{"id":334,"date":"2021-07-23T12:27:59","date_gmt":"2021-07-23T12:27:59","guid":{"rendered":"https:\/\/ssdsunucum.com\/blog\/guide-to-ssl\/"},"modified":"2021-07-23T12:27:59","modified_gmt":"2021-07-23T12:27:59","slug":"guide-to-ssl","status":"publish","type":"post","link":"https:\/\/ssdsunucum.com\/blog\/guide-to-ssl\/","title":{"rendered":"Guide to SSL"},"content":{"rendered":"<\/p>\n
\n
\n
\n

Valid for versions 92 through the latest version<\/em><\/p>\n<\/div>\n

\n

Version:<\/h4>\n

82<\/h4>\n

84<\/h4>\n

86<\/h4>\n

88<\/h4>\n

92<\/h4>\n<\/div><\/div>\n
\n

Overview<\/h2>\n

SSL\/TLS (Secure Sockets Layer\/Transport Layer Security) encrypts information between a visitor\u2019s browser and a server. These protocols protect against electronic eavesdroppers. This also protects sensitive communications (for example, credit card numbers and login information).<\/p>\n

Both of these protocols initiate a handshake, during which your server and the user\u2019s computer agree on specific conditions. These conditions include a set of public and private keys. Both computers use these keys to encrypt and decrypt messages transmitted during communication.<\/p>\n

\n
Important:<\/div>\n
\n

cPanel & WHM supports Transport Layer Security (TLS) protocol version 1.2 and Transport Layer Security (TLS) protocol version 1.3:<\/p>\n

    \n
  • cPanel & WHM only supports TLSv1.2 or newer. The system enables TLSv1.2 by default.<\/li>\n
  • Not all internet browsers or clients will support TLSv1.3, which requires OpenSSL 1.1.1 or higher.<\/li>\n<\/ul><\/div>\n<\/div>\n
    \n
    Note:<\/div>\n
    \n
      \n
    • \n

      You can set up SSL\/TLS for your server and configure how SSL\/TLS certificates run in cPanel\u2019s SSL\/TLS<\/em> interface (cPanel >> Home >> Security >> SSL\/TLS<\/em>).<\/p>\n<\/li>\n

    • \n

      cPanel, L.L.C. does not<\/strong> offer free signed or self-signed hostname certificates for cPanel DNSOnly\u00ae servers.<\/p>\n<\/li>\n<\/ul><\/div>\n<\/div>\n

      SSL certificates<\/h2>\n

      An SSL certificate is an electronic document that digitally binds a public key to an identity. This helps secure the connection between a web browser and a website. An SSL certificate serves the following functions:<\/p>\n

        \n
      • \n

        Encryption \u2014 Encodes data. This helps to ensure that if someone intercepts the transmission, they cannot understand it.<\/p>\n<\/li>\n

      • \n

        Identification verification \u2014 This ensures that you connect to the correct server.<\/p>\n<\/li>\n<\/ul>\n

        \n
        Note:<\/div>\n
        \n
          \n
        • SSL certificates review domain names literally. For example, SSL interprets www.example.com<\/code> and example.com<\/code> as two different domains.<\/li>\n
        • The Common Name (CN) entry of an SSL certificate is cosmetic and does not<\/strong> affect the security of a certificate.<\/li>\n
        • An SSL certificate\u2019s CN does not<\/strong> need to be the main domain. The certificate covers all<\/em> domains listed in the certificate\u2019s Subject Alternative Name (SAN) field.<\/li>\n<\/ul><\/div>\n<\/div>\n

          SSL key security<\/h4>\n

          When you generate an SSL certificate, you can select the type of key that your SSL certificate uses. You can also select the type of key the system uses by default when generating SSL certificates:<\/p>\n

            \n
          • In WHM, use either WHM\u2019s SSL\/TLS Configuration<\/em> interface (WHM >> Home >> SSL\/TLS >> SSL\/TLS Configuration<\/em>) or the Default SSL\/TLS Key Type<\/em> setting in WHM\u2019s Tweak Settings<\/em> interface (WHM >> Home >> Server Configuration >> Tweak Settings<\/em>).\n
            \n
            Note:<\/div>\n
            \n

