SSL

We should purchase our SSL certificate because SPDY technology works only on SSL sites. At first, we can try only with CloudFlare SSL support.

It must be 2048-bit encryption level because as of august 2014, Google announced that they would be giving a higher weight to websites secured with appropriately issued 2048-bit SSL certificates and additional weight may be added in the future.

Comodo Positive SSL is 2048 bit and can be bought for as low as $5. and Comodo Positive SSL Multi-Domain is $30 per year.

There are also a free certificates. Good analasys is found here.

• SSL Certificates from Namecheap also
• Cheap SSL Certificates from Namecheap.com
• Cheap SSL Certificates

multi-domain SSL certificates

Forget about multi-domain SSL certificates. It is only a convenience, and it’s not cheaper at all. You have to purchase a SAN (Subject Alternative Name) for every domain. And in that way - it still is NOT cheaper than single SSL’s.

Domain Validation SSL Certificates

Standard certificate where only a domain is validated (by email). Use this whenever you don’t need to sell anything on site.

EV SSL Certificates / Green address bar

These are verified by email (domain) but also by papers (identitiy).

Extended Validation Certificates

SSL on CloudFlare

CloudFlare issue 2048-bit keys by default (source).

Perfect for giving an impression to Google that the connection is secure, especially in light of the fact that use of SSL is now a ranking factor.

Best explanation of stuff like wildcard, SNI, multi-domain, SAN, etc is here here.

About SNI Technology

Server Name Indication (SNI) is an extension to the TLS computer networking protocol.

It enables us to use one IP and multiple SSL certificates. You can use normal, single domain certificates as well as any other type. Server Name Indication (SNI)

By default, in clean Plesk installations, the support for SNI is turned on (source).

If You Can Read This, You’re SNIing Why is it beneficial to have a dedicated IP address? Is it safe to use SNI SSL in production?

Validation Process

For domains validation, you will be sent an email to an administrative contact for your domain. The email will contain a unique validation code and link. Clicking the link and entering the code will prove domain control.

SSL certificate validation methods Validation Process Explained

How to install SSL certificate

Generate CSR

First you need to create a CSR (Certificate Signing Request). You can do that enywhere - lot of online tools, and even Plesk has it. I used the one from CheapSSLSecurity because we ordered certificates from them.

Generating CSR in Plesk 12 OpenSSL CSR Tool - Create Your CSR Faster

Install SSL

To have a green icon, you have to install complete chain of SSL certificates (put everyting in CA field).

In CA field don’t put root certificate as you will send unnecessary certificates in the SSL/TLS negotiation.

Installing s SSL certificate in Plesk 12 How to Install SSL certificate on Plesk

Covering both www and non-www domain?

These days, almost every SSL certificate secure both www and non-www urls. The usual ones are always chained (PositiveSSL, RapidSSL)

Comodo certificate ordered for domain.com is issued, signed and works both for domain.com and www.domain.com. And vice versa: if you order a certificate for www.domain.com, it will be issued for both www.domain.com. and domain.com.

There is also one note - not sure if it’s true. You should try this!

Comodo PositiveSSL, Geotrust QuickSSL, RapidSSL etc these are the domain validated certificates but works with www and non-www domain names. As your domain name actually a sub domain in terms of non-www url you can use any domain validated certificate for that. Please note that you need to generate CSR with www URL.

About certificate chains

If possible, the certificate chain should be shortest possible.

For example, muypotente.ch is third in chain, and on hostingtipp.ch is fourth. I’m not sure about the speed difference, but should test it.

Sources:

• What is the SSL Certificate Chain?
• How do SSL chains work?

Interesting articles

• Namecheap.com SSL Knowledgebase

Multi-domain does not include www domain.

Only Comodo and Thawte SSL certificates can be reissued for a different subdomain of the hostname the certificate was originally issued for. For example, ssl-certificate-host.com can be reissued for sub.ssl-certificate-host.com and vice versa. Geotrust and Symantec Certificate Authorities do not have this option available at the moment.

How do I reissue my SSL certificate?

Revoltionary!

• Let’s Encrypt alexalouit/ISPConfig-letsencrypt

  On Plesk: Let’s Encrypt - Plesk Extensions Let’s Encrypt with DirectAdmin or other Web Control Panels - Raymii.org

• WoSign: Free 2y multi-domain SSL certificate (SAN/UCC)

We are resellers of GoGetSSL, and this is a back-company: EnVers from Riga.

Consumers Don’t Know Much About Security, But They Trust the Padlock and Green Bar When Shopping Online

TinyCert is a perfect place to store and manage our self-signed certificates.

1. COMODORSADomainValidationSecureServerCA.crt
2. COMODORSAAddTrustCA.crt
3. AddTrustExternalCARoot.crt

cat www_example_com.crt COMODORSADomainValidationSecureServerCA.crt COMODORSAAddTrustCA.crt AddTrustExternalCARoot.crt > ssl-bundle.crt

WooW. Read this comment! Steps to install a Comodo PositiveSSL certificate with Nginx. · GitHub

We are obviously entering era of “everything HTTPS” as SSL certificates can now be obtained even for free, via Let’s Encrypt. So there is no real need for http:// anymore, anywhere - ever.

There is no coming back.

Old recommendation was to use link prefix without protocol // as it is the most flexible solution to support both HTTP and HTTPS. As there is no need for that anymore, the new recommendation is:

Always & everywhere, use https://. If target doesn’t support it immediately, it will very soon.

To summarize:

• Tracked pixels must be prefixed with https:// or we will have blocked content problem (mixed content, no green icon in address bar).
• Links can be whatever, as always.

Certificate Expiry Monitor Cipherli.st - Strong Ciphers for Apache, nginx and Lighttpd SSL Decoder

crt.sh is certificate search site launched by Comodo in June 2015

Let’s Encrypt publishes certificate transparency logs at crt.sh. In other words, hiding sites from the public by not publishing their (sub-)domain names anywhere will not work when you issue a certificate for the domain on services like Let’s Encrypt.

You can check any site history, for example check cvladan.com