This FAQ covers steps to be taken when you purchase an SSL certificate, such as: how to generate a private key, how to generate a CSR, etc. If you follow these simple instructions in order you should have no problem having your SSL certificate issued correctly.
- Decide which domain name or subdomain you want to secure. Please be aware that www.domain.com, domain.com, and secure.domain.com are technically three different domains, even though they all have the same base domain name of domain.com. Because there's been so much confusion over whether to include/cover the "www.", which is typical and normal to use for the majority of websites, GeoTrust and other SSL certificate vendors have now started automatically including the base domain name when you generate a certificate for the domain name with "www" (www.domain.com).
Unless you plan to secure a subdomain (e.g., secure.yourdomain.com, members.yourdomain.com, etc.) we recommend using www.yourdomain.com. This will secure both www.yourdomain.com and yourdomain.com.
- Decide on an "approver email address" to use, and create an email forward for that, if necessary.
cPanel -> Mail -> Forwarders.
In order to guard against fraud and to verify that you are who you say you are (and have access to the domain name that you are purchasing an SSL certificate for), an email will be sent to an email address associated with your domain name. The email will contain a link to the SSL vendor's website and you will need to click "I Approve" in order to authorize the SSL certificate to be issued.
We recommend using "postmaster@yourdomain.com". Why? Because SSL certificate vendors have certain generic email addresses hard-coded into their list of acceptable email addresses.
In addition, the email address you give as an "Approver Email" address will also be hard-coded into your certificate, which means this email address will be made public, just as the email address used in any WhoIs contact information for a domain name. It needs to be a valid email address, and yet it's not normally advisable to use your main email address (unless you really like spam!). The thing is, people, even companies, change email addresses on occasion. This is why we suggest using an email forward, which can be forwarded to any email address you regularly check while still protecting your main email address from spammers. Should you change your main email address, you can edit the forward to send it to your new email address seamlessly.
We recommend using/creating "postmaster@yourdomain.com" as an email forward because it's always one of the options offered by all SSL vendors and it's an email mailbox (or forward) every domain name is supposed to have created anyway, per RFC 5321 and RFC 822. The other contact option all SSL vendors allow is to use the contact email address listed on your domain name's WhoIs.
- Create a private key. Log in to cPanel, go to Security -> SSL/TLS Manager. Next, under the Private Keys section, click "Generate, view, upload or delete your private keys."
If you've already generated a private key you can upload it or paste it into the textarea box (make sure it's for the same exact domain/subdomain you wish to secure), otherwise go to the bottom to Generate a New Key.
Choose the strongest encryption (the highest number for the key size) available from the drop-down list (which at this writing is 4,096 bits**). You can select the domain from the domain drop-down list or type it in within the "Host" text box on the left. Next click Generate. When you're done, click Return to SSL Manager.
**Do not create a 1,024-bit key, as it's a very old form of encryption which is no longer used, and most SSL certificate vendors will reject it. If you're not one of our hosting clients and your hosting company still uses an old version of cPanel (11.28 and prior), you will only have a choice between 1,024 bits and 2,048 bits. As of cPanel version 11.30, 4,096-bit keys were added. The higher the number of bits in your private key, the harder it is to crack.
- Generate a CSR (Certificate Signing Request). Click "Generate, view, or delete SSL signing requests", and fill in the form to create a CSR. Be sure of the information you include in the CSR, as it will be hard-coded into your SSL certificate and can't be changed once the certificate is issued.
If you set an Organization Name then you'll also need to set your Job Title. The Email should be the same as the Approver Email in step #2. It's important that all information you give in all steps of this process matches.
Choose a strong Pass Phrase and make note of it. I usually keep mine in a .txt file along with the key, CSR, and CRT (certificate) once it's issued, and stored in a safe place. It's one of those things that you'll likely never need, but if and when you do, it will be important (such as if you move your website to a new hosting company and need to reinstall the certificate).
Once the CSR is generated it will look like this:
- Copy the entire CSR (JUST AS IT IS FORMATTED, including -----BEGIN CERTIFICATE REQUEST----- and -----END CERTIFICATE REQUEST-----, each on its own line, just as it is) and paste it into a .txt file (using NotePad or another TEXT editor; Microsoft Word is NOT a text editor). Save this .txt file and keep it handy for when you purchase your SSL certificate, as you will need it during the configuration process.
- Now you're ready to purchase the SSL certificate! Go to purchase your SSL certificate. Because the expiration date is hard-coded into the certificate itself, SSL certificates can't be renewed like a domain name. At the end of the certificate's term you will need to purchase a new certificate, generate a new CSR, and go through all this same rigmarole to install it. That's why it's recommended that you purchase a certificate good for as many years as you can afford (and/or will use), because even when you've done it before, installing an SSL certificate is a time-consuming hassle. Certificates purchased for more than one year at a time will also save you some money per year.
Specify the domain name you wish to secure (from step #1) in the "Configure Your Order" part of the purchase process. Complete the payment portion of your purchase.
- You will receive a couple of emails from us, sent to the email address on your Client Portal account (not the Approver Email, if different). The first will be to confirm your order (subject line "Order Confirmation"); the second email from us, with the subject line "SSL Certificate Configuration Required", will contain a link back to our site for you to configure your order and enter the information for your certificate that will be submitted to the SSL Authority. When you click on the link you will be taken to this screen:
7a. Under Server Information choose your type of server from the Web Server Type drop-down list. For the vast majority of you, this will be cPanel/WHM:
7b. Paste your CSR (that you created in cPanel) into the CSR textarea box. As stated above (in step #5), paste it exactly as it is, including the BEGIN and END lines. You can copy those into the textarea box (over the ones that are already there, replacing them) or carefully copy just the encoded portion and paste it in between those lines. When you're done it should look like this:
7c. Make any corrections necessary to the Administrative Contact Information, which is prefilled for you (taken from your contact information in your Client Portal account). Click the Click to Continue button at the bottom to continue to the next screen. Please be aware that this information will be hard-coded into your certificate, and thereby public to anyone who knows how to view an SSL certificate. This needs to be valid information, but there are ways to protect your privacy if you aren't a retail business, such as using a Google Voice phone number, a Post Office box, an email forward, etc.
- Choose your "Approver Email" from the options listed.
Click to Continue and you should see a Configuration Complete confirmation screen.
- Review and Approve your order. Next you will receive an email from our SSL Authority (typically @geotrust.com), sent to the Approver Email address that you specified. The email will contain a link and the following instructions:
Please follow the above link and click either the I APPROVE or I DO NOT APPROVE button.
Follow the link and review the order. Unless you've entered the wrong information, everything should be correct, and you would want to click the I Approve button.
- Your shiny new SSL certificate will be emailed to you by the SSL Authority, in just a few moments! The SSL certificate will be included in the text of the email, for you to copy and paste into the appropriate box in cPanel's SSL Manager.
Please see the "Installing an SSL Certificate" FAQ for installation instructions.
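
For readers with shell access, the key and CSR from steps 3 to 5 can be produced and checked with the openssl command-line tool before the CSR is pasted into the order form, since a CSR that does not match its key or names the wrong host cannot be corrected after issuance. This is an added example, not part of the original FAQ or of cPanel; the function names, file names and the choice to write the key without a passphrase are assumptions made for illustration.

```shell
# Added example, not from the original FAQ. Paths and host are caller-chosen.

# Create an RSA key and a CSR for one host name (what steps 3 and 4 do).
make_key_and_csr() {   # usage: make_key_and_csr HOST BITS KEYFILE CSRFILE
    local host="$1" bits="$2" key="$3" csr="$4"
    ( umask 077        # keep the private key unreadable by other users
      openssl req -new -newkey "rsa:$bits" -nodes \
          -keyout "$key" -out "$csr" -subj "/CN=$host" 2>/dev/null )
}

# Return 0 only if the CSR text is intact, was made from KEYFILE, names HOST,
# and its key has at least MINBITS bits (default 2048).
check_csr() {          # usage: check_csr CSRFILE KEYFILE HOST [MINBITS]
    local csr="$1" key="$2" host="$3" minbits="${4:-2048}" cn bits
    # Step 5: both framing lines must be present, each on its own line.
    grep -qxF -e "-----BEGIN CERTIFICATE REQUEST-----" "$csr" &&
    grep -qxF -e "-----END CERTIFICATE REQUEST-----" "$csr" ||
        { echo "BEGIN/END line missing or altered" >&2; return 1; }
    # A CSR is signed with its own key; a damaged body fails this check.
    openssl req -in "$csr" -noout -verify 2>&1 | grep -q "verify OK" ||
        { echo "CSR signature does not verify" >&2; return 1; }
    # The public key inside the CSR must match the private key on file.
    [ "$(openssl req -in "$csr" -noout -pubkey 2>/dev/null)" = \
      "$(openssl pkey -in "$key" -pubout 2>/dev/null)" ] ||
        { echo "CSR was not generated from this private key" >&2; return 1; }
    # The Common Name must be exactly the host name chosen in step 1.
    cn=$(openssl req -in "$csr" -noout -subject -nameopt multiline |
         sed -n 's/^ *commonName *= *//p')
    [ "$cn" = "$host" ] ||
        { echo "CN is '$cn', expected '$host'" >&2; return 1; }
    # 1,024-bit keys are rejected by vendors, so enforce a minimum size.
    bits=$(openssl req -in "$csr" -noout -text |
           sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p')
    [ "${bits:-0}" -ge "$minbits" ] ||
        { echo "key is ${bits:-?} bits, minimum is $minbits" >&2; return 1; }
}

# Usage: make_key_and_csr www.yourdomain.com 4096 site.key site.csr
#        check_csr site.csr site.key www.yourdomain.com
```

Only the CSR file is ever submitted to the vendor; the key file stays on the server and in your offline backup.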