            This setting only<\/strong> applies to cPanel users who do not<\/strong> set a default key type.<\/p>\n<\/p><\/div>\n<\/div>\n<\/li>\n

          • In cPanel, use the SSL\/TLS<\/em> interface (cPanel >> Home >> Security >> SSL\/TLS<\/em>).<\/li>\n<\/ul>\n
            \n
            Important:<\/div>\n
            \n

            When selecting a new default key type, the system performs an AutoSSL run. This updates all<\/strong> installed AutoSSL-issued certificates to use the new key type.<\/p>\n<\/p><\/div>\n<\/div>\n

            Certificate types<\/h3>\n

            When you work with SSL, you may encounter the following types of SSL certificates:<\/p>\n

              \n
            • \n

              Single-domain<\/strong> \u2014 This certificate type secures a single domain or subdomain.<\/p>\n<\/li>\n

            • \n

              Multi-domain<\/strong> \u2014 This certificate type secures many domains with one certificate. It is also called a Unified Communications\/Subject Alternate Name (UC\/SAN) certificate.<\/p>\n

              \n
              Note:<\/div>\n
              \n

              You must<\/strong> reissue a multi-domain certificates each time you add a new hostname.<\/p>\n<\/p><\/div>\n<\/div>\n<\/li>\n

            • \n

              Self-signed<\/strong> \u2014 This certificate type does not<\/strong> verify the identity of the server and does not<\/strong> require a CA. These certificates are not<\/strong> secure. Visitors\u2019 browsers will display a warning when they access the site. You can create a self-signed SSL certificate in WHM\u2019s Generate an SSL Certificate and Signing Request<\/em> interface (WHM >> Home >> SSL\/TLS >> Generate an SSL Certificate and Signing Request<\/em>).<\/p>\n

              \n
              Important:<\/div>\n
              \n

              We strongly<\/strong> recommend using a valid signed<\/strong> certificate if your website handles sensitive data.<\/p>\n<\/p><\/div>\n<\/div>\n<\/li>\n

            • \n

              Shared SSL<\/strong> \u2014 This certificate type allows you to secure multiple domains with the same SSL certificate.<\/p>\n

              \n
              Note:<\/div>\n
              \n

              As of cPanel & WHM version 76, we do not<\/strong> support this type of certificate.<\/p>\n<\/p><\/div>\n<\/div>\n<\/li>\n

            • \n

              Wildcard<\/strong> \u2014 Any type of certificate that contains a wildcard (*<\/code>) domain. You can secure a domain\u2019s subdomains with a single certificate if they share an IP address. For example, you can use a wildcard for the *.example.com<\/code> domain to also secure the mail.example.com<\/code> and www.example.com<\/code> subdomains. However, this will not<\/strong> secure the to example.com<\/code> domain.<\/p>\n

              \n
              Note:<\/div>\n
              \n
                \n
              • \n

                You can apply a wildcard certificate to services in WHM\u2019s Manage Service SSL Certificates<\/em> interface (WHM >> Home >> Service Configuration >> Manage Service SSL Certificates<\/em>).<\/p>\n<\/li>\n

              • \n

                The root<\/code> user may install a wildcard certificate on a collection of subdomains for a single root<\/code> domain on multiple IP addresses. If this configuration uses multiple IP addresses, a user on the server cannot<\/strong> own the root<\/code> domain.<\/p>\n<\/li>\n<\/ul><\/div>\n<\/div>\n<\/li>\n<\/ul>\n

                SNI support<\/h3>\n

                Server Name Indication (SNI) support allows you to host multiple SSL certificates for different domains on the same IP address. At the beginning of the handshake process, SNI indicates the hostname to which the client connects. Users on shared servers that support SNI can install their own certificates without a dedicated IP address.<\/p>\n

                \n
                Note:<\/div>\n
                \n

                cPanel & WHM servers do not<\/strong> support SNI for the FTP service.<\/p>\n<\/p><\/div>\n<\/div>\n

