Geekzone: technology news, blogs, forums


MurrayM

2455 posts

Uber Geek

ID Verified
Trusted
Lifetime subscriber

#236204 23-May-2018 11:36

I'm pretty new to SSL certs and have been trying to get my head around all the various types and ins and outs. The website I want to put the cert on doesn't do any ecommerce, it's a static brochure site, and the only reason I want to add a cert is so users don't freak out when Chrome starts displaying warnings in July that the site is insecure.

 

I think what I need is a DV (Domain Validated) cert. I've decided on Comodo as a supplier, and looking through their various offerings I thought their Positive SSL Certificate looked like it would do what I wanted. The list of features is:

 

  • Domain validated, 2048 bit Industry Standard SSL Certificate
  • Immediate "No Hassle" SSL certificate issuance 24/7
  • Unlimited server licenses
  • Automated validation - no paperwork
  • Risk free 30 day refund policy
  • FREE site seal
  • Unlimited Re-issuance Policy
  • Trusted by all popular browsers with 99.9% Ubiquity
  • $10,000 Relying Party Warranty
  • Single Domain Name (FQDN) domain.com and www.domain.com
  • 256 bit Encryption

I have a few questions that maybe someone can answer:

 

What does "Unlimited server licenses" mean?

 

What does "Unlimited re-issuance policy" mean?

 

Also, after creating an account on their website and then trying to buy the cert, the website said that this particular cert wasn't mobile-friendly. What makes a cert mobile-friendly/un-friendly?


freitasm
BDFL - Memuneh
79250 posts

Uber Geek

Administrator
ID Verified
Trusted
Geekzone
Lifetime subscriber

  #2021058 23-May-2018 11:46

You need a single domain certificate (if it supports both www and non-www subdomains).

 

You can get free certificates from https://letsencrypt.org/ - these have to be renewed every three months.

 

You can get free certificates from Cloudflare for your origin server and automatically use their free SSL front-end. These last for years.

 

You have to be sure you redirect the domain to the one you want to be your permanent address (www or non-www). You might want to use HSTS headers, security policies and set secure cookies, to fully use encryption.

 

 

 

[EDIT] Removed one sentence with incorrect information.









stinger
628 posts

Ultimate Geek
Inactive user


  #2021066 23-May-2018 11:49

> What does "Unlimited server licenses" mean?

 

Means you can use the certificate on as many servers as you want to.

 

> What does "Unlimited re-issuance policy" mean?

 

If you lose your private key (and therefore your ability to use SSL), you can submit a new CSR to them, and they will generate a new certificate.

 

> What makes a cert mobile-friendly/un-friendly?

 

Someone may correct me if I am wrong, but all certificates are device agnostic. The only thing I can think of is that a device might not support older protocols (eg. SSLv2, SSLv3). These are both now insecure.

 

Before you fork out your coins, have a look at Let's Encrypt. They issue SSL certificates for free, and are now the most used certificates for .nz domain names (source: InternetNZ). And using Certbot means the process is fully automated and hassle free (assuming your site is publicly available from the Internet).


kyhwana2
2566 posts

Uber Geek


  #2021070 23-May-2018 11:56

You haven't mentioned how this is hosted, but any decent web host should offer a one click button to deploy Let's Encrypt certs and automatically renew them. (All for free!)

 

 

If you're running the site yourself, you can deploy Lets Encrypt Certbot to get a free EV cert and automatically update it. (For free)

 

For setting up HTTPS properly, Mozilla has a guide: https://wiki.mozilla.org/Security/Server_Side_TLS and you can test this with https://www.ssllabs.com/ssltest/

 

 

See https://certbot.eff.org/

 

 

All the "features" listed by Comodo are pretty meaningless.

 




freitasm
BDFL - Memuneh
79250 posts

Uber Geek

Administrator
ID Verified
Trusted
Geekzone
Lifetime subscriber

  #2021072 23-May-2018 11:56

I personally use Digicert for my routers and test certificates. Great service.

 

Disclaimer: I get them free as a bonus being a Microsoft Reconnect MVP but don't get paid for publicity. Geekzone used Comodo certificates before until we moved all certificates to Cloudflare-issued ones.







timmmay
20574 posts

Uber Geek

Trusted
Lifetime subscriber

  #2021090 23-May-2018 12:24

Use Let's Encrypt. I have a cron job that renews all my certificates as required. I also have CloudFlare in front of the sites, which does https for you.


stinger
628 posts

Ultimate Geek
Inactive user


  #2021095 23-May-2018 12:30

timmmay:

 

Use Let's Encrypt. I have a cron job that renews all my certificates as required. I also have CloudFlare in front of the sites, which does https for you.

 

 

Out of interest, how do you manage that? When I tried, it didn't work, as ACME tried to validate the certificate with the http-01 method, and it didn't work as Cloudflare handled the traffic. Or do you use dns-01 for the ACME challenge?

 

Having said that, it seems kinda pointless to have a Let's Encrypt certificate for Cloudflare enabled sites anyway, since Cloudflare can issue you a certificate for your site anyway that lasts for a long time.


MurrayM

2455 posts

Uber Geek

ID Verified
Trusted
Lifetime subscriber

  #2021131 23-May-2018 13:15

stinger:

 

> What does "Unlimited server licenses" mean?

 

Means you can use the certificate on as many servers as you want to.

 

 

So I guess this means that some certs are limited to just one server?

 

 

> What does "Unlimited re-issuance policy" mean?

 

If you lose your private key (and therefore your ability to use SSL), you can submit a new CSR to them, and they will generate a new certificate.

 

 

That makes sense.

 

 

> What makes a cert mobile-friendly/un-friendly?

 

Someone may correct me if I am wrong, but all certificates are device agnostic. The only thing I can think of is that a device might not support older protocols (eg. SSLv2, SSLv3). These are both now insecure.

 

 

So that means that the cert/encryption might not work on some older mobile devices? That's not a problem for us as we aren't really worried about the encryption as this isn't an e-commerce site; we just want to avoid the warnings that Chrome is going to start showing in July and also show to Google-bot that the site is secure.

 

 

Before you fork out your coins, have a look at Let's Encrypt. They issue SSL certificates for free, and are now the most used certificates for .nz domain names (source: InternetNZ). And using Certbot means the process is fully automated and hassle free (assuming your site is publicly available from the Internet).

 

 

There's actually a bunch of background info that I didn't mention in my initial message because I didn't want things to get side-tracked and off-topic. The hosting is... complicated. It's custom built, there's no cPanel or anything like that, it runs a custom built CMS that integrates with other internal systems. We looked at Let's Encrypt but to get it working on our platform we would need some custom programming done and while it could be done we decided this wasn't cost-effective.

 

 

stinger
628 posts

Ultimate Geek
Inactive user


  #2021144 23-May-2018 13:32

MurrayM:

 

So I guess this means that some certs are limited to just one server?

 

 

No. That's just marketing BS.

 

MurrayM:

 

There's actually a bunch of background info that I didn't mention in my initial message because I didn't want things to get side-tracked and off-topic. The hosting is... complicated. It's custom built, there's no cPanel or anything like that, it runs a custom built CMS that integrates with other internal systems. We looked at Let's Encrypt but to get it working on our platform we would need some custom programming done and while it could be done we decided this wasn't cost-effective.

 

 

That's not true. The certificate that Let's Encrypt uses is the same as the one you get from any other SSL provider. I assume you are still using Apache or Nginx for a web server. The SSL certificate is used at this level, not within your application. And the certbot tool automates everything for you. Just run it, and it will generate the certificates and even add the necessary config for the web server. If you need custom programming for LE, then you are going to need it for any SSL certificate you use.

 

As others have mentioned, another alternative is to use Cloudflare to manage the SSL for you. The connection between Cloudflare and your server won't be encrypted (on the free plan), but if you are only serving a brochure, then that's not an issue for you.


freitasm
BDFL - Memuneh
79250 posts

Uber Geek

Administrator
ID Verified
Trusted
Geekzone
Lifetime subscriber

  #2021192 23-May-2018 15:15

MurrayM:

 

So I guess this means that some certs are limited to just one server?

 

 

If you have the private key and the public key then you can install on any server.

 

You protect your private key like anything else that should never be made public.







timmmay
20574 posts

Uber Geek

Trusted
Lifetime subscriber

  #2021209 23-May-2018 15:55

stinger:

 

timmmay:

 

Use Let's Encrypt. I have a cron job that renews all my certificates as required. I also have CloudFlare in front of the sites, which does https for you.

 

 

Out of interest, how do you manage that? When I tried, it didn't work, as ACME tried to validate the certificate with the http-01 method, and it didn't work as Cloudflare handled the traffic. Or do you use dns-01 for the ACME challenge?

 

Having said that, it seems kinda pointless to have a Let's Encrypt certificate for Cloudflare enabled sites anyway, since Cloudflare can issue you a certificate for your site anyway that lasts for a long time.

 

 

I use Acmetool as the software, Nginx serves the validation file over http. I could give you more detail including full config when I have time to look at it.
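Tying together freitasm's advice above (redirect to one canonical host, HSTS headers), stinger's question about http-01 behind Cloudflare and timmmay's setup where Nginx serves the validation file over plain HTTP: an added example Nginx configuration, not posted by anyone in this thread, that exempts the ACME challenge path from the redirect. The hostnames (example.com), the certbot webroot directory and the certificate paths are assumptions.

```nginx
# Added example (not from the thread): Nginx serving the ACME http-01
# challenge over plain HTTP, redirecting everything else to the canonical
# https://www.example.com, and sending HSTS on the HTTPS server.
# Hostnames and paths are assumptions; replace them with your own.

server {
    listen 80;
    listen [::]:80;
    server_name example.com www.example.com;
    # http-01 fetches http://<host>/.well-known/acme-challenge/<token> on
    # port 80. Serve it from disk and keep it out of the redirect, so renewal
    # still works behind a proxy such as Cloudflare as long as the proxy
    # passes plain-HTTP requests through to the origin.
    location ^~ /.well-known/acme-challenge/ {
        root /var/www/acme;          # e.g. certbot --webroot -w /var/www/acme
        default_type text/plain;
    }

    # Everything else: one permanent redirect to the canonical https host.
    location / {
        return 301 https://www.example.com$request_uri;
    }
}

server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name example.com;
    ssl_certificate     /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
    # Non-canonical host over HTTPS: redirect too, so there is one address.
    return 301 https://www.example.com$request_uri;
}

server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name www.example.com;
    # One certificate whose SANs cover both example.com and www.example.com.
    ssl_certificate     /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
    ssl_protocols TLSv1.2 TLSv1.3;   # no SSLv2/SSLv3 or early TLS
    # HSTS: browsers remember to use HTTPS only. Enable it only once every
    # subdomain you serve is on HTTPS; start with a short max-age if unsure.
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
    root /var/www/site;
    index index.html;
}
```

Because the challenge location is matched before the catch-all redirect, the same port-80 server block both answers Let's Encrypt's validation request and sends every ordinary visitor to HTTPS.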

