Planning Ahead for SSL

 

You’ve read the arguments for SSL and you’ve decided an SSL certificate is right for you.  Now what?  Well, the “now what” is the purpose for this article.  Getting started with SSL requires a bit of planning before you make the first move.
 
1)    Where will you get the certificate?
2)    What kind of certificate will be used?
3)    Key length and certificate duration
4)    What Common Name will you be protecting with the certificate?
5)    The socket rule

I’ll conclude with information on ordering SSL certificates here at SoftLayer.

Where to get the certificate
SSL certificates can be obtained internally in your organization or from a Certification Authority.  The difference is one of audience.  If your audience is a captive group under your control such as employees using an Intranet site you could do a Self-Signed certificate and have each employee install it in their browser.   You could also setup a local Certification Authority of your own to generate certificates for use in your organization.

If your audience is a larger, more diverse group you most likely are not going to be able to mandate that they install your home-rolled certificate.  Without doing the installation your visitors will get a warning saying that the locally created certificate is not valid since their browser will not able to validate the signature on it.  This is where the Certificate Authorities like Verisign, RapidSSL, Thawte and so forth come into play.  Modern web browsers are configured out of the box to trust root certificates issued by the big players in SSL.  This trust point gives the browser a way to validate the signature on certificates issued by those organizations.

The remainder of this document is going to assume you’re going with a certificate from one of the major Certificate Authorities.  Further I will assume, since this is the SoftLayer KnowledgeLayer, that you will be acquiring this certificate through SoftLayer.

Kinds of certificates

The first thing to decide when preparing to order a certificate from SoftLayer is what level of SSL certificate do you need?  The Domain Validated certificates are available quickly and with a minimum of hassle.  The Organization and Extended Validation certificates require more time (2 to 3 days up to a week) while our vendor does their probing to verify that your organization exists and that the person making the request for the certificate is actually authorized to make such a request.

Key length / Certificate duration

Having decided between DV, OV and EV your next decisions are to decide the length of the keys for the certificate and the length of time the certificate will be valid.  Generally your options for key size are 1024 bit and 2048 bit.  For Extended Validation you have to use 2048 bit.  Longer is considered safer but shorter is faster.  If in doubt, I’d say 2048.  There is also the question of certificate duration.  We offer one year and two year certificates.  I tend to do my certificates in one year increments if that helps provide any guidance.

Common Name

The Common Name used in the certificate is the hostname for the website involved.  The hostname the browser is trying to reach and the Common Name of the certificate have to match or browsers will toss a warning.  If your site is web1.mydomain.com then you should make that your Common Name.  What if you also use images.mydomain.com?  Well, in that case you’re looking for either a wildcard certificate (which we do not offer) or setting up multiple certificates.  If you choose wrongly in the setting of the Common Name there are potentially steps that can be taken to amend a certificate order or to revoke and re-issue with the correct Common Name.  Those will be covered in a later article.

The socket rule
Because of the way the SSL protocol works at this time there is a limit of one certificate per socket.  A socket is an IP address and port combination, such as 1.2.3.4:443.  1.2.3.4:444 would be a different socket.  For applications like SMTP/POP3 or FTP this doesn’t particularly matter.  It matters a great deal for HTTP because HTTP has for years had the concept of virtual hosting.

Virtual hosting is the method by which you can host 20, 30, 100 websites on one IP address.  This works because modern browsers pass as part of their request a field called the host header.  This field looks like “Host: web1.mydomain.com” and tells the web server which site you’re trying to hit among all the sites configured for whichever IP address to which you connect.  In the case of HTTPS (HTTP over SSL) the web server has to select the SSL certificate to send to the client prior to seeing the host header and so for a given socket, there can be only one certificate. 

The solution is that you assign each SSL enabled website to its own socket.  You can do this by varying the IP address or varying the port.  As a general rule you are going to want to do it by varying the IP address.  If you change the port from 443/tcp then users will be required to include the port number in their URL like https://web1.mydomain.com:444 and this is going to create headaches for them and for you.  Additional IP addresses can be acquired from the SoftLayer Sales department for a small monthly fee.

Now that you’ve considered some of the necessary decisions to be made the process of ordering an SSL certificate is broken into the following steps.

1.    Generating the CSR
You generate the Certificate Signing Request by using software on the web server.  For UNIX systems you will likely use the OpenSSL package.  For Windows there is a wizard which is accessed from the Directory Security tab of the website properties in IIS Manager.  If you are using a control panel, refer to specific information for that control panel.

In the process of generating the CSR you will create a private key.  Do not lose, delete or share the private key.  It is to be kept private on the web server.  Some CSR generation utilities also give you the ability to create a passphrase for the private key.  You probably don’t want to do this unless you plan to logon to the server anytime the web server software is restarted.  Also do not apply a challenge phrase to the CSR.

2.    Order the certificate
As with other things at SoftLayer you order certificates via the Web Portal.  In the portal, go to Security > SSL Certificates to place an order.  You’ll be walked through selecting the type and duration of certificate, submitting the text of the CSR, filling out some additional details and then confirming payment.

3.    Install and test
Once the ordering and validating process is complete you receive an e-mail from the Certificate Authority which includes your certificate as well as any necessary Intermediate certificates.  The method for installation of these will depend on the software you are using but the end result should be the same.  You should, when done, be able to visit https://host.yourdomain.com and see your content while also seeing the SSL padlock that browsers use to denote an encrypted session.  If you get a warning of some kind then there will be steps that need to be taken.  Support and future KnowledgeLayer articles will be able to help with this.