                Certificate authorities<\/h2>\n

                Your Certificate Authority (CA) is the trusted third-party entity that issues your SSL certificates.<\/p>\n

                CA bundle files<\/h3>\n

                Generally, when you purchase an SSL certificate, the CA will provide you a CA bundle file. Some providers will send you the bundle file as a .cab<\/code> or .zip<\/code> file, others provide the files individually, and some will provide you a URL to download the bundle file.<\/p>\n

                A bundle file will contain the following details about the SSL certificate:<\/p>\n

                  \n
                • \n

                  The CA that issued the certificate.<\/p>\n<\/li>\n

                • \n

                  Any of the CA\u2019s certificates, root or intermediate.<\/p>\n<\/li>\n

                • \n

                  The chain of trust for the issuer.<\/p>\n

                  \n
                  Note:<\/div>\n
                  \n

                  A CA can vouch for other CAs, which results in a chain of trust. For a CA to sell certificates, another CA must vouch for them.<\/p>\n<\/p><\/div>\n<\/div>\n<\/li>\n

                • \n

                  Certificate Revocation Lists (CRLs).<\/p>\n<\/li>\n<\/ul>\n

                  \n
                  Note:<\/div>\n
                  \n
                    \n
                  • \n

                    The order of files in a bundle is important. If the CA sends individual files, we recommend that you ask them to pack them into a bundle file for you.<\/p>\n<\/li>\n

                  • \n

                    Bundle files for EV (Extended Validated) certificates may contain more files than certificates than OV (Organization Validated) and DV (Domain Validated) certificates.<\/p>\n<\/li>\n<\/ul><\/div>\n<\/div>\n

                    Browsers include a list of trusted CAs, and they use the list to determine whether to trust a specific CA.<\/p>\n

                    You can locate a domain\u2019s CA bundle with either of the following UAPI functions:<\/p>\n

                      \n
                    • \n

                      SSL::get_cabundle<\/code><\/p>\n<\/li>\n

                    • \n

                      SSL::fetch_key_and_cabundle_for_certificate<\/code><\/p>\n<\/li>\n<\/ul>\n

                      You can install a CA bundle in either of the following interfaces:<\/p>\n

                        \n
                      • \n

                        cPanel\u2019s Manage SSL Sites<\/em> interface (cPanel >> Home >> Security >> SSL\/TLS >> Manage SSL Sites<\/em>).<\/p>\n<\/li>\n

                      • \n

                        WHM\u2019s Install an SSL Certificate on a Domain<\/em> interface (WHM >> Home >> SSL\/TLS >> Install an SSL Certificate on a Domain<\/em>).<\/p>\n<\/li>\n<\/ul>\n

                        You can also use the UAPI SSL::install_ssl<\/code> function to install a CA bundle.<\/p>\n

                        CAA records<\/h3>\n

                        A Certification Authority Authorization (CAA) record specifies which CAs may issue certificates for a domain. If no CAA records exist for a domain, all CAs can issue certificates for that domain. You can manage CAA records through WHM\u2019s DNS Zone Manager<\/em> interface (WHM >> Home >> DNS Functions >> DNS Zone Manager<\/em>) or through cPanel\u2019s Zone Editor<\/em> interface (cPanel >> Home >> Domains >> Zone Editor<\/em>).<\/p>\n

                        If conflicting CAA records already exist, you must<\/strong> either remove the current CAA records or add one for the desired CAA. For example, a CAA record for Sectigo would resemble the following example, where example.com<\/code> represents the domain name:<\/p>\n

