SSL

We should purchase our SSL certificate because SPDY technology works only on SSL sites. At first, we can try only with CloudFlare SSL support.

It must be at the 2048-bit encryption level because, as of August 2014, Google announced that they would be giving a higher weight to websites secured with appropriately issued 2048-bit SSL certificates, and additional weight may be added in the future.

Comodo Positive SSL is 2048-bit and can be bought for as low as $5, and Comodo Positive SSL Multi-Domain is $30 per year.

There are also free certificates. A good analysis is found here.

multi-domain SSL certificates

Forget about multi-domain SSL certificates. They are only a convenience, and not cheaper at all. You have to purchase a SAN (Subject Alternative Name) for every domain, and that way it still is NOT cheaper than single-domain SSL certificates.

Domain Validation SSL Certificates

Standard certificate where only a domain is validated (by email). Use this whenever you don’t need to sell anything on site.

EV SSL Certificates / Green address bar

These are verified by email (domain) but also by papers (identity).

Extended Validation Certificates

SSL on CloudFlare

CloudFlare issues 2048-bit keys by default (source).

Perfect for giving an impression to Google that the connection is secure, especially in light of the fact that use of SSL is now a ranking factor.

The best explanation of stuff like wildcard, SNI, multi-domain, SAN, etc. is here.

About SNI Technology

Server Name Indication (SNI) is an extension to the TLS computer networking protocol.

It enables us to use one IP address with multiple SSL certificates. You can use normal, single-domain certificates as well as any other type. Server Name Indication (SNI)

By default, in clean Plesk installations, the support for SNI is turned on (source).

If You Can Read This, You’re SNIing

Why is it beneficial to have a dedicated IP address?

Is it safe to use SNI SSL in production?

Validation Process

For domain validation, an email will be sent to an administrative contact for your domain. The email will contain a unique validation code and link. Clicking the link and entering the code will prove domain control.

SSL certificate validation methods

Validation Process Explained

How to install SSL certificate

Generate CSR

First you need to create a CSR (Certificate Signing Request). You can do that anywhere: there are a lot of online tools, and even Plesk has one. I used the one from CheapSSLSecurity because we ordered certificates from them.

Generating CSR in Plesk 12

OpenSSL CSR Tool - Create Your CSR Faster

Install SSL

To have a green icon, you have to install the complete chain of SSL certificates (put everything in the CA field).

In the CA field, don’t put the root certificate, as you would send unnecessary certificates in the SSL/TLS negotiation (the client already has the root in its trust store).

Installing an SSL certificate in Plesk 12

How to Install SSL certificate on Plesk

Covering both www and non-www domain?

These days, almost every SSL certificate secures both www and non-www URLs. The usual ones are always chained (PositiveSSL, RapidSSL).

A Comodo certificate ordered for domain.com is issued, signed and works for both domain.com and www.domain.com. And vice versa: if you order a certificate for www.domain.com, it will be issued for both www.domain.com and domain.com.

There is also one note, and I’m not sure if it’s true. You should try this!

Comodo PositiveSSL, Geotrust QuickSSL, RapidSSL etc. are domain validated certificates but work with www and non-www domain names. As your domain name is actually a subdomain in terms of the non-www URL, you can use any domain validated certificate for that. Please note that you need to generate the CSR with the www URL.

About certificate chains

If possible, the certificate chain should be as short as possible.

For example, muypotente.ch is third in its chain, and on hostingtipp.ch it is fourth. I’m not sure about the speed difference, but should test it.

Sources:

Interesting articles


Multi-domain does not include the www domain.


Only Comodo and Thawte SSL certificates can be reissued for a different subdomain of the hostname the certificate was originally issued for. For example, ssl-certificate-host.com can be reissued for sub.ssl-certificate-host.com and vice versa. Geotrust and Symantec Certificate Authorities do not have this option available at the moment.

How do I reissue my SSL certificate?


Revolutionary!


We are resellers of GoGetSSL, and the company behind it is EnVers from Riga.

Consumers Don’t Know Much About Security, But They Trust the Padlock and Green Bar When Shopping Online


TinyCert is a perfect place to store and manage our self-signed certificates.


  1. COMODORSADomainValidationSecureServerCA.crt
  2. COMODORSAAddTrustCA.crt
  3. AddTrustExternalCARoot.crt

cat www_example_com.crt COMODORSADomainValidationSecureServerCA.crt COMODORSAAddTrustCA.crt AddTrustExternalCARoot.crt > ssl-bundle.crt

WooW. Read this comment! Steps to install a Comodo PositiveSSL certificate with Nginx. · GitHub


We are obviously entering the era of “everything HTTPS”, as SSL certificates can now be obtained even for free via Let’s Encrypt. So there is no real need for http:// anymore, anywhere, ever.

There is no coming back.

The old recommendation was to use the protocol-relative link prefix // as the most flexible solution to support both HTTP and HTTPS. As there is no need for that anymore, the new recommendation is:

Always and everywhere, use https://. If the target doesn’t support it yet, it will very soon.

To summarize:

  • Tracking pixels must be prefixed with https:// or we will have a blocked content problem (mixed content, no green icon in the address bar).
  • Links can be whatever, as always.

Certificate Expiry Monitor

Cipherli.st - Strong Ciphers for Apache, nginx and Lighttpd

SSL Decoder


crt.sh is a certificate search site launched by Comodo in June 2015.

Let’s Encrypt publishes certificate transparency logs at crt.sh. In other words, hiding sites from the public by not publishing their (sub-)domain names anywhere will not work when you issue a certificate for the domain on services like Let’s Encrypt.

You can check any site’s certificate history; for example, check cvladan.com.


In 2022, there are other fully free SSL providers like Let’s Encrypt.

SSL For Free - Free SSL Certificates in Minutes

Certificate Authorities | Certify The Web Docs


Let’s Encrypt is still the best of all on the list, because free wildcard certificates (*.domain.com) are supported when using DNS validation.

go-acme/lego is incredibly good with an exceptional selection of DNS providers.

Certbot is one of the most popular tools for obtaining SSL certificates. However, I personally prefer not to use it because of the installation method using snap instead of apt, which I find complicated. Despite this, it does support a variety of DNS providers, as detailed in the User Guide, with certbot-dns-cloudflare being of particular interest. To simplify the installation process, I have devised a shortcut: sudo apt install certbot; sudo apt install python3-pip && pip install certbot-dns-cloudflare. Although the instructions may seem straightforward, as in the tutorial on obtaining a wildcard SSL certificate from Let’s Encrypt using the CloudFlare DNS provider by ServerPundits, the process is still quite intricate.

acmesh-official/acme.sh: A pure Unix shell script implementing ACME client protocol is the ACME shell script acme.sh, and precisely because of that I understand it easily, and it works everywhere. Besides that, Proxmox literally works with it, through the GUI. Note that ZeroSSL is the default, and it supports a ton of DNS API providers: acme.sh/dnsapi at master · acmesh-official/acme.sh, i.e. dnsapi · acmesh-official/acme.sh Wiki

Here I learned that Google also has its own completely free service, Google Trust Services CA · acmesh-official/acme.sh Wiki, and it supports multiple domains and wildcard domains.

date 19. Apr 2016 | modified 13. Sep 2024
filename: Server » SSL Explained