
SSL-certificates

The SSL protocol provides confidential data exchange between the client and the server. The data is encrypted using public-key cryptography. There are two keys, and each of them can be used both to encrypt a message and to decrypt it: if one key is used for encryption, the other key is used for decryption. This makes it possible to receive secure messages by publishing the public key and keeping the private key secret.

When a page is opened on a site that has an SSL certificate installed, the browser requests identification information from the web server. The server then sends a copy of its SSL certificate to the browser. The browser authenticates the SSL certificate and informs the server about it. In response, the server sends a digitally signed acknowledgement allowing encrypted data transfer. From this point on, any data that travels from the client's computer to your server is encrypted. At the same time, the usual link in the browser (http://www.mydomain.by) turns into https, where "s" means secure.

Depending on the type, an SSL certificate can work only for a single domain name (host) or, if it is an SSL certificate with subdomains, for a domain and its subdomains (mail.mydomain.by, billing.mydomain.by, etc.). Certificates also differ in the information that they can confirm - some certificates only confirm the authenticity of a domain, while others can confirm both the authenticity of a domain name and the existence of a company.

In 2014, Google announced that the presence of an HTTPS connection on a site using an SSL certificate affects the position in Google search results. Initially, it was assumed that the weight of this parameter would be minimal and affect only 1% of search queries worldwide. However, in order to motivate website owners to use secure data transmission, the influence of this factor will gradually increase.
The main recommendations and provisions of Google on this issue are as follows:

  • all site content must be served via https;
  • the certificate key must be at least 2048 bits long;
  • it is necessary to allow page indexing via HTTPS;
  • it is desirable to avoid the noindex meta tag on pages accessible via HTTPS (if there is a copy of the page on HTTP);
  • relative URLs are recommended for content hosted on the same domain;
  • all types of certificates are allowed: for a single domain, multi-domain, wildcard certificates.

Since December 2015, Google has indexed HTTPS pages by default if they are available at the same time as HTTP and are not blocked in any way.
In the summer of 2016, a Google representative at a meeting with webmasters said that the company is seriously considering the possibility of increasing the weight of an SSL certificate as a ranking factor in a search engine. Therefore, sites without an SSL certificate will inevitably lose positions in the search results of the most popular search engine in the world.
From 2018, some browsers such as Chrome and Firefox will mark all sites without an SSL certificate as insecure.

Although many users now prefer self-signed certificates to paid ones, such savings are often unjustified. Instead of gaining the trust of customers, site owners with such a certificate only scare them away with error messages that are caused by the browser not being able to determine this certificate as genuine, because the certificate authority is not specified and / or unknown to the browser.

If a site uses a self-signed certificate, site visitors will see a login error. Many of them will prefer to close the window rather than work out whether the site and the company are genuine.

The issuance of Standard Certificates (DV) by a CA usually takes no more than fifteen minutes.

The issuance of Verified Organization (OV) certificates takes 1 to 3 business days, as the CA needs to verify not only ownership of the domain, but also the existence of an organization or business.

When issuing Extended Validation (EV) certificates, a rigorous review process begins with a detailed application. First, collect the necessary information about the enterprise. Verification of such information may take 3 to 7 business days.

Please note that we do not directly issue a certificate and are not responsible for the correctness of the data provided by you to the Certification Authority, therefore, the periods specified above may increase due to reasons beyond our control.

If you specified domain.com when generating a simple certificate, www.domain.com (for Comodo certificates) will also be protected by default. Please note that the option to protect both versions of a domain applies ONLY to second-level domains.

Unlike domain validated certificates, multi-domain certificates protect only those domains and subdomains that were specified when the certificate was generated.

If, when generating a multi-domain certificate, you specify:

www.domain.com
example.us
myworld.domain.net

then

domain.com
www.example.us
www.myworld.domain.net

will NOT be protected.

Be careful: if you need to secure both domain.com and www.domain.com with a multi-domain certificate, specify both names.

Unfortunately, once the certificate has been generated, it is not possible to change the main domain.

A certificate authority or certification authority is a company that provides SSL certificates. The peculiarity of these centers is that they issue certificates that are officially recognized all over the world and are always recognized by users' web browsers. At one time, their creation allowed the adoption of a generally accepted standard for SSL certificates, as well as the development of other types of certificates (SSL for several domains, SSL for software, etc.).

When visiting a site protected by products of a well-known certification authority, the visitor feels much more confident and has no doubts about the security of his data. In addition, each certificate from the center is backed by a guarantee, which is monetary compensation in case it is hacked.

CSR (Certificate Signing Request) — request for a certificate. This is a file that contains a small piece of encrypted data about your domain and the company for which the certificate is issued. This file also contains your public key.

We will independently generate a request for you based on your registration data. The CSR key itself, as well as the Private Key required for the further installation of the certificate, will be sent to the e-mail address you specified during registration.

Certificates for a single domain - the simplest and most affordable certificate. Protects only one domain (for example: mydomain.by) on the server.

Such a certificate, as a rule, allows you to simultaneously protect a domain with or without www. Can be of all types (DV, OV, EV), i.e. it can be used by both individuals and legal entities. A single-domain certificate is used for absolutely all types of sites: from a simple business card site or landing page to a large portal or bank site.

Also called Wildcard certificates. This is a universal SSL certificate that allows you to direct several hosts from one domain name to one server at once. This eliminates the need to purchase individual SSL certificates for each of your subdomains. That is why Wildcard SSL is an ideal solution for websites of large organizations and commercial Internet projects.

Wildcard certificates are intended for installation not only on the main domain but also on the subdomains of the site. I.e., if you protect mydomain.by, then all your subdomains will be protected, for example:

  • mail.mydomain.by
  • shop.mydomain.by
  • support.mydomain.by
  • dev.mydomain.by

etc.

A Multi-Domain Certificate (MDC) is an SSL certificate that supports securing multiple different domains with a single certificate.
For example, one multi-domain certificate can protect:

  • domain.by
  • example.me
  • пример.бел
  • domain.com

These certificates are also called SAN (Subject Alternative Name) or UCC (Unified Communications Certificate).
The main distinguishing feature of this type of certificate is that SAN certificates allow you to protect one primary and several additional domains at the same time.
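The coverage rules described above for single-name, wildcard and multi-domain (SAN) certificates can be checked against a planned list of names before a certificate is ordered. The following is an added example, not code from this page or from any CA; the function names are hypothetical, the SAN lists are constructed from the names used in the text, and it assumes the wildcard certificate lists the bare domain next to the `*.` entry.

```python
# Added example (not the hosting provider's or any CA's code).
# Checks which hostnames a certificate's SAN list covers, using the
# single-label wildcard rule that browsers apply (RFC 6125).

def _labels(name):
    # DNS names are case-insensitive and a trailing dot means the same name.
    # IDNs such as пример.бел are compared in punycode (A-label) form,
    # which is how they are stored inside a certificate.
    ascii_name = name.strip().rstrip(".").encode("idna").decode("ascii")
    return ascii_name.lower().split(".")


def san_matches(entry, hostname):
    """True if one dNSName SAN entry covers the hostname."""
    p, h = _labels(entry), _labels(hostname)
    if "*" in "".join(h) or len(p) != len(h):
        return False
    if p[0] == "*":
        # "*" must be the whole left-most label and stands for exactly one
        # label: it covers neither the bare domain nor deeper names.
        # Patterns such as "*.by" are refused.
        return len(p) >= 3 and p[1:] == h[1:]
    return p == h  # exact match; partial wildcards ("w*.x.by") never match


def uncovered(san_entries, hostnames):
    """Hostnames that no SAN entry covers, in input order."""
    return [h for h in hostnames
            if not any(san_matches(s, h) for s in san_entries)]


# Constructed SAN lists, using the names from the text above.
MULTI_DOMAIN_SANS = ["www.domain.com", "example.us", "myworld.domain.net",
                     "пример.бел"]
# Assumption: the wildcard certificate carries the bare domain as well.
WILDCARD_SANS = ["mydomain.by", "*.mydomain.by"]

MULTI_DOMAIN_HOSTS = ["www.domain.com", "domain.com",
                      "example.us", "www.example.us",
                      "myworld.domain.net", "www.myworld.domain.net",
                      "пример.бел"]
WILDCARD_HOSTS = ["mydomain.by", "mail.mydomain.by", "shop.mydomain.by",
                  "support.mydomain.by", "dev.mydomain.by",
                  "api.dev.mydomain.by"]

if __name__ == "__main__":
    print("multi-domain, not covered:",
          uncovered(MULTI_DOMAIN_SANS, MULTI_DOMAIN_HOSTS))
    print("wildcard, not covered:",
          uncovered(WILDCARD_SANS, WILDCARD_HOSTS))
```

A name two levels below the wildcard, such as api.dev.mydomain.by, is reported as uncovered and needs its own SAN entry or its own wildcard.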

Certificate with domain validation (DV-certificates - from English Domain Validation). For their release, the most basic level of SSL validation is used. The CA simply verifies that you are the owner of a particular domain.

Of course, such a certificate allows you to provide strong data encryption on your site, but it does not verify the fact that you are the owner of a legitimate business. This is a very suitable, and most importantly, very fast solution for securing your site using HTTPS. Users, seeing the lock in the address bar of the browser, will trust your site many times more than before, because for them such a sign is a trust factor.

Such a certificate is suitable for simple websites, blogs, forums, small online stores.

Organization Validation certificates (OV-certificates - from the English Organization Validation) are intended for companies and organizations. In particular, they are useful for conducting e-commerce, online sales. Such certificates are required for sites where users enter sensitive information (credit card numbers, contact details, etc.).

The OV-certificate certifies the owner of the site and contains the name of the company. The validation process for such certificates is longer and more in-depth. The certification authority verifies not only the fact that you are the owner of the domain, but also the fact that you are the owner of a real-life company. The company must be present on the website of the state registration authority and in the trusted Internet directory (for example, dnb.com). Fraudsters will not be able to obtain such a certificate, since they will not be able to pass validation.

Such a certificate is suitable for large online stores, corporate sites, Internet portals.

Extended Validation Certificate (EV-certificates from English Extended Validation) are intended for large companies and organizations, as well as organizations seeking to gain the trust of their users as much as possible. Such a certificate provides a higher level of reliability and security guarantees than standard certificates, thus proving that the site is not one of the fraudulent or fake sites. Customers of these certificates are authenticated according to the highest security industry standards.

When a visitor opens a website protected by an EV certificate, the address bar turns green and your organization's name is displayed in the browser interface. Since the process of issuing an EV certificate retains the expected transparency, not only do users feel more secure about their information, but companies can also have peace of mind that the data exchange process is secure. The hierarchical model of extended EV verification helps provide users with visual confirmation of the seriousness of the company, which increases the overall level of trust and confidence.

Such a certificate is suitable for a bank, a large Internet portal, a large online store, a financial institution.

High-security SSL certificates should be used whenever strong authentication, visible indication of trust, and strong encryption are required. Such certificates should be used by public websites of large companies, which are often the target of phishing attacks. For example, sites of large brands, banks and financial institutions.

Any websites that collect data, work with logins and online payments can increase the trust of their users by using high class SSL certificates.

With high-security SSL certificates and by applying a standardized level of trust, lesser-known brands can compete with established brands that have a long presence on the Internet.

1. Confirmation via email (used by default).
With this option, an email containing a unique code and a confirmation link will be sent to the email of the domain's administrative contact. When you receive a letter, you must follow the link indicated in it and enter the code. The following is a list of possible administrative email addresses that can be used to verify domain ownership:

  • admin@your domain name
  • administrator@your domain name
  • postmaster@your domain name
  • hostmaster@your domain name
  • webmaster@your domain name

2. Verification via CNAME record.
When choosing this method, the CSR request that was used by the client when configuring the certificate is hashed at the Certification Authority in MD5 and SHA1 format. The generated hash is passed to the client. After that, it must be specified in the CNAME record, as shown in the example:
_c7fbc2039e400c8ef74129ec7db1842c.example.com CNAME c9c863405fe7675a3988b97664ea6baf.442019e4e52fa335f406f7c5f26cf14f.comodoca.com
Example.com will be replaced by the domain name for which the certificate is being purchased.

3. Confirmation via HTTP.
The CA hashes the CSR in MD5 and SHA1 formats and sends them to the client. The resulting hash must be placed as follows:

Create a txt document and upload it to the root folder of the domain for which the certificate is ordered. You may need to create several (.well-known/pki-validation) subfolders to match the file path to the requirements of the CA

(example: http://your domain name/.well-known/pki-validation/A1B2C3F4G5H6J7K8L9Q1W2E3R4T5Y69.txt).

After checking this file by the robot, the Certification Authority will send you the certificate files by e-mail. Next, you will need to install the certificate yourself.

4. HTTPS validation.
The client can pass such validation if he has a forced site redirect to https.

When checking a company's WHOIS, the registrant information must reflect the name of the company. If the owner of the domain name in WHOIS is an individual or another company, this must be corrected BEFORE applying for an SSL certificate.

The validation process consists of the following steps:

1. Validation of the domain itself.
To validate a domain, email MUST be set up on the domain for which you are issuing the certificate (for example, if your domain name is mydomain.by, then the mail must be of the form: admin@mydomain.by, administrator@mydomain.by, hostmaster@mydomain.by, postmaster@mydomain.by or webmaster@mydomain.by).

2. Verification of company documents by the Certification Authority.
First of all, the Certification Authority will check the organization's data that is in the public domain, therefore, check the presence of information about the company in the register of enterprises (example).
If your company is registered in international services and has a DUNS number, then this can significantly speed up the process of issuing a certificate. Perhaps, in order to obtain an SSL certificate, you will need copies of the “Certificate of State Registration” and other evidence of the existence of your company (for example: Certificate of entry into the unified state register of enterprises and organizations; Certificate of registration with tax authorities, etc.) which, as a rule, will have to be notarized. Additional references may be requested as needed. In this case, you will need to provide them as well.

3. Phone number verification for company validation.
The certification authority can use both the number specified in the application and the number that is publicly available from public directories (example). Please note that ONLY a landline telephone number may be specified in the application.

When checking a company's WHOIS, the registrant information must reflect the name of the company. If the owner of the domain name in WHOIS is an individual or another company, this must be corrected BEFORE applying for an SSL certificate.

The validation process consists of the following steps:

1. Validation of the domain itself.
To validate a domain, email MUST be set up on the domain for which you are issuing the certificate (for example, if your domain name is mydomain.by, then the mail should be of the form: admin@mydomain.by, administrator@mydomain.by, hostmaster@mydomain.by, postmaster@mydomain.by or webmaster@mydomain.by). If you don't know how to set up mail on a domain, use the mail.ru service (it's quick, convenient and free).

2. Verification of company documents by the Certification Authority.
First of all, the Certification Authority will check the data of the organization that is in the public domain, so check the presence of information about the company in the register of enterprises (example).
Your company will be checked for a DUNS number, if you do not have one, then you will need to prepare copies of the following documents (in PDF format) (the list is approximate, the requirements of the CA may change):
− Certificate of state registration;
− Certificate of entry into the Unified State Register of Enterprises and Organizations;
− Extract from the Unified State Register of Enterprises and Organizations;
− Certificate of registration with the tax authorities;
− The registration data of the domain must indicate the organization purchasing the certificate;
− Confirmation of the relationship of the employee responsible for obtaining the certificate to the organization that is being tested;
− Receipt for telephone, utilities;
− Availability of supporting information with the data of the organization in open sources;
− Additional references may be requested as needed. In this case, you will need to provide them as well.

Documents requested by the Certification Center will have to be notarized.
You can check the presence of your organization in the international directory at link

3. You will need to fill out the following forms and send the completed copies to the Certification Center: Certificate Request Form, EV SSL Subscriber Agreement.

4. Phone number verification for company validation.
The certification authority can use both the number specified in the application and the number that is publicly available from public directories (example). Please note that ONLY a landline telephone number may be specified in the application.

DUNS (the company itself writes D-U-N-S, Digital Universal Numbering System) is a digital identification system for business entities developed by Dun & Bradstreet in 1963 for the purpose of credit monitoring and is widely used in practice throughout the world. Each subject is assigned a unique nine-digit numeric code, and a separate legal entity does not necessarily act as a subject. The number can be assigned both to a group of legal entities and to a division of a large company, if it is geographically isolated.

To make the process of issuing an OV/EV SSL certificate as fast as possible, it is recommended to register a company in the international database D&B (Dun & Bradstreet). It is an open catalog containing information, sorted by type of activity, about all organizations whose existence is officially confirmed.

Having a DUNS number is just a recommendation, not an official requirement. It does not give a 100% guarantee of issuing an SSL certificate, but it can significantly reduce the time frame required to verify an organization. Pay attention to the fact that the contact details of the company contained in all sources must fully match the official documentation.

Check if the site contains program code, widgets, illustrations that are downloaded from third-party sites. All data must be loaded only from your site (you can check it using the services: Xenu's Link, Netpeak Spider, Screaming Frog). Otherwise, after installing the certificate, the error “Mixed content” will appear (content loaded from third-party sites not confirmed by the certificate being installed). The exception is the trusted domains Google Analytics, Yandex Metrika, Vkontakte, Facebook.

• Make all internal and external links relative.
For example: change absolute internal links like href="http://www.mydomain.by/page/" to relative ones, i.e. omit the protocol and domain: href="/page/" for internal links and href="//www.youtube.com/12345" for external ones. This ensures that the site works correctly over both the http and https protocols.

• After installing the certificate, be sure to check that it is installed correctly using the service ssltest, and check that the site works over both the http and https protocols.

• Generate a sitemap.xml with the page addresses available via the https protocol (for example: https://mydomain.by/page/); the path to the new sitemap.xml file will be, for example: https://mydomain.by/sitemap.xml.

• Edit the robots.txt file. This file must be the same for both versions of the site, which must be accessible via both http and https.

You can monitor the status of the certificate using special services:
SSL Server Test – will help you get extended information about the certificate;
Symantec CryptoReport – will help you verify that the certificate is installed correctly.

The best time to move is a season that is quiet in your business, so that a possible decrease in traffic in the first weeks after the move will have a minimal effect on sales. The annual report of Google.Analytics or Yandex.Metrica will help you navigate.

Next, follow the step-by-step instructions for moving the site to the https protocol:

• Add a new site accessible via the https protocol to the Yandex Webmaster panel, and for the version of the site accessible via the http protocol, you need to add the https protocol in the "Indexing Settings" - "Moving Site" section.

• If sites using the http and https protocols were previously recognized as mirrors, and the http version was considered the main mirror, then this can be changed in the "Indexing settings" - "Main mirror" section. The mirror regluing procedure itself can take about 1-3 weeks; during this period the site positions in Yandex may jump, but everything returns to normal after the mirrors are glued together.

• Add a new https-accessible site to Google Search Console.

• Wait for the “gluing” of domains in the Yandex Webmaster panel.

• Update the site URL in:
profiles in social networks;
in Google Analytics and/or Yandex Metrica systems.

• For the site version accessible via the https protocol, add the addresses of the most important and highest-traffic pages manually for quick reindexing in the Yandex Webmaster panels ("Tools" > "Page Recrawl") and Google Search Console ("Crawling" > "View as Googlebot").
Further, following the recommendations of Yandex, you can set up 301 redirects from http pages to https pages of the site.

• To correctly track referrals to your site on all pages, add the “referrer” meta tag:.

• Check in the Yandex Webmaster and Google Search Console panels:
correct assignment of the region;
adding updated file sitemap.xml.

• If possible, update the URLs of links on external resources, in particular in:
Yandex Directory;
Yandex Catalog;
Google Business.

• Update page addresses in advertising campaigns:
contextual advertising;
targeted advertising in social networks;
media advertising.

• If you place partner banners on the site of your store and have a percentage of sales to the customers you brought, then you would not want to lose it. The fact is that when a user moves from an https site to an http site, referral data disappears, such a transition will be regarded as direct, and the merits of the https site will be invisible. Therefore, before closing the tag, you need to add a meta tag that will allow you to transfer the protocol and your website domain to determine the traffic source.

• Resetting TIC, likes and sharing. After re-indexing and gluing mirrors, the TIC will return again, and to confirm the popularity of your pages among buyers, Facebook and Google+ offer to generate special buttons that will make available all the accumulated likes and reposts in social networks.

• Different content on http and https pages. In order for the transition of the site from http to https to be adequately perceived by search engines, the content on the pages of the two versions must be identical.

• Old versions of libraries. Use the latest TLS libraries as older versions of OpenSSL are vulnerable.

• Server Name Indication (SNI) is not supported. Check if your web server supports SNI, which is supported by all modern browsers.

Even if you did everything right, you could still miss some http file. Then an exclamation mark or even a pop-up window with a warning about an insecure connection will appear in the browser line, which indicates that not everything is going smoothly. In order to avoid mistakes, you need to familiarize yourself with the most popular of them and test the site after the move:

• An expired certificate. Don't forget to renew your certificate!

• Self-signed certificate. If you use a free certificate that is not supported by browsers, then when you go to the site over the secure protocol, a warning appears that user data can be stolen by intruders. This message scares away visitors, and not everyone will guess that it is still possible to go to this site by clicking on the word "Additional". Therefore, use trusted certificates from reputable providers - this is a small price to pay for trust in your site.

• Incorrect completion of the certificate. Check all the data entered when filling out and installing the certificate. Specify the hostname to which the certificate is registered.

• Mixed content. If a green padlock does not appear in the browser line after switching to a secure connection, then something is wrong. By clicking on the Information icon, you can see that everything is fine with the certificate, the connection is secure, but the site uses some content available via the http protocol.

• Pay attention to downloading illustrations, external code and widgets from external sites. For sites using the https protocol, there may be problems with displaying downloaded external resources - a "mixed content" certificate error. Ideally, all code, files, and illustrations should be downloaded from your site.
To identify insecure content, you can search for it manually or use special programs (for example, ScreamingFrog or SEO Spider) to fix this error.

• Decreased page loading speed. In principle, this is not even an error, but an inevitable consequence of the transition to a secure protocol. But you can avoid this by using a web server that supports the HSTS mechanism, which allows you to exclude incorrect redirects and speed up page loading. When using this mechanism, the browser will request pages through a secure protocol, even if the user enters a site in the address bar using the http protocol.

• When testing a site, be sure to check that all pages on the site return a 200 response code, and non-existent pages return 404. Also check the site for links to redirects.
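The "Mixed content" items above come down to one check: which resources would a page served over https still request over plain http. The scanner below is an added example, not code from this page or from the tools it names; the class and function names are hypothetical and the sample markup is constructed, reusing the mydomain.by addresses from the text.

```python
# Added example (not code from this page): find resources that a page
# served over https would still request over plain http.
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Tags whose src is fetched while rendering. Browsers block "active" mixed
# content (it can rewrite the page) and warn about or upgrade "passive" one.
FETCHED_SRC = {"script": "active", "iframe": "active", "embed": "active",
               "img": "passive", "audio": "passive", "video": "passive",
               "source": "passive"}


class MixedContentScanner(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []  # (kind, tag, resolved URL)

    def handle_starttag(self, tag, attrs):
        a = {name: (value or "") for name, value in attrs}
        if tag in FETCHED_SRC:
            self._check(FETCHED_SRC[tag], tag, a.get("src"))
        elif tag == "link":
            rel = a.get("rel", "").lower().split()
            if "stylesheet" in rel:
                kind = "active"
            elif "icon" in rel:
                kind = "passive"
            else:
                kind = "link"  # canonical, alternate: not fetched to render
            self._check(kind, tag, a.get("href"))
        elif tag == "a":
            self._check("link", tag, a.get("href"))    # navigation only
        elif tag == "form":
            self._check("form", tag, a.get("action"))  # submits in clear text

    def _check(self, kind, tag, value):
        if not value:
            return
        # Relative ("/page/") and protocol-relative ("//host/x") references
        # inherit the page's scheme, so only explicit http:// URLs remain.
        url = urljoin(self.page_url, value.strip())
        if urlsplit(url).scheme == "http":
            self.findings.append((kind, tag, url))


def scan(html, page_url):
    """All http:// references found in the page, in document order."""
    scanner = MixedContentScanner(page_url)
    scanner.feed(html)
    scanner.close()
    return scanner.findings


def mixed_content(findings):
    """Only the findings a browser treats as mixed content."""
    return [f for f in findings if f[0] in ("active", "passive")]


# Constructed sample page; widgets.example.net and cdn.example.net are made up.
SAMPLE_HTML = """
<html><head>
<link rel="stylesheet" href="http://www.mydomain.by/css/site.css">
<link rel="canonical" href="https://mydomain.by/page/">
<script src="//cdn.example.net/widget.js"></script>
<script src="http://widgets.example.net/chat.js"></script>
</head><body>
<img src="/img/logo.png">
<img src="http://www.mydomain.by/img/banner.jpg" />
<a href="http://www.mydomain.by/page/">old absolute link</a>
<a href="/page/">relative link</a>
<iframe src="//www.youtube.com/12345"></iframe>
<form action="http://www.mydomain.by/order/" method="post"></form>
</body></html>
"""

if __name__ == "__main__":
    for kind, tag, url in scan(SAMPLE_HTML, "https://mydomain.by/page/"):
        print(f"{kind:8} <{tag}> {url}")
```

Findings of kind "link" and "form" do not trigger the mixed-content warning, but they still send visitors or submitted data back to the http version of the site.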

After you receive the SSL certificate files, the certificate must be installed on the domain. One of the easiest ways is to install it via cPanel.

  • In the "Security" section, open the item SSL/TLS


  • In the window that opens, select "Private keys (KEY)" and enter the private key in the field provided (the value of this key was sent to your e-mail when ordering a certificate)

  • Return to the SSL/TLS page. Select Certificates (CRT):

  • Upload the certificate file using the “Choose a certificate file (*.crt)” button. You can enter any description, for example “Certificate for the site”

  • Return to the SSL/TLS page. Select "Install and Manage SSL for your site (HTTPS)":


  • Select your domain from the drop-down list and click the “Autofill by Domain” button. Click the “Install Certificate” button at the end of the page.
  • Your certificate has been installed!