H-Sphere User Guide

Securing Your Connections through SSL and Shared SSL

For more information contact us at support@tokios.com.com



SSL (Secure Sockets Layer protocol) is a standard for transmitting confidential data such as credit card numbers over the Internet. Most true business sites support this feature, which gives more security to data transmitted over the WWW. This is the standard minimum security level for true business on the Internet. SSL works by using a private key to encrypt data that is transferred over the SSL connection. To read more about what SSL is and how it works, go to http://www.modssl.org/docs/2.8/index.html

You can secure transfer of the confidential data on your site through:


Using the Key and Certificate You Already Have

SSL requires a dedicated IP because name-based hosting does not support data encryption in HTTP requests. To enable SSL, go to the Web Service page and click the ON/OFF button in the SSL Support field.

If you are migrating from a different provider and already have an SSL private key and certificate, just enter them into the boxes that appear:

Creating a Temporary Certificate

The only difference between the temporary and permanent certificates is that the former is not generated by a trusted Certificate Authority. Thus, when users enter your site, they will get the "unknown certification authority" warning window.

To generate a new temporary SSL private key and certificate, click the link at the top of the form.

In the next window, confirm your data by clicking the Submit button. These data are required to generate the certificate. Don't make changes to the data if you are not sure about the purpose of these changes:

 

After you have submitted the form, the following is generated:

  • SSL Certificate Signing Request. It includes the details that you submitted in the previous step. Use this request if you want to get a permanent SSL certificate from a trusted Certificate Authority, such as Thawte and VeriSign (see below).
  • SSL Server Private Key. This is the secret key to decrypt messages from your visitors. It must be stored in a secure place where it is inaccessible to others.
  • Temporary SSL Certificate. It validates your identity and confirms the public key to assure the visitors that they are communicating with your server, not any other party.

Once you press the Submit Query button, your site will be secured with your temporary SSL pair.
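The three items listed above can also be produced and checked outside the control panel with the OpenSSL command-line tool. The following is an added example, not part of H-Sphere or the original guide; the subject fields, host name and file names are constructed placeholders. It also confirms that a private key and a certificate belong together, which is worth checking before an existing pair is pasted into the form.

```shell
#!/bin/sh
# Added example. Subject fields, host name and file names are constructed placeholders.

# Create a private key, a signing request and a 30-day self-signed
# (temporary) certificate in directory $1 for host name $2.
make_temp_pair() {
    dir=$1; cn=$2
    ( umask 077    # the private key must not be readable by other users
      openssl req -newkey rsa:2048 -nodes -sha256 \
          -subj "/C=US/O=Example Org/CN=$cn" \
          -keyout "$dir/server.key" -out "$dir/server.csr" 2>/dev/null ) || return 1
    openssl x509 -req -in "$dir/server.csr" -signkey "$dir/server.key" \
        -days 30 -sha256 -out "$dir/server.crt" 2>/dev/null
}

# Print the PEM public key contained in a key, csr or cert file.
pubkey_of() {
    case $1 in
        key)  openssl pkey -in "$2" -pubout ;;
        csr)  openssl req  -in "$2" -noout -pubkey ;;
        cert) openssl x509 -in "$2" -noout -pubkey ;;
        *)    return 2 ;;
    esac 2>/dev/null
}

# Succeed only if private key $1 and certificate $2 carry the same public key.
pair_matches() {
    k=$(pubkey_of key "$1") && c=$(pubkey_of cert "$2") || return 1
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# Succeed if certificate $1 names itself as issuer, i.e. no trusted
# Certificate Authority signed it and browsers will warn about it.
is_self_signed() {
    s=$(openssl x509 -in "$1" -noout -subject_hash 2>/dev/null) &&
    i=$(openssl x509 -in "$1" -noout -issuer_hash 2>/dev/null) || return 1
    [ "$s" = "$i" ]
}

demo=$(mktemp -d) && make_temp_pair "$demo" www.example.com &&
    pair_matches "$demo/server.key" "$demo/server.crt" &&
    is_self_signed "$demo/server.crt" &&
    echo "temporary pair created in $demo: key matches, certificate is self-signed"
```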

 

Acquiring a Permanent Certificate

To get a permanent certificate, you first need to generate a certificate signing request. It includes your details and is generated as you create a temporary SSL certificate (see above). Copy this signing request so you can use it later.

As the next step, go to Thawte, VeriSign, or any other Certificate Authority and choose to get a new certificate. When requested, enter the signing request that you have saved.

After the permanent SSL Certificate has been generated, save it to a secure location. Then go to the Web Service page and click the Edit icon in the SSL field. Enter the certificate into the upper box of the form that opens:

Then click upload. Now your transactions are secured.


Using Your Provider's SSL Certificate (Shared SSL)

If your provider offers Shared SSL certificates, you can use them instead of purchasing a certificate of your own. A Shared SSL certificate allows you to secure multiple hosts within the same domain. For example, a certificate for '*.domain.com' could be used for 'user1.domain.com', 'user2.domain.com', 'user3.domain.com'. When your client checks the host name in this certificate, it uses a shell expansion procedure to see if it matches.

Compared with a regular SSL certificate, a Shared SSL certificate costs less and doesn't require a dedicated IP, while belonging to an equally trusted Certificate Authority. The disadvantage of Shared SSL is that it can be used only with third level domains.

To secure your site with Shared SSL, go to the Web Service page and click the ON/OFF button in the Shared SSL Support field.

If you are using a second level domain (domain.com), you are asked to create a third level domain alias (e.g. domainalias.domain.com):

In the above example, the site at domain testik.com is made available both at the non-secured second level domain name address (http://testik.com) and at the secured third level domain alias address (https://testik.victor.psoft). Note that Shared SSL certificates work only within one domain level, i.e. for user1.domain.com and not for www.user1.domain.com. In the example above, the certificate will not work for www.testik.victor.psoft, and the users' browsers will show a warning message: "The name on the security certificate does not match the name of the site".
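The one-level rule can be stated precisely: the `*` stands for exactly one host-name label. The added example below (not from the original guide) implements that check and contrasts it with plain shell globbing, which would accept deeper names that browsers reject; the wildcard name `*.victor.psoft` is assumed from the addresses mentioned above.

```shell
#!/bin/sh
# Added example. '*.victor.psoft' is an assumed certificate name inferred from the text.

# Succeed if host name $2 is covered by certificate name $1.
# A leading "*." stands for exactly one non-empty label (no dots).
cert_name_matches() {
    pattern=$(printf '%s' "$1" | tr 'A-Z' 'a-z')   # host names are case-insensitive
    host=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    case $pattern in
        \*.*)
            suffix=${pattern#\*}                   # e.g. ".domain.com"
            case $host in
                *"$suffix") label=${host%"$suffix"} ;;
                *) return 1 ;;
            esac
            case $label in
                ''|*.*) return 1 ;;                # empty, or more than one level
                *) return 0 ;;
            esac ;;
        *)  [ "$pattern" = "$host" ] ;;            # no wildcard: exact match only
    esac
}

# Plain shell globbing, shown for contrast only: here "*" also matches dots,
# so it accepts names that a browser's certificate check refuses.
glob_matches() {
    case $2 in
        $1) return 0 ;;
        *)  return 1 ;;
    esac
}

for h in testik.victor.psoft www.testik.victor.psoft victor.psoft; do
    if cert_name_matches '*.victor.psoft' "$h"; then r='covered'; else r='NOT covered'; fi
    if glob_matches '*.victor.psoft' "$h"; then g='match'; else g='no match'; fi
    printf '%-26s certificate: %-12s plain glob: %s\n' "$h" "$r" "$g"
done
```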

NOTE: When designing your pages, set any internal links to images or frames as <a href='https://user.domain.com/images/example.jpg'> or simply <a href='/images/example.jpg'>. If you use the <a href='http://...> link, visitors' browsers will display the message "The page contains both secure and non-secure items". This is not much of a problem in terms of security, since visitors may simply choose the "not display nonsecure items" option, but no graphics will be displayed.