                        \n
                        example.com.    86400<\/span>   IN  CAA 0<\/span> issue \"sectigo.com\"<\/span><\/code><\/pre>\n<\/div>\n
                        Similarly, a CAA record for Let\u2019s Encrypt would resemble the following example, where example.com<\/code> represents the domain name:<\/p>\n
                        \n
                        example.com.    86400<\/span>   IN  CAA 0<\/span> issue \"letsencrypt.com\"<\/span><\/code><\/pre>\n<\/div>\n
                        AutoSSL<\/h2>\n
                        AutoSSL secures multiple domains with the assumption that all of the domains resolve to the same virtual host. A cPanel-issued AutoSSL certificate expires after 90 days. However, AutoSSL attempts to automatically replace that certificate before it expires.<\/p>\n
                        If your hosting provider has enabled notifications for AutoSSL, the system will send you an email when it generates or renews an AutoSSL certificate for a domain.<\/p>\n
                        \n
                        Important:<\/div>\n
                        \n
                          \n
                        • \n
                          You can use the cPanel (powered by Sectigo) provider to secure up to 1,000 domains per certificate.<\/p>\n<\/li>\n
                        • \n
                          AutoSSL does not<\/strong> issue certificates for websites on suspended accounts. You must<\/strong> first activate the account in order for AutoSSL to issue a certificate.<\/p>\n<\/li>\n
                        • \n
                          AutoSSL adds service subdomains to the SSL certificate using a sort algorithm. For more information about service subdomains, read our Service and Proxy Subdomains documentation.<\/p>\n<\/li>\n<\/ul><\/div>\n<\/div>\n
                          AutoSSL sorting<\/h3>\n
                          AutoSSL uses a sort algorithm to establish which domains to add to the certificate first. This sort order ensures that the system adds the domains that customers will most likely visit to the certificate first. For example, customers most likely intend to navigate to example.com<\/code> versus www.subdomain.example.com<\/code>.<\/p>\n
                          The default sort algorithm prioritizes domains in the following order:<\/p>\n
                            \n
                          1. \n
                            Any fully-qualified domain names (FQDNs) that the virtual host\u2019s current SSL certificate secures.<\/p>\n<\/li>\n
                          2. \n
                            The primary domain on the cPanel account and its ipv6<\/code>, www.<\/code> and mail.<\/code> subdomains.<\/p>\n<\/li>\n
                          3. \n
                            Each addon domain and its www.<\/code> and mail.<\/code> subdomains. For example, the example<\/code> cPanel user (whose primary domain is example.com<\/code>), creates the foo.com<\/code> addon domain. This addon domain, like all cPanel addon domains, exists on a separate virtual host with a subdomain. In this case, the system prioritizes foo.com<\/code> over foo.example.com<\/code>.<\/p>\n<\/li>\n
                          4. \n
                            Domains with fewer dots. For example, AutoSSL would prioritize foo.com<\/code> over of www.foo.com<\/code>.<\/p>\n<\/li>\n
                          5. \n
                            The www<\/code>, mail<\/code>, whm<\/code>, webmail<\/code>, cpanel<\/code>, autodiscover<\/code>, and webdisk<\/code> subdomains.<\/p>\n
                            \n
                            Note:<\/div>\n
                            \n
                            AutoSSL only adds the whm<\/code> service subdomain to the SSL certificate for reseller accounts.<\/p>\n<\/p><\/div>\n<\/div>\n<\/li>\n
                          6. \n
                            Shorter domains.<\/p>\n<\/li>\n<\/ol>\n
                            AutoSSL providers<\/h3>\n
                            The cPanel (powered by Sectigo) provider<\/h4>\n
                            By default, cPanel & WHM uses the cPanel (powered by Sectigo) provider. It is free and comes with your cPanel & WHM license.<\/p>\n
                            The Let\u2019s Encrypt plugin<\/h4>\n
                            You can install the Let\u2019s Encrypt\u2122 AutoSSL plugin. This lets you select Let\u2019s Encrypt as a provider. For more information about the plugin, read our Let\u2019s Encrypt Plugin documentation.<\/p>\n
                            The Let\u2019s Encrypt provider has the following limitations:<\/p>\n
                              \n
                            • \n
                              A rate limit of 300 certificate orders every three hours<\/strong>.<\/p>\n<\/li>\n
                            • \n
                              A weekly<\/strong> limit of 50 registered domains.<\/p>\n<\/li>\n
                            • \n
