when making a transaction on a web site.

On a more technical note, SSL (Secure Sockets Layer) is is the predecessor of TLS (Transport Layer Security). Both are cryptographic protocols designed to provide security over a network.

DreamHost allows you to set up Secure Hosting (which creates a free self-signed SSL certificate) for any domain/subdomain that you are hosting under any active paid hosting plan.

Important icon.png Important: For detailed instructions on how to add an SSL certificate to your domain, renew an SSL certificate, or generate a CSR, please review the following wikis:


Considerations and Caveats

The following are a few things you should be aware of before purchasing an SSL certificate.

Wildcard Certs

The Secure Hosting service that DreamHost offers does not support wildcard-type (*.mydomain.com) SSL certificates. This means each domain/subdomain that you set up Secure Hosting on requires its own SSL certificate.

Single vs. Separate Secure Sites

It's usually a good idea to create a single site that uses both HTTP and HTTPS. For example, some site owners create a completely new subdomain to host the secure site such as "https://secure.mydomain.com". They may not even set up a regular/insecure option for this subdomain. Or, a redirect will be set up on the primary domain that redirects connections to the secure subdomain. However, this type of configuration can be difficult to manage and most modern shopping cart applications (such as Zen Cart) do not require a separate subdomain. When possible, DreamHost recommends that you configure hosting on the same URL as the main site.

Forcing or removing the www subdomain

DreamHost also recommends that you set up Secure Hosting which is consistent with your main domain's hostname, so that the URL either forces the www subdomain or removes it. You can choose to force or remove it on the (Panel > 'Domains' > 'Manage Domains') page.

  1. Click on the Edit link under the 'Web Hosting' column to the right of your domain.
    The 'Manage Domains' page appears for your domain:
    01 Add a domain.png
  2. Select which one of the three options you would like to use.
    If your domain is configured to be Fully Hosted, you'll see the following options:
    • Leave it alone: Both
    • Add WWW
    • Remove WWW
    If you choose to add or remove WWW, requests will actually work both ways but will be rewritten internally by the Apache web server configuration. Either is perfectly safe to use unless you have installed software on the domain which is configured internally to rewrite its URL to use the opposite of what you've selected in your panel. If that's the case, you must reconfigure your installed software (i.e., WordPress, Joomla, ZenCart, and so on) to use the URL you have chosen in the panel.
Note2 icon.png Note: When you purchase an SSL certificate, you are given the option to specify your URL, in that you can choose to add the www subdomain or remove it. DreamHost SSL certificates provide an extra feature that allows them to work with both. However, it's recommended that you still set up your Secure Hosting for the correct domain/subdomain and not rely on this feature to catch any mistakes.


Not all traffic is encrypted

Adding an SSL certificate to your domain does not mean all web traffic will necessarily be encrypted. Whether your web traffic is encrypted or not depends on what protocol you use. This protocol is determined by the URL. For example, if you go to http://youdomain.com, your traffic will not be encrypted. Any directory you access under that domain while using http in the URL will also not be encrypted. However, if you use httpS://yourdomain.com, your traffic will be encrypted as well as any directory you access.

Note2 icon.png Note: The 'S' in httpS was capitalized just to make it stand out. The capitalization of the protocol does not matter.


This means you can specify what gets encrypted by choosing which protocol to use in the URL links. You can configure your site to use https when things should be encrypted such as personal and credit card information. Otherwise, you can choose to use http for everything else such as information about a sales catalog. Shopping cart software will build these links according to the configuration you specify.

Private Keys

Private keys are used to encode Certificate Signing Requests (CSR) which in turn are used to generate SSL certificates. The private key should always be kept private and never divulged to anyone. This is one of they ways that public key encryption is used to secure data. Only an SSL certificate that was generated from a CSR (that was encoded with your private key) can be installed on DreamHost's servers. If the SSL certificate and private keys do not match, the installation will fail. Since all communications with the DreamHost panel are automatically encrypted, storing your public keys in the panel is a safe place to keep them.

Using a DreamHost SSL certificate with another company

If you purchase a signed SSL certificate from DreamHost within the panel, the certificate is intended to be used within the DreamHost system and will be automatically installed in the Secure Hosting configuration of the domain it was purchased for. Although it is possible to purchase a signed SSL certificate from DreamHost and then use it elsewhere, this is a complicated process which support does NOT recommend unless you are very familiar with how this is done. Please note that if you want to purchase a signed SSL certificate from DreamHost and use it at another host, support cannot provide assistance with this.

SNI

Unique IPs are most commonly used with domains that have Secure Hosting enabled. While it is possible to use Secure Hosting without a Unique IP, some older browsers which do not support Server Name Indication display a certificate warning when viewing your site.

The following browsers do NOT support Server Name Indication (SNI):

  • Internet Explorer (any version) on Windows XP or Internet Explorer 6 or earlier
  • Safari on Windows XP
  • BlackBerry OS 7.1 or earlier
  • Windows Mobile up to 6.5
  • Android default browser on Android 2.x (Fixed in Honeycomb for tablets and Ice Cream Sandwich for phones)
  • wget before 1.14
  • Java before 1.7
  • Nokia Browser for Symbian at least on Series60
  • Opera Mobile for Symbian at least on Series60

For more information, please see this wiki article on SNI to view unsupported SNI combinations.

Costs and Requirements

Unique IP

A unique IP address is NOT required to enable Secure Hosting. However, if you plan to use an eCommerce application we strongly recommend that you add a unique IP address to provide maximum compatibility with all internet browsers.

For more information about Unique IP addresses (including instructions for adding one to your domain), take a look at our Unique IP wiki.

Self-signed vs. Professionally-signed Certificate

You have the option to create a free self-signed certificate or a paid professionally-signed certificate for your domain. They function the same, but if you choose to use a free self-signed certificate, users will see a warning message in the browser when visiting the site.

The the following warning message appears in FireFox when visiting a site using a free self-signed certificate:
02 Secure Hosting Firefox Warning.fw.png

Potential customers might be discouraged by a certificate warning/error message and may not wish to do business with your site when they see this. If you intend to do business over the internet, especially if you're going to handle electronic transactions, then DreamHost strongly recommends that you purchase a signed SSL certificate for your domain.

You can add a self-signed certificate by adding Secure Hosting to your domain on the (Panel > ‘Domains’ > ‘Secure Hosting’) page. Once you add it, a FREE private key, Certificate Signing Request (CSR), and self-signed SSL certificate are automatically generated and installed for you when you initially set up your Secure Hosting.

If you’d like to purchase a professionally-signed certificate:

  • You must first add Secure Hosting to the domain.
  • You can then purchase a professionally-signed certificate on the same Secure Hosting page.
  • The cost for a signed certificate is $15/year.

Troubleshooting unencrypted elements

A common issue after adding an SSL certificate is that your browser still shows your site as insecure. In this example, an index.html page was created with the following code from w3schools.com image tag

<img src="http://www.w3schools.com/html/pic_mountain.jpg" alt="Mountain View" style="width:304px;height:228px;">

Notice how the URL is directly linked with 'http' at the beginning. When visiting the site in Firefox, the following is displayed:

01 SSL troubleshooting.png

You can see the padlock icon in the top left of the browser shows a warning icon instead.

Cause of this error

If you click on the warning icon the text explains that there are 'unencrypted elements' on the page you're viewing.

From the example above, this is happening because the image was linked using 'http' and not 'https'. Another way to confirm what on your site is linked insecurely is to use the following site:

Fixing unencrypted elements

There are two solutions:

  • Link all external image files using 'https'. This is called an 'absolute link'
  • Link all internal image files (files on your web server) using relative links.

See Also