Secure Hosting

From DreamHost
Revision as of 08:02, 12 June 2012 by Andrew F (Talk | contribs)


Introduction

DreamHost allows you to set up Secure Hosting for any domain/sub-domain that you are hosting (under any active paid hosting plan). Secure Hosting allows visitors/customers to access that domain/sub-domain using the SSL protocol, which encrypts the data transmitted between their web browser and your web site. This is most often used for web sites that are doing eCommerce (selling products/services over the Internet). The reason for the increased security is to protect the privacy of visitors'/customers' transmission of personal, confidential, financial or billing (credit card) information over the Internet.

NOTE: Secure hosting is one of the most complicated features that we provide (aside from the various programming languages). This Wiki article will try to help introduce you to the terminology, technology, policies and procedures that are used to set it up and get things working properly. It's kind of like a "white knuckle" ride; scary the first time, but you get used to it the more you do it! ;-) I would recommend reading over this whole page several times if necessary until it starts to sink in. However, if you do have any questions, feel free to open a Support Request and ask us any questions you may have. See the Contacting Support section below for detailed instructions on how to do that properly.

Announcement

Effective April 5, 2011 ALL new and renewal SSL certificate orders will require Domain Control Validation even if the domain is registered in our system. Also, due to more stringent approval procedures it could take longer for SSL certificate orders to be completed once they have been approved. We apologize for any inconvenience this may cause.

Effective March 27, 2009 we will no longer be purchasing new or renewing signed SSL certificates through GeoTrust; instead we are reselling Comodo certificates rebranded as DreamHost SSL.

The main reasons for making this change:

  • It's easier! Completely automated ordering, renewal, and installation, right from our panel!
  • What!? You needed more reasons than that!? Come on!

DreamHost SSL signed certificate specifications:

  • Domain validated certificate (single)
  • 2048 bit Industry Standard SSL Certificate
  • Trusted by all popular Browsers
  • 99.3% Browser Compatibility
  • 128/256 bit encryption
  • Support (via e-mail & web)
  • 5-day refund policy

Terminology

Transport Layer Security (TLS) and its predecessor, Secure Sockets Layer (SSL), are cryptographic protocols that provide secure communications on the Internet for such things as web browsing, e-mail, faxing, instant messaging and other data transfers. There are slight differences between SSL 3.0 and TLS 1.0, but the protocol remains substantially the same.

Considerations and Caveats

The Secure Hosting service that we provide for our customers does NOT support "wildcard" (*.mydomain.com) type SSL certificates. That means that each domain or sub-domain that you want to set up secure hosting on will require its own unique IP address and SSL certificate. Please don't contact support asking "when will you provide support for wildcard SSL certificates?", it's probably never going to happen. Sorry.

Some customers set up a completely new sub-domain to host their secure site (e.g. "https://secure.mydomain.com/"). They may not even set up a regular/insecure hosting option for that sub-domain. Or they may set up a "redirect" option for the regular hosting that redirects connections to the secure hosting instead. However, this type of set up can be difficult to manage, and most modern shopping cart applications (like Zen Cart, which is one of our One-Click Installs) don't require a separate domain. It's actually easier to configure when the secure hosting is on the same domain as the main catalog site.

For simplicity's sake our recommendation is to set up secure hosting that is consistent with your main domain's hostname.

For example, it's best if your main domain is configured to work either with or without the "www" sub-domain. Since the "www" sub-domain prefix is quite outdated already I would personally recommend using your domain name without "www". You can update the hosting configuration for the regular/insecure hosting of your domain on our CONTROL PANEL by going to menu option (DOMAINS > MANAGE DOMAINS). Click on the "Edit" link under the "Web Hosting" section. If your domain is currently configured to be "fully hosted" you'll see the options on that page to select whether or not you want to use Both, add "www", OR remove "www". If you select either add "www" OR remove "www", requests will actually work both ways but will be rewritten internally by the Apache process to whatever you have the domain configured to use. This is perfectly safe to use, unless you have installed software on that domain that is configured internally to rewrite its URL to use the opposite of what you've just selected. The trick here is to reconfigure your installed software (e.g. WordPress, Joomla, ZenCart, etc.) to use the URL you intend to use. Then update the hosting configuration in our control panel to match. Once you've done that you're golden!

Now that you've got your regular/insecure domain set to use with OR without "www" you can set up your secure hosting to match. This will keep things nice and consistent. Consistency is a very good thing!

NOTE: Our (DreamHost SSL) signed SSL certificates do provide an extra feature that DOES allow it to work for both with OR without "www" automatically. However, it is recommended that you still set up your secure hosting for the correct domain and not fall-back on this feature to catch any mistakes.

NOTE: Setting up secure hosting on your domain does not mean all web traffic will necessarily be encrypted! Whether your web traffic is encrypted or not depends on what protocol you use (which is determined by the URL). For example, if you go to "http://mydomain.com/" (using the "http" protocol) your traffic will NOT be encrypted. Any directory you access (URI) under that domain (while using the "http" protocol) will not be encrypted. However, if you go to "httpS://mydomain.com/" (using the "httpS" protocol) your traffic WILL be encrypted, as will any directory (URI) you access. The S in "httpS" was capitalized just to make it stand out. The capitalization of the protocol doesn't matter. What this all means is that you can specify what gets encrypted by specifying which protocol to use in your URL (links). You can configure your shopping cart software (or whatever you want to use encryption) to use "https" when things should be encrypted (like taking personal and credit card information) and to use "http" for everything else, like your sales catalog, etc. Shopping cart software will build the links automatically according to the configuration you specify.

If you have not already done so you'll need to add a unique IP address to the domain/sub-domain that you want to set up secure hosting in. You can add one before setting up secure hosting or you can add it during the secure hosting set up process. Whenever you add or remove a unique IP address the DNS information for your domain will have to be updated to reflect this change. As with all DNS changes it can take between 4-72 hours for the DNS changes to fully propagate throughout the Internet. If your domain is configured to use our name servers for DNS resolution (NS1.DREAMHOST.COM, NS2.DREAMHOST.COM & NS3.DREAMHOST.COM) this change is usually transparent. We continue to keep the original hosting services active for 5 days on the old IP address so that there is no down-time during the DNS change propagation. After 5 days the old hosting services are automatically disabled leaving only the new services operational using the new unique IP address. This all happens behind the scenes so you don't really have to worry about it. But many customers ask about this so I figured I'd put it in the Wiki to answer their question. If however there are any problems with the new or old hosting services when DNS changes are made don't hesitate to open a Support Request. See this section for detailed instructions on how to do that properly.

If you're NOT using our name servers for your DNS then you'll need to update your name servers with the new IP address that was assigned to your domain.

  1. Log into our CONTROL PANEL.
  2. If you have more than one sub-account accessible, select the proper sub-account as the "Active Account". NOTE: If you have only one sub-account you can skip this step.
  3. In the left-hand menu column select (DOMAINS > MANAGE DOMAINS).
  4. Click on the "DNS" link for the domain/sub-domain in question. All of the current DNS information for that domain will be listed on that page.

Private keys are used to encode (amongst other things) Certificate Signing Requests (CSRs), which in turn are used to generate SSL certificates. The private key is something that should be kept very private (obviously). This is one of the ways that public key encryption is used to keep things secure. Only an SSL certificate that was generated from a CSR that was encoded with your private key can be installed on our server. If the SSL certificate and private key don't match, the installation will fail. Since all communication with our control panel is itself encrypted, storing your public keys in our control panel is perfectly safe, and it is an absolutely necessary place to keep them.

NOTE: If you purchase a signed SSL certificate from us (through our Control Panel) the certificate is intended to be used in our system and will be automatically installed in the secure hosting configuration for the domain it was purchased for. Although it is possible (in some cases) to purchase a signed SSL certificate from us and take it and use it elsewhere this is a quite complicated undertaking which we do NOT recommend unless you are familiar with how that is done. If you want to purchase the signed SSL certificate from us and use it elsewhere we can NOT provide assistance with that effort.

Costs and Requirements

In order to set up secure hosting a unique IP address is required for the domain/sub-domain.

Don't want to pay for unique IPs? [Vote up the suggestion] to leverage new Apache features that eliminate this need! Until that happens though...

Our costs are as follows:

  • Monthly - $3.95
  • Yearly - $47.40

When the unique IP address is added you have the option to select which billing option you'd like.

NOTE: For customers with our OLD "Strictly Business" and "Strictly Business for Non-Profits" hosting plans you're entitled to one free unique IP address per year. This free unique IP address will be applied to the FIRST unique IP address you set up. You can still purchase additional unique IP addresses and they will be charged at the regular rates. The renewals each year for that unique IP address will be free (as long as you maintain a "Strictly Business" hosting plan).

The unique IP address service will auto-renew at the end of its term (monthly or yearly) and the new charge applied to your account.

A FREE private key, Certificate Signing Request (CSR) and self-signed SSL certificate are automatically generated by our control panel and installed for you when you initially set up your secure hosting.

The FREE self-signed SSL certificate will provide excellent encryption. However, most web browsers will give a certificate warning message saying that the certificate is self-signed and might not be trustworthy. Potential customers will probably be put off by this warning and will not want to do business with your site if they get any certificate warnings/errors. If you intend to do business over the Internet, especially if you're going to take payments electronically then it is strongly recommended that you get/use a signed SSL certificate for your secure hosting.

Set Up

Before attempting to set up secure hosting please familiarize yourself with the information in the section Considerations and Caveats above! It's crucial that the initial set up is done correctly as there are some parameters that cannot be changed afterward (without removing and re-adding your secure hosting configuration).

To set up secure hosting on a domain/sub-domain:

  1. Log into our CONTROL PANEL.
  2. If you have more than one sub-account accessible, select the proper sub-account as the "Active Account". NOTE: If you have only one sub-account you can skip this step.
  3. In the left-hand menu column select (DOMAINS > MANAGE DOMAINS).
  4. Click on the wrench "Add" link (under the "Secure Hosting" section) for the domain/sub-domain in question.
  5. Fill in the fields appropriately and choose the options you want.
  6. Once that's done click on the "Add now!" button at the bottom of the form.

The system will use the information you provided to create a FREE private key, a Certificate Signing Request (CSR) and self-signed SSL certificate. They will be filled in the text fields on that form for you.

The FREE self-signed SSL certificate will provide excellent encryption. However, most web browsers will give a certificate warning message saying that the certificate is self-signed and might not be trustworthy. Potential customers will probably be put off by this warning and will not want to do business with your site if they get any certificate warnings/errors. If you intend to do business over the Internet, especially if you're going to take payments electronically then it is strongly recommended that you get/use a signed SSL certificate for your secure hosting.

Follow this link for step-by-step instructions with screen shots!

Purchasing a Signed SSL Certificate

There are several options if you'd like to replace the self-signed SSL certificate that we originally provide with a signed SSL certificate that will NOT give warning/error messages.

Option 1

"I want to purchase a signed SSL certificate from DreamHost SSL."

First, Set Up the secure hosting service itself. Our system will automatically create a private key, Certificate Signing Request and self-signed SSL certificate for you. See the Set Up section above for detailed instructions.

Step 1 Once you have the secure hosting service set up you can go back to (DOMAINS > MANAGE DOMAINS) in our control panel.

Step 2 Click on that "Certificates" link under the "Secure Hosting" section for the domain in question to enter the order/renewal interface.

Step 3 Check the radio button labeled "Use a professionally signed certificate" and fill in the fields as necessary. This information is used to generate the Certificate Signing Request that will be used to generate your new signed SSL certificate. The current private key installed in the control panel will be used to generate the Certificate Signing Request.

You can then select the term you'd like for your signed SSL certificate (1, 2 or 3 years are available).

Our cost is:

  • 1-year $15.00

NOTE: For customers with our OLD "Strictly Business" and "Strictly Business for Non-Profits" hosting plans you're entitled to one free signed SSL certificate per year. This free SSL certificate will be applied to the FIRST signed SSL certificate you attempt to purchase (each year). You can still purchase additional signed SSL certificates and they will be charged at the regular rates.

Step 4 Once you've got the form filled out properly click on the "Save changes now!" button at the bottom of the page. Within a few minutes you should receive an Order Approval e-mail (from validation@dreamhost.com) to the Domain Control Validation address you selected for this order. NOTE: Make sure that the address you selected is working BEFORE submitting the order!

Step 5 Click on the link contained in the e-mail and copy/paste the confirmation code in order to confirm the order on that web page. You should receive a confirmation that the order has successfully been approved.

Step 6 Within 2-48 hours of successfully approving the order your new signed SSL certificate (and intermediate certificate) should have been installed automatically in our control panel. Most orders are completed and installed within 2 hours of being approved; however, some domains may trigger our Certificate Authority to do an additional "brand-validation" process, which can take between 24-48 hours to complete. If you go back and click on the "SSL Cert" icon you should see your certificate details listed, which indicates the update was SUCCESSFUL. You should also receive another e-mail with your new SSL certificate information as a final confirmation. The confirmation e-mail will go to the WebID's contact addresses though, not to the approval e-mail address. This way it shows up in your account support history (in the control panel under (SUPPORT > SUPPORT HISTORY)).

Step 7 Test access to the secure hosting. You may need to refresh your browser if you get any certificate warning messages. If everything is OK then you're done!

However, if you do run into any problems submit a Support Request via our control panel and ask for assistance. See this section for detailed instructions on how to do that properly.

When the term for your signed SSL certificate is getting close to expiring we'll send you renewal notices. You can then follow this same procedure to renew it again if you want. See the Renewals Section for more information.

Option 2

"I want to purchase a signed SSL certificate from some other Certificate Authority."

If you'd rather purchase a signed SSL certificate from some other Certificate Authority you can do that too. You'll need the Certificate Signing Request (CSR) that was generated by our control panel in order to purchase a signed SSL certificate. You can copy that from our control panel, here's how...

  1. Go to menu option (DOMAINS > MANAGE DOMAINS)
  2. Click on the "Certificates" link (under the "Secure Hosting" section) for the domain in question.
  3. Click on the "Manual Configuration" radio button to expose the current certificate information. You'll see several large text fields on that page.
  4. COPY (not cut) the text from the Certificate Signing Request field.
  5. You'll need to paste that into the order form with whatever Certificate Authority you'd like to purchase your signed SSL certificate from.

IMPORTANT: When purchasing a signed SSL certificate you'll need to specify the server type. To use the SSL certificate on our servers you'll need to specify server type = "Apache 2.X w/MOD_SSL". Once you have successfully completed your purchase they will send you your signed SSL certificate. You can then replace the self-signed SSL certificate that we provided with this signed SSL certificate via the control panel. See the How To Update Your Certificate section for details.

Option 3

"I already have my own signed SSL cert I purchased elsewhere."

If you already have your own private key, Certificate Signing Request (CSR) and signed SSL certificate (in PEM format) you could install them yourself during the initial secure hosting set up process. Just check the appropriate option on the sign up page and paste that information into the appropriate fields. If you have your secure hosting set up already you can replace the information in our control panel.

IMPORTANT NOTE: If you already have a signed SSL certificate but do NOT have the corresponding private key then you will NOT be able to install it on our servers.

Option 4

Use a free Class 1 Certificate from StartSSL.com by doing the following:

  1. Create an account at StartSSL.com and backup the certificate that account creation installs in your browser
  2. Validate an email address using the validations wizard in the control panel
  3. Validate a domain name using the validations wizard
  4. Use the Certificates Wizard in the control panel to create a Web Server SSL/TLS Certificate
  5. Select Web Server SSL/TLS Certificate in the drop down box and click continue
  6. Enter and confirm the key password (>10 alphanumeric characters) and record the password somewhere safe
  7. Select the key size and click continue
  8. Click OK in the popup box to continue creating a private key and signed certificate
  9. Highlight and copy text in the text box including the -----BEGIN RSA PRIVATE KEY----- and -----END RSA PRIVATE KEY----- parts
  10. Paste the key text into a text file, ssl.key or ssl.key.txt, save it and click continue
  11. Enter the name of the top level domain you validated above i.e. mysite.net then click continue
  12. Enter a subdomain of the top level domain i.e. webmail and click continue
  13. Click continue on the next screen to process the certificate
  14. Highlight and copy text in the text box including the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- parts
  15. Paste the certificate text into a text file, ssl.crt or ssl.crt.txt, save it and click continue
  16. Return to the StartSSL.com control panel and select the Toolbox tab and Decrypt Private Key (the sixth entry)
  17. Paste the text from ssl.key or ssl.key.txt into the text box and enter the key password from step 3. above then click Decrypt
  18. Highlight and copy text in the text box including the -----BEGIN RSA PRIVATE KEY----- and -----END RSA PRIVATE KEY----- parts
  19. Paste the decrypted key text to a text file, plainssl.key or plainssl.key.txt
  20. Go to Toolbox, StartCom CA Certificates
  21. Download the StartCom Root CA (PEM encoded) file using right click file save as to save ca.pem
  22. Download the Class 1 Intermediate Server CA file using right click file save as to save sub.class1.server.ca.pem
  23. Concatenate ca.pem and sub.class1.server.ca.pem (can be done by adding .txt extensions opening them in notepad and copying sub.class1.server.ca.pem directly after ca.pem with no intervening spaces or carriage returns or use: cat ca.pem sub.class1.server.ca.pem >> ca-certs.pem in linux)
  24. From the DreamHost control panel under Domains, Manage Domains click the certificates button associated with the domain specified above
  25. Click the Manual Configuration radio button
  26. Leave the certificate signing request text box empty
  27. Paste the text from ssl.crt or ssl.crt.txt into the Certificate text box always including the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- header and footer parts
  28. Paste the text from the decrypted key file, plainssl.key or plainssl.key.txt into the Private Key text box including the header and footer then destroy the plainssl file securely (you can always regenerate it from the key password and the encrypted key as described above)
  29. Paste the text from the concatenated .pem files, ca-certs.pem, into the Intermediate Certificate text box including the header and footer parts
  30. Click the Save Changes Now button and wait a minute or two and no more untrusted site issues

Note: This stops the browser error messages when your https site is visited but a Class 2 or better certificate is probably more appropriate for e-commerce applications

How To Update Your Certificate

Ignore the installation instructions provided by your Certificate Authority! We have simplified the procedure considerably!

You can update your SSL certificate yourself quickly and easily via our control panel.

  1. Log into our CONTROL PANEL.
  2. If you have more than one sub-account accessible, select the proper sub-account as the "Active Account". NOTE: If you have only one sub-account you can skip this step.
  3. In the left-hand menu column select (DOMAINS > MANAGE DOMAINS).
  4. Click on the "Certificates" link (under the "Secure Hosting" section) for the domain in question.
  5. Click on the radio button labeled "Manual configuration".
  6. Paste the new SSL certificate text into the "Certificate" box. Overwrite the existing certificate text! NOTE: Be sure to include everything, including the "-----BEGIN CERTIFICATE-----" & "-----END CERTIFICATE-----" lines!
  7. Use the vertical scroll bars to view the entire contents of the "Certificate" box. Make sure that you have only one certificate installed. If not re-paste the proper certificate and verify again.
  8. If they also provided you with an intermediate certificate (or bundle file) you can install that yourself by pasting that into the "Intermediate Certificate" box (at the bottom of the page). Be sure to include everything, including the "-----BEGIN CERTIFICATE-----" & "-----END CERTIFICATE-----" lines, and there may be several of them so make sure to copy them ALL!
  9. Click on the "Save changes now!" button to make the change. If there are no errors the new certificate should be pushed out to the live servers within 15 minutes or so.
  10. Give the system about 15 minutes to push these changes to the live servers, then you can test your site to see if everything is OK. You will need to refresh your web browser if you accessed the site before performing the update! If you don't refresh you'll probably pull up a cached version of the site from before you updated the SSL certificate.

However, if you do run into any problems submit a Support Request via our control panel and ask for assistance. See this section for detailed instructions on how to do that properly.

NOTE: If you get the error message "key does not match cert" that means that the SSL certificate you're trying to install does not match the private key that is currently installed. This typically means that the Certificate Signing Request that was used to purchase the SSL certificate was not generated with the private key that is in the panel. See the Troubleshooting section below for more information on how to resolve this problem.
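The match the panel enforces can be checked on your own machine before you paste anything, by comparing the public key inside the private key, the certificate and the CSR. This is an added example, not DreamHost's tooling: it assumes the openssl command-line tool is installed, and the function names and file names (preflight, panel.key, signed.crt, panel.csr, other.key) are hypothetical.

```shell
#!/bin/sh
# Added example, not DreamHost tooling. Run locally before pasting PEM text
# into the panel's "Manual configuration" form. Function and file names are
# hypothetical; only standard openssl subcommands (pkey, x509, req) are used.

# Print the public key (PEM) carried by a private key, certificate or CSR.
pubkey_of() {   # $1 = key|cert|csr, $2 = PEM file
    case "$1" in
        # "-passin pass:" makes an encrypted key fail instead of prompting.
        key)  openssl pkey -in "$2" -passin pass: -pubout ;;
        cert) openssl x509 -in "$2" -noout -pubkey ;;
        csr)  openssl req  -in "$2" -noout -pubkey ;;
    esac 2>/dev/null
}

# Exit 0 only when both files carry the same public key.
same_pubkey() {   # $1 kind, $2 file, $3 kind, $4 file
    a=$(pubkey_of "$1" "$2") || return 2
    b=$(pubkey_of "$3" "$4") || return 2
    [ -n "$a" ] && [ "$a" = "$b" ]
}

# Number of certificates in a PEM file. The "Certificate" box must hold
# exactly one; the "Intermediate Certificate" box may hold several.
cert_count() {
    grep -c -e '-----BEGIN CERTIFICATE-----' "$1" || true
}

# True when the key file is passphrase-protected (either PEM flavour).
key_is_encrypted() {
    grep -q -e '^-----BEGIN ENCRYPTED PRIVATE KEY-----' \
            -e '^Proc-Type: 4,ENCRYPTED' "$1"
}

# Run every check; one line per finding, non-zero exit on any failure.
preflight() {   # $1 private key, $2 certificate, $3 optional CSR
    rc=0
    if key_is_encrypted "$1"; then
        echo "FAIL: private key is passphrase-protected; decrypt it first"; rc=1
    fi
    n=$(cert_count "$2")
    if [ "$n" != 1 ]; then
        echo "FAIL: certificate file holds $n certificates, expected 1"; rc=1
    fi
    if ! same_pubkey key "$1" cert "$2"; then
        echo "FAIL: key does not match cert"; rc=1
    fi
    if [ -n "${3:-}" ] && ! same_pubkey key "$1" csr "$3"; then
        echo "FAIL: CSR was not generated from this private key"; rc=1
    fi
    if [ "$rc" -eq 0 ]; then echo "OK: key, certificate and CSR agree"; fi
    return "$rc"
}

# Constructed demo material: throwaway keys for the placeholder mydomain.com.
make_fixture() {   # $1 = empty directory to fill
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=mydomain.com" \
        -keyout "$1/panel.key" -out "$1/signed.crt" 2>/dev/null &&
    openssl req -new -key "$1/panel.key" -subj "/CN=mydomain.com" \
        -out "$1/panel.csr" 2>/dev/null &&
    openssl genrsa -out "$1/other.key" 2048 2>/dev/null
}

demo() {
    d=$(mktemp -d) || return 1
    make_fixture "$d" || { rm -rf "$d"; return 1; }
    preflight "$d/panel.key" "$d/signed.crt" "$d/panel.csr"   # all agree
    preflight "$d/other.key" "$d/signed.crt"                  # wrong key
    rm -rf "$d"
}
demo
```

With your real files, save the panel's Private Key, Certificate and Certificate Signing Request fields to local files and call preflight on them; delete the local copy of the private key afterwards.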

NOTE: If you're not comfortable with updating the signed SSL certificate yourself (using the instructions provided above) you can submit a Support Request and ask us to install your SSL certificate for you. See this section for detailed instructions on how to do that properly. Just paste the text of the SSL certificate (and intermediate certificate if one was provided) from your Certificate Authority into your support request and we'll install it for you. There is no charge for this service!

Renewals

SSL certificates DO NOT auto-renew by default!

Certificate Authorities will send expiration/renewal reminders to the admin address about 30/60/90 days before the certificate's expiration date. This is to let you know that you MUST take action to renew the SSL certificate. Our system will send SSL certificate renewal notices to the account primary contact address 35 days before the expiration date of their SSL certificate. You can then manually initiate the renewal process in our control panel at that time.

NOTE: If you decide you don't want to renew the signed SSL certificate through us just submit a Support Request asking that we cancel that service and we will cancel it and refund the charge. See this section for detailed instructions on how to do that properly. When your SSL certificate expires web browsers will get a certificate error when the site is accessed and encryption will no longer function! Visitors to your secure hosting service will get a SSL certificate error in their browsers.

NOTE: If you find that GeoTrust continues to send you unnecessary renewal notifications just let us know and we'll contact them and have them disable this.

There are two ways to renew your signed SSL certificate:

Option 1

You can renew your signed SSL certificate by purchasing a renewal from us (DreamHost SSL).

Basically it's the same procedure as purchasing a new signed SSL certificate. See the Purchasing a Signed SSL Certificate Option 1 section above for information and instructions on how to process an order via our control panel. Since you already have your secure hosting set up you can proceed to "Step 1". The system should already recognize that your current SSL certificate is going to expire soon and will process a renewal order for you. Once the order has been approved it will install your renewed SSL certificate into our control panel automatically.

If you already have a signed SSL certificate purchased from us you can renew it by following these instructions.

Option 2

Renewing your SSL cert with another Certificate Authority.

If you want to renew it with another Certificate Authority you just need to copy the Certificate Signing Request that's currently in our control panel and use it to initiate the renewal process with them. You can access your Certificate Signing Request in our control panel.

  1. Log into our CONTROL PANEL.
  2. If you have more than one sub-account accessible, select the proper sub-account as the "Active Account". NOTE: If you have only one sub-account you can skip this step.
  3. In the left-hand menu column select (DOMAINS > MANAGE DOMAINS).
  4. Click on the "Certificates" link (under the "Secure Hosting" section) for the domain in question.
  5. Click on the radio button labeled "Manual configuration".
  6. COPY all of the text from the Certificate Signing Request field. NOTE: Be sure to include everything, including the "-----BEGIN CERTIFICATE REQUEST-----" & "-----END CERTIFICATE REQUEST-----" lines!
  7. Paste the Certificate Signing Request into your Certificate Authority's control panel to purchase a signed SSL certificate from them.
  8. When prompted make sure to select server type = "Apache w/MOD_SSL".
  9. Once your Certificate Authority has provided you with your signed SSL certificate you can install it yourself via the control panel. See the How To Update Your Certificate section for details.

NOTE: If you find that there is no Certificate Signing Request available in the control panel for that domain please see this section Regenerating a CSR (below) for instructions on how to replace it.

Regenerating A CSR

There are two ways to regenerate a CSR (Certificate Signing Request):

Option 1

We can MANUALLY create a new CSR for you using the current private key that you have in the control panel for your secure hosting configuration. You'll just need to supply us with some information to complete the process. Submit a Support Request via our control panel and ask that we recreate a CSR for you with the information you provide. See this section for detailed instructions on how to do that properly.

Please provide us with the following information:

  • Country Name (2 letter code):
  • State or Province Name (full name - no abbreviations!):
  • Locality Name (eg, city):
  • Organization Name (eg, company name):
  • Organizational Unit Name (eg, company section name):
  • Common Name (eg, SECURE DOMAIN NAME - include "www" if necessary):
  • Email Address:

Once you receive the new CSR file, you can install it via your Control Panel; click the "Certificates" link under the "Secure Hosting" section for the domain in question. Click on the radio button labeled "Manual configuration" and paste the CSR text in its entirety into the Certificate Signing Request field. Then click on the "Save changes now!" button at the bottom of the page.

You can then use this new CSR to order/renew a signed SSL certificate with another Certificate Authority if you like.

Option 2

Step 1 Go to menu option (DOMAINS > MANAGE DOMAINS) in our control panel.

Step 2 Click on that "Certificates" link under the "Secure Hosting" section for the domain in question to enter the order/renewal interface.

Step 3 Check the radio button labeled "Use a self-signed certificate" and fill in the fields as necessary. This information is used to generate the Certificate Signing Request that will be used to generate your new signed SSL certificate.

NOTE: Do NOT do this if you are already using a signed SSL certificate for this domain! If you do, the system will create a NEW private key, self-signed SSL certificate and Certificate Signing Request for that domain. You will NOT be able to use the previous signed SSL certificate again for this domain, as the new private key will not match the one that was originally used to generate your signed SSL certificate! Use the procedure outlined in "Option 1" (above) to regenerate the CSR for this domain.

Certificate Authorities

If you have chosen not to purchase a signed SSL certificate from us (DreamHost SSL), here is a (non-exhaustive) list of SSL Certificate Authorities:

I'd recommend checking with them to find the best price. Also note that the specifications for all SSL certificates are NOT the same. You have to compare features as well as prices to see what is the best value.

You can copy the Certificate Signing Request (CSR) from that field in our control panel and use it to purchase your signed SSL certificate from another Certificate Authority if you have not chosen to purchase one from us. When prompted, make sure to select server type = "Apache w/MOD_SSL" when purchasing your signed SSL certificate. Once your Certificate Authority has provided you with your signed SSL certificate, you can install it yourself via the control panel. See the instructions in the section "How To Update Your Certificate" for details.

Troubleshooting

Contacting Support

If you do find a problem that you cannot resolve, you can contact support for assistance. When you submit a support request, it's very important that you select the proper support "category" that reflects that you're having a problem with your "secure certificate".

Here's how to properly open a support ticket and select the correct category.

  • Log into our control panel using the WebID that owns the domain that you are having a problem with.
  • Select menu option (SUPPORT > CONTACT SUPPORT).
  • Always read any notices that may be listed at the top of the page. There could be a system-wide problem that is already being addressed that is causing the problem. If that's the case then you don't need to contact support for this issue.
  • (Step 1/5) If there is no system-wide problem that is causing this problem click on the "Website" option and click "Next".
  • (Step 1/5) Select the domain that is having a problem (if the domain in question is listed twice the "secure hosting" will be the 2nd one listed) and click "Next".
  • (Step 2/5) Review the information from the previous step, if all is correct click "Next".
  • (Step 3/5) If no results in the next step provide an explanation for the problem, click "Next".
  • (Step 4/5) Click on the "Show All Categories" link and scroll down. Select the option (E-Commerce > Secure Certificate) and click "Next".
  • (Step 5/5) In the "Subject" field enter "SSL certificate" and a very brief description of the problem (e.g. "domain mismatch error").
  • In the "Message" field enter a more detailed description of the problem.
  • Update the other fields as necessary and click the "Send Message Now" button (at the bottom of the page) to complete the process.

A technical support specialist will investigate the problem and get back to you within 24 hours (usually much less than that).

Here's how to withdraw a pending support request.

If you find that you've resolved the problem yourself, it resolved on its own or for whatever other reason you no longer require support for this issue, you can withdraw your support request from the system (provided a support specialist has not already begun to investigate the problem).

  • Log into our control panel using the WebID that you used to submit the support request originally.
  • Select menu option (SUPPORT > CONTACT SUPPORT).
  • Under the "Open Tickets" section you'll see all of the current open support requests under your WebID.
  • Click on the "Withdrawal Message" link (under the "Actions" section) for the support request in question.
  • That's it, the message has been withdrawn from the system.

Using a Dreamhost Certificate on another host

If you are using Apache and Ubuntu, I roughly followed the steps listed here:

http://library.linode.com/web-servers/apache/ssl-guides/using-ssl-ubuntu-9.10-karmic

However, I got certificate errors when I used Firefox. I was able to fix this by changing SSLCACertificateFile to SSLCertificateChainFile and using the intermediate certificate I found here:

https://support.comodo.com/index.php?_m=knowledgebase&_a=viewarticle&kbarticleid=881

Seal

For the signed SSL certificates purchased from us (through Comodo) you can use this seal graphic on your site...

(http://www.positivessl.com/images/seals/litessl_tl_trans.gif)

Just copy that graphic to your server and create a link to it on your site.