                              A maximum<\/strong> of 100 subdomains per certificate.<\/p>\n<\/li>\n
                            • \n
                              Limits the certificates it issues to a specific set of domains to five certificates per week<\/strong>. After this, Let\u2019s Encrypt blocks any further certificates for that set of domains.<\/p>\n
                              \n
                              Note:<\/div>\n
                              \n
                              To work around this rate limit, create an alias to a domain in the virtual host list (website). Let\u2019s Encrypt will interpret the virtual host as a new set of domains.<\/p>\n<\/p><\/div>\n<\/div>\n<\/li>\n<\/ul>\n
                              For more information about Let\u2019s Encrypt\u2019s rate limits, read their rate limit documentation.<\/p>\n
                              Domain and rate limits<\/h3>\n
                              The AutoSSL feature includes the following limitations and conditions:<\/p>\n
                                \n
                              • \n
                                A domain\u2019s DNS zone contains CAA records. These CAA records restrict which CAs may issue certificates for that domain. If a CAA record for another provider already exists, you can remove that CAA record or add one for the desired CA. If no CAA records exist for a domain, all CAs can issue certificates for that domain.<\/p>\n
                                  \n
                                • Your server\u2019s DNS zone can have more than one CAA record to receive certificates from more than one CA.<\/li>\n<\/ul>\n<\/li>\n
                                • \n
                                  Each AutoSSL provider may use a specific domain rate limit:<\/p>\n
                                    \n
                                  • \n
                                    Certificates that cPanel, L.L.C. provides through AutoSSL can secure a maximum<\/strong> of 1,000 domains per certificate (Apache virtual host). The following demonstrates these limitations for the cPanel AutoSSL provider:<\/p>\n
                                      \n
                                    • Virtual host with 1,000 domains \u2014 AutoSSL secures every domain on the virtual host.<\/li>\n
                                    • Virtual host with 1,002 domains \u2014 AutoSSL can only<\/strong> secure up to 1,000 of the virtual host\u2019s domains. AutoSSL chooses which domains to secure by sorting those domains which pass Domain Control Validation (DCV) and taking the first 1,000.<\/li>\n<\/ul>\n<\/li>\n
                                    • \n
                                      Certificates that Let\u2019s Encrypt provides can secure a maximum of 100 domains every three hours<\/strong>.<\/p>\n<\/li>\n
                                    • \n
                                      Aliases count three times<\/strong> towards each certificate\u2019s domains limit. When you create an alias domain, the system adds the following aliases to the original virtual host (where aliasdomain.com<\/code> represents the alias domain):<\/p>\n
                                        \n
                                      • aliasdomain.com<\/code><\/li>\n
                                      • www.aliasdomain.com<\/code><\/li>\n
                                      • mail.aliasdomain.com<\/code><\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<\/li>\n
                                      • \n
                                        AutoSSL only<\/strong> includes domains and subdomains that pass a DCV test. This DCV proves ownership of the domain.<\/p>\n<\/li>\n
                                      • \n
                                        AutoSSL includes corresponding www.<\/code> domains for each domain and subdomain in the certificate, and those www.<\/code> domains count towards any domain or rate limits. For example, for the example.com<\/code> domain, AutoSSL automatically includes www.example.com<\/code> in the certificate. If the corresponding www.<\/code> domain does not<\/strong> pass a DCV test, AutoSSL will not<\/strong> attempt to secure that www.<\/code> domain.<\/p>\n
                                          \n
                                        • This method affects Let\u2019s Encrypt\u2019s limit of 50 certificates per week that may contain a domain or its subdomains.<\/li>\n<\/ul>\n<\/li>\n
                                        • \n
                                          The default cPanel AutoSSL provider does not<\/strong> secure wildcard domains. However, the Let\u2019s Encrypt provider will secure wildcard domains.<\/p>\n<\/li>\n
                                        • \n
                                          Each AutoSSL provider may wait for a specific amount of time to replace an AutoSSL-provided certificate before it expires. For example:<\/p>\n
                                            \n
