Hosting and SSL: Where to Begin
A web server can use SSL to protect information cryptographically, which is useful when a website handles visitors’ confidential personal data (e.g. credit card numbers, passport details etc.). First, a visitor must be sure that the data he or she sends will not be intercepted. Second, the SSL certificate confirms that the user is sending data to the server indicated in the browser address bar. Whether and how you can use SSL depends directly on what your website’s hosting supports.
So, you want your website to support cryptographically secure connections with a client’s browser. Your first step is to contact your hosting provider and find out whether they offer hosting plans with SSL support. Usually not every plan supports it, because SSL requires additional resources from a web host. What is more, some web hosting providers do not offer SSL at all. To enable it, a hosting provider has to allocate a dedicated IP address to each site. This option may be part of the standard plan, or it may be available for an additional fee. A website with SSL exchanges data over the HTTPS protocol, so the web server must be configured to use HTTPS. A web host may provide this configuration at a client’s request. Also make sure that the hosting provider supports the installation of clients’ own SSL certificates.
Once the hosting questions are settled, you need to think about the SSL certificate. The certificate is what allows a user’s browser to verify your website’s authenticity. SSL certificates are issued by certificate authorities (CAs). A web host may itself act as such an authority, in which case your website will use a certificate issued by your hosting provider. This is very convenient, but there is a serious restriction: most probably your web host is not a “commonly acknowledged” certificate authority. Visitors to your website will therefore receive warning messages from the browser’s security system saying that the organization which issued the certificate is not “trustworthy”.
The reason is that the browser’s list of certificate authorities does not contain every possible authority, only certain “authorized” ones. If you don’t want visitors to receive such messages, you may ask the user to add the authority which issued the certificate to the list of authorized ones (browsers usually allow users to do this). Or you can get the certificate from one of the “standard” authorized organizations. The best known of these is VeriSign (or Thawte, a company belonging to VeriSign). Other popular certificate authorities are COMODO, IdenTrust and Network Solutions.
To receive a certificate, you need to apply either directly to one of the certificate authorities or to an authorized representative of such an authority. Before getting an SSL certificate, choose the certificate type which best meets your requirements. SSL certificates differ, for example, in the cryptographic strength of the protocols they use and in the mechanisms used to check authenticity. The procedure for obtaining an SSL certificate consists of several steps. First of all, you need to prepare a so-called Certificate Signing Request (CSR). This is a message containing: 1) a public key (from the generated “public key – private key” pair), which will be part of the certificate and will be given to the visitors of your website, and 2) information about the website’s owner. The CSR information is needed to form the certificate. You may generate the CSR yourself if you have sufficient rights to manage the hosting service and you know the technical parameters. Otherwise you can do it with the help of the web host’s support service. The CSR format must conform to the standards used by the certificate authority. Besides the technical parameters and the website’s address, you have to provide information about the certificate’s owner. (Bear in mind that the private key associated with the CSR must be kept absolutely secret and must not be disclosed to anybody.)
The prepared CSR is sent to the certificate authority, which verifies the information presented. The verification procedure may take several days. After successful verification, the authority issues an SSL certificate.
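The CSR preparation described above can be done with the openssl command-line tool. The script below is an added example, not part of the original article: it generates a key pair and a CSR, then runs the checks worth doing before the request is submitted. The domain www.example.com and the owner fields are placeholder values.

```shell
#!/bin/sh
# Added example: create a key pair and CSR, then check both before submission.
# www.example.com and the subject fields below are placeholder values.
set -eu

# make_csr DIR DOMAIN: writes DIR/DOMAIN.key (private key) and DIR/DOMAIN.csr.
make_csr() (
    umask 077   # the private key must be readable by its owner only
    openssl req -new -newkey rsa:2048 -nodes \
        -keyout "$1/$2.key" -out "$1/$2.csr" \
        -subj "/C=US/O=Example Org/CN=$2" 2>/dev/null
)

# SHA-256 of the public key carried in a CSR / derived from a private key.
csr_pubkey_hash() { openssl req -in "$1" -noout -pubkey | openssl sha256 | awk '{print $NF}'; }
key_pubkey_hash() { openssl pkey -in "$1" -pubout | openssl sha256 | awk '{print $NF}'; }

# A CSR is signed with the private key; this checks that signature.
csr_signature_ok() { openssl req -in "$1" -noout -verify 2>&1 | grep -q "verify OK"; }

# Domain name (CN) the CSR asks the authority to certify.
csr_domain() {
    openssl req -in "$1" -noout -subject -nameopt RFC2253 |
        sed 's/.*CN=\([^,]*\).*/\1/'
}

# True when neither group nor others have any permission on the key file.
key_is_private() { [ "$(ls -l "$1" | cut -c5-10)" = "------" ]; }

work=$(mktemp -d)
trap 'rm -rf "$work"' EXIT
make_csr "$work" www.example.com
csr="$work/www.example.com.csr"
key="$work/www.example.com.key"

csr_signature_ok "$csr" && echo "CSR signature: OK"
key_is_private "$key" && echo "private key permissions: owner only"
echo "CSR requests a certificate for: $(csr_domain "$csr")"
if [ "$(csr_pubkey_hash "$csr")" = "$(key_pubkey_hash "$key")" ]; then
    echo "public key in the CSR matches the private key"
else
    echo "MISMATCH: this CSR was not made from this key" >&2
fi
```

Only the .csr file goes to the certificate authority; the .key file stays on the server.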
The certificate is electronic: it is a block of data generated in accordance with the data formats used by SSL and its related technologies. The certificate certifies the domain name of the website, i.e. it confirms that the public key presented by the website’s owner corresponds to the domain a visitor sees in the browser address bar. That is why a new certificate is needed for each new website (or, to be exact, for each domain name). After you receive the certificate, you need to install it on your hosting. A hosting provider should provide the means for installing clients’ certificates. Usually certificate installation is managed through the hosting control panel.
Now the browser of a visitor to your website will be able to verify the site’s authenticity against the certificate authority which issued the certificate. This verification is carried out automatically while the SSL connection is being established. The browser checks the presented certificate against its own database of certificate authorities.
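The check against the browser’s list of authorities, and the warning that appears when the issuer is missing from it, can be reproduced with openssl. This is an added example, not part of the original article, and every name in it is constructed: “Hosting Provider CA” stands for a web host that issues its own certificates, “Well-Known CA” for an authority already in the list, and store.pem for the list itself.

```shell
#!/bin/sh
# Added example with constructed names: "Hosting Provider CA" stands for a
# web host issuing its own certificates, "Well-Known CA" for an authority
# that is already in the browser's list (store.pem here).
set -eu

# new_ca DIR NAME "Common Name": self-signed CA certificate DIR/NAME.crt
new_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=$3" \
        -keyout "$1/$2.key" -out "$1/$2.crt" 2>/dev/null
}

# issue DIR CA DOMAIN: the authority named CA signs a certificate for DOMAIN
issue() {
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$3" \
        -keyout "$1/$3.key" -out "$1/$3.csr" 2>/dev/null
    openssl x509 -req -in "$1/$3.csr" -days 30 -CAcreateserial \
        -CA "$1/$2.crt" -CAkey "$1/$2.key" -out "$1/$3.crt" 2>/dev/null
}

# trusted STORE CERT: succeeds only if CERT chains to an authority in STORE
trusted() { openssl verify -CAfile "$1" "$2" 2>&1 | grep -q ': OK$'; }

# Name of the authority that signed CERT
issuer_of() {
    openssl x509 -in "$1" -noout -issuer -nameopt RFC2253 | sed 's/^issuer= *//'
}

d=$(mktemp -d)
trap 'rm -rf "$d"' EXIT
new_ca "$d" known "Well-Known CA"
new_ca "$d" host "Hosting Provider CA"
issue "$d" host www.example.com
site="$d/www.example.com.crt"
cp "$d/known.crt" "$d/store.pem"      # the list before the user changes it

trusted "$d/store.pem" "$site" ||
    echo "warning: issuer '$(issuer_of "$site")' is not in the list"

cat "$d/host.crt" >> "$d/store.pem"   # the user adds the issuing authority
trusted "$d/store.pem" "$site" && echo "certificate accepted"
```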
A detailed list of certificate authorities may be found in the Open Directory Catalogue.