Server Certificate Question 1

RRoswell

Programmer
Sep 26, 2006
24
Hi,

I'm getting a dedicated server set up, but when I try to login to the webmail, I'm getting a certificate error.

I think I have to buy a certificate of my own and install it in WHM - but I haven't a clue how to do this.

The main thing is: 1) I need a secure connection for my customers' webmail and 2) most importantly of all, I can't have customers seeing certificate errors when they are trying to login.

I've done a bit of searching for this on the internet, but have yet to find the info I need.

Would appreciate a shove in the right direction.

Thanks.
 
If you are intending to host multiple domains on the same server, then you will have issues as far as I know. I recall that only a single X.509 cert can be presented for a physical host, and if you have multiple domains, that cert can only be registered to one of them.

Most hosting services will provide a "self-signed" cert on the machine that will prompt the user(s) that you have a self-signed cert and do they want to continue. They can accept this cert for a single session or forever. If the latter is chosen, they will never see the prompt again.

Self-signed certs only increase the risk of a man-in-the-middle attack by a small amount, but they do increase it. A cert provided by Thawte, et al. means that you implicitly trust any certificate that they have signed, so you don't get a prompt. Personally I'm just not that trusting.


pansophic
 
Thank you, Pansophic.

I know there's a way around this, because I know that there are thousands of boxes hosting multiple domains and I rarely if ever see that alert about the certificate.

To me, it's a very bad sign and one I don't want my customers to ever see.

I'm having a really tough time finding any meaningful information that explains how certificates work.
 
What alert exactly did you see? I see the alerts with some frequency, but I run Linux and have most of my security settings turned down to prompt for anything out of the ordinary. Like even when a key changes, which I see with some regularity.

That said, I just checked my hosting service and they have the ability to generate a self-signed key for my domain. I know that it is on a shared server and that RARP will not produce a name that has my domain on it, so there must be a way to associate a new cert with a new domain. There must also be a way to ignore the RARP request when it produces a hostname other than the one that you requested.

Are you trying this on Apache or IIS? I assume that you are looking for some configuration help.

You can buy a certificate from any of the standard certificate authorities. If you open your browser's security settings, there should be a list of CAs that are automatically "trusted."

Some of the CAs in my browser's default list are:

Baltimore Cyber-Trust
Entrust
Equifax
RSA Data Security
Thawte
VeriSign

The list goes on and on. You should be able to buy a certificate from any of them. VeriSign's three year certificate is $1,485. A little less than $500 per year.


pansophic
 
Thanks Pan,

It's a Linux/Apache box that I just bought and somebody else is hosting.

I'm just bone-headed when it comes to this stuff and I don't seem to be getting through to anybody. I kind of think that my problem is so simple that people aren't understanding the problem.

I have a webmail address - webmail.mydomain.com - when people try to access it, they get a certificate error.

It's worse when they're using IE7 because IE tells them not to go to the site.

So all I want to do is know how - step by step - to make that stop.

Do I buy another IP and assign it to that subdomain?
Then do I buy a certificate and assign it to that IP?
How do I install that in WHM?

Thanks for your help and your time.
 
RRoswell,

Can you give the exact certificate error that you are receiving? It may just be a configuration issue with Apache, but it could be a certificate validity issue. Without knowing the exact error message, it is difficult to decide.

You should not need an additional IP address, but you will probably need a certificate that is associated with that domain.

The following instructions describe how to add a domain cert in cpanel for a specific provider (digicert). I believe that this cert only works for this specific domain as opposed to providing a generic (or fallback) cert for any domain on the computer.



pansophic
 
Pan,

This is the message in Firefox:

You have attempted to establish a connection with “ However, the security certificate presented belongs to “sls-ad888-srv2.myhost.net” (my host). It is possible, though unlikely, that someone may be trying to intercept your communication with this web site.

All I want to do is make sure that never happens again.
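
The name mismatch behind the Firefox message above, as an added example that is not part of the original posts: it compares the names a certificate carries with the hostname the user asked for. The certificate dictionaries are constructed sample data in the shape returned by Python's `ssl.SSLSocket.getpeercert()`; the function names, the two `mydomain.com` certificates and the simplified wildcard rule are assumptions made for illustration.

```python
# Added example: why a browser reports a certificate name mismatch.
# Certificate dicts use the shape returned by ssl.SSLSocket.getpeercert();
# every certificate below is constructed sample data.

def cert_dns_names(cert):
    """DNS names a certificate is valid for: SAN entries, else the subject CN."""
    sans = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if sans:
        return sans
    return [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]


def name_matches(pattern, host):
    """Simplified matching: '*' only as the whole left-most label, one label deep."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        # Reject overly broad patterns such as '*.com'.
        return len(p) > 2 and p[1:] == h[1:]
    return p == h


def check_host(cert, host):
    """Return (ok, names) so a mismatch can be reported with what was presented."""
    names = cert_dns_names(cert)
    return any(name_matches(n, host) for n in names), names


# The host's default certificate, as named in the Firefox message above.
HOST_DEFAULT = {
    "subject": ((("commonName", "sls-ad888-srv2.myhost.net"),),),
    "subjectAltName": (("DNS", "sls-ad888-srv2.myhost.net"),),
}
# Hypothetical certificates issued for the customer-facing names.
WEBMAIL_CERT = {"subjectAltName": (("DNS", "webmail.mydomain.com"),)}
WILDCARD_CERT = {"subjectAltName": (("DNS", "*.mydomain.com"),)}

if __name__ == "__main__":
    for label, cert in [("host default", HOST_DEFAULT),
                        ("webmail cert", WEBMAIL_CERT),
                        ("wildcard cert", WILDCARD_CERT)]:
        ok, names = check_host(cert, "webmail.mydomain.com")
        print(f"{label:14} presented={names} -> {'match' if ok else 'MISMATCH'}")
```

Name matching is only one of the browser's checks: a certificate that carries the right name must also chain to a CA the browser trusts before the warning disappears.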
 
OK, I believe that you may be able to eliminate this by generating your own, self-signed cert.

You should be able to generate and associate the cert with your website by going to the cpanel management page and then pressing the SSL Manager button.

Use the Certificate (CRT) button to generate the cert and the Certificate Signing Requests (CSR) to sign the cert. Then you should be your own CA and the messages should stop coming up.

I've not done this myself, but I believe that it should work.


pansophic
 
pan -

Thanks so much - I'll give it a try.
 