                                          • \n
                                            AutoSSL attempts to renew certificates that cPanel, L.L.C. provides when they expire within 15 days.<\/p>\n<\/li>\n
                                          • \n
                                            AutoSSL attempts to renew certificates that Let\u2019s Encrypt provides when they expire within 29 days.<\/p>\n<\/li>\n
                                          • \n
                                            Due to rate limits, AutoSSL prioritizes new certificates over the renewal of existing certificates.<\/p>\n<\/li>\n<\/ul>\n<\/li>\n
                                          • \n
                                            AutoSSL will not<\/strong> attempt to replace certificates that it did not issue. You can override this behavior if you enable the Allow AutoSSL to replace invalid or expiring non-AutoSSL certificates<\/em> setting in WHM\u2019s Manage AutoSSL<\/em> interface (WHM >> Home >> SSL\/TLS >> Manage AutoSSL<\/em>).<\/p>\n<\/li>\n
                                          • \n
                                            AutoSSL replaces certificates with overly-weak security settings. For example, an RSA modulus of 2048-bit or less.<\/p>\n<\/li>\n
                                          • \n
                                            A virtual host may contain more than the provider\u2019s limit of domain names per certificate. AutoSSL uses a sort algorithm to determine the priority of domains to secure. For more information, read the AutoSSL sorting section above.<\/p>\n<\/li>\n<\/ul>\n
                                            How to Manually Renew AutoSSL Certificates<\/h3>\n
                                            AutoSSL provides and renews SSL certificates. AutoSSL attempts to renew certificates that cPanel, L.L.C. provides when they expire within 15 days. AutoSSL attempts to renew certificates that Let\u2019s Encrypt provides when they expire within 29 days. You can also manually renew certificates prior to the next automated run.<\/p>\n
                                            To manually renew a certificate for a single cPanel user:<\/h4>\n
                                              \n
                                            1. Log in to cPanel as the user.<\/li>\n
                                            2. Navigate to cPanel\u2019s SSL\/TLS Status<\/em> inferface (cPanel >> Security >> SSL\/TLS Status<\/em>).<\/li>\n
                                            3. Select Run AutoSSL<\/em>.<\/li>\n<\/ol>\n
                                              To manually renew a certificate before revocation:<\/h4>\n
                                                \n
                                              1. Log in to cPanel as the user.<\/li>\n
                                              2. Navigate to cPanel\u2019s Manage SSL Sites<\/em> interface (cPanel >> Security >> SSL\/TLS >> Manage SSL Sites<\/em>).<\/li>\n
                                              3. Delete the affected certificate.<\/li>\n
                                              4. Navigate to cPanel\u2019s SSL\/TLS Status<\/em> inferface (cPanel >> Security >> SSL\/TLS Status<\/em>).<\/li>\n
                                              5. Select Run AutoSSL<\/em>.<\/li>\n<\/ol><\/div>\n","protected":false},"excerpt":{"rendered":"
                                                Valid for versions 92 through the latest version Version: 82 84 86 88 92 Overview SSL\/TLS (Secure Sockets Layer\/Transport Layer Security) encrypts information between a visitor\u2019s browser and a server. These protocols protect against electronic eavesdroppers. This also protects sensitive communications (for example, credit card numbers and login information). Both of these protocols initiate a …<\/p>\n","protected":false},"author":1,"featured_media":335,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":[],"categories":[1],"tags":[],"amp_enabled":true,"_links":{"self":[{"href":"https:\/\/ssdsunucum.com\/blog\/wp-json\/wp\/v2\/posts\/334"}],"collection":[{"href":"https:\/\/ssdsunucum.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/ssdsunucum.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/ssdsunucum.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/ssdsunucum.com\/blog\/wp-json\/wp\/v2\/comments?post=334"}],"version-history":[{"count":0,"href":"https:\/\/ssdsunucum.com\/blog\/wp-json\/wp\/v2\/posts\/334\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/ssdsunucum.com\/blog\/wp-json\/wp\/v2\/media\/335"}],"wp:attachment":[{"href":"https:\/\/ssdsunucum.com\/blog\/wp-json\/wp\/v2\/media?parent=334"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/ssdsunucum.com\/blog\/wp-json\/wp\/v2\/categories?post=334"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/ssdsunucum.com\/blog\/wp-json\/wp\/v2\/tags?post=334"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}