We should purchase our SSL certificate because SPDY technology works only on SSL sites. At first, we can try only with CloudFlare SSL support.
It must be at the 2048-bit encryption level, because as of August 2014 Google announced that they would be giving a higher weight to websites secured with appropriately issued 2048-bit SSL certificates, and additional weight may be added in the future.
Comodo Positive SSL is 2048-bit and can be bought for as low as $5, and Comodo Positive SSL Multi-Domain is $30 per year.
There are also free certificates. A good analysis is found here.
- SSL Certificates from Namecheap also
- Cheap SSL Certificates from Namecheap.com
- Cheap SSL Certificates
Multi-domain SSL certificates
Forget about multi-domain SSL certificates. They are only a convenience, and not cheaper at all. You have to purchase a SAN (Subject Alternative Name) for every domain, so it still is NOT cheaper than single SSL certificates.
Domain Validation SSL Certificates
Standard certificate where only a domain is validated (by email). Use this whenever you don’t need to sell anything on site.
EV SSL Certificates / Green address bar
These are verified by email (domain) but also by papers (identity).
SSL on CloudFlare
CloudFlare issues 2048-bit keys by default (source).
Perfect for giving an impression to Google that the connection is secure, especially in light of the fact that use of SSL is now a ranking factor.
The best explanation of things like wildcard, SNI, multi-domain, SAN, etc. is here.
About SNI Technology
Server Name Indication (SNI) is an extension to the TLS computer networking protocol.
It enables us to use one IP and multiple SSL certificates. You can use normal, single domain certificates as well as any other type.
By default, in clean Plesk installations, the support for SNI is turned on (source).
For domain validation, an email will be sent to an administrative contact for your domain. The email will contain a unique validation code and link. Clicking the link and entering the code will prove domain control.
How to install SSL certificate
First you need to create a CSR (Certificate Signing Request). You can do that anywhere - there are a lot of online tools, and even Plesk has it. I used the one from CheapSSLSecurity because we ordered certificates from them.
To have a green icon, you have to install the complete chain of SSL certificates (put everything in the CA field).
Don’t put the root certificate in the CA field, as you would send unnecessary certificates in the SSL/TLS negotiation.
Covering both www and non-www domain?
These days, almost every SSL certificate secures both www and non-www URLs. The usual ones are always chained (PositiveSSL, RapidSSL).
A Comodo certificate ordered for domain.com is issued, signed and works both for domain.com and www.domain.com. And vice versa: if you order a certificate for www.domain.com, it will be issued for both www.domain.com and domain.com.
There is also one note - not sure if it’s true. You should try this!
Comodo PositiveSSL, Geotrust QuickSSL, RapidSSL etc. are domain validated certificates but work with www and non-www domain names. As your domain name is actually a subdomain in terms of the non-www URL, you can use any domain validated certificate for that. Please note that you need to generate the CSR with the www URL.
About certificate chains
If possible, the certificate chain should be as short as possible.
For example, muypotente.ch is third in chain, and on hostingtipp.ch is fourth. I’m not sure about the speed difference, but should test it.
Multi-domain does not include www domain.
Only Comodo and Thawte SSL certificates can be reissued for a different subdomain of the hostname the certificate was originally issued for. For example, ssl-certificate-host.com can be reissued for sub.ssl-certificate-host.com and vice versa. Geotrust and Symantec Certificate Authorities do not have this option available at the moment.
TinyCert is a perfect place to store and manage our self-signed certificates.
cat www_example_com.crt COMODORSADomainValidationSecureServerCA.crt COMODORSAAddTrustCA.crt AddTrustExternalCARoot.crt > ssl-bundle.crt
WooW. Read this comment! Steps to install a Comodo PositiveSSL certificate with Nginx. · GitHub
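The CSR and CA-field steps from the install section, and the bundle built by the cat command above, as an added example that is not part of the original page. It assumes the openssl CLI is installed; the function names, the throwaway "Demo" PKI and example.com are constructed for illustration. Unlike the cat command, it leaves the root out of the bundle, following the advice about the CA field.

```bash
#!/usr/bin/env bash
# Added example (not from the original page). All names below are constructed.

# new_csr DIR DOMAIN: 2048-bit RSA key and a CSR whose CN is www.DOMAIN
new_csr() {
  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=www.$2" \
    -keyout "$1/$2.key" -out "$1/$2.csr" 2>/dev/null
}

# is_root CERT: true when subject and issuer are the same name (self-issued root)
is_root() {
  [ "$(openssl x509 -in "$1" -noout -subject_hash)" = \
    "$(openssl x509 -in "$1" -noout -issuer_hash)" ]
}

# build_bundle OUT CERT...: concatenate in the given order, leaving out roots
build_bundle() {
  out=$1; shift
  : > "$out"
  for c in "$@"; do
    is_root "$c" || cat "$c" >> "$out"
  done
}

# count_certs FILE: number of PEM certificates in FILE
count_certs() { grep -c 'BEGIN CERTIFICATE' "$1"; }

# verify_bundle ROOT BUNDLE LEAF: client-side check, root comes from the trust store
verify_bundle() {
  openssl verify -CAfile "$1" -untrusted "$2" "$3" >/dev/null 2>&1
}

# make_demo_chain DIR: constructed throwaway PKI, root -> intermediate -> leaf
make_demo_chain() {
  d=$1
  echo 'basicConstraints=critical,CA:TRUE' > "$d/ca.ext"
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=Demo Root" \
    -keyout "$d/root.key" -out "$d/root.crt" 2>/dev/null
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Demo Intermediate" \
    -keyout "$d/int.key" -out "$d/int.csr" 2>/dev/null
  openssl x509 -req -in "$d/int.csr" -CA "$d/root.crt" -CAkey "$d/root.key" \
    -CAcreateserial -days 2 -extfile "$d/ca.ext" -out "$d/int.crt" 2>/dev/null
  new_csr "$d" example.com
  openssl x509 -req -in "$d/example.com.csr" -CA "$d/int.crt" -CAkey "$d/int.key" \
    -CAcreateserial -days 2 -out "$d/leaf.crt" 2>/dev/null
}

tmp=$(mktemp -d)
make_demo_chain "$tmp"
build_bundle "$tmp/ssl-bundle.crt" "$tmp/leaf.crt" "$tmp/int.crt" "$tmp/root.crt"
echo "certs in bundle: $(count_certs "$tmp/ssl-bundle.crt")"
verify_bundle "$tmp/root.crt" "$tmp/ssl-bundle.crt" "$tmp/leaf.crt" && echo "chain verifies"
```

The bundle still verifies without the root because the client supplies the root from its own trust store; only the leaf and the intermediates have to travel in the handshake.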
We are obviously entering the era of “everything HTTPS”, as SSL certificates can now be obtained even for free, via Let’s Encrypt. So there is no real need for http:// anymore, anywhere - ever. There is no coming back.
The old recommendation was to use a link prefix without protocol, //, as it is the most flexible solution to support both HTTP and HTTPS. As there is no need for that anymore, the new recommendation is:
Always & everywhere, use https://. If the target doesn’t support it immediately, it will very soon.
- Tracked pixels must be prefixed with https:// or we will have a blocked content problem (mixed content, no green icon in address bar).
- Links can be whatever, as always.
Let’s Encrypt publishes to certificate transparency logs, searchable at crt.sh. In other words, hiding sites from the public by not publishing their (sub-)domain names anywhere will not work when you issue a certificate for the domain on services like Let’s Encrypt.
You can check any site’s history; for example, check cvladan.com.