SSL Certificates Overview
In this article, we will take an in-depth look at what an SSL certificate is and how it works. For the purpose of this article, “SSL” and “TLS” certificates are one and the same, as TLS is the predecessor to SSL certificates and current versions of cPanel support up to TLS 1.0 connections.
What is an SSL Certificate?
In this section, we will give a basic overview of what SSL certificates are. SSL stands for Secure Sockets Layer, and it is a protocol that does two main things.
- 1) It encrypts all data sent between your visitors and the server, helping to prevent 3rd party assailants from seeing the data as it moves over the internet.
- 2) It “certifies” your website, telling your visitors’ browsers that this site is indeed the correct site and not some phishing site trying to take their information.
Now, you may be asking what the difference is between HTTPS and SSL, and the answer is… none! When you see HTTPS, it is telling you that the site is secured with an SSL certificate.
Why do I need an SSL?
For most websites you won’t need an SSL certificate. However, if you work with any type of sensitive information (credit card details, medical records, or if you just want to secure your site’s login), it is highly recommended that you have an SSL certificate to help keep that information secure. In fact, in some situations (mostly when dealing with credit card details or medical records), you are required to have some form of SSL certificate.
Depending on the purpose of your website, you may need to contact your credit card merchant or review HIPAA guidelines to find out if one is needed.
How do they work?
At its most basic, an SSL certificate encrypts all data sent between the server and the user using a private and public key. The server holds the private key and sends out the public key to be used by the client when encrypting traffic sent from their computer. At the same time, the browser generates a public and private key and sends the public key back to the server so the server has a method of encrypting traffic.
So, you’ve decided you need to purchase an SSL certificate but can’t decide which one you need. We’ll help by breaking down the differences between each of the types of SSL certificates so you can find the one that will suit your needs.
PositiveSSL – $39.95/year
A PositiveSSL certificate is a great general certificate for times when general visitors will be visiting a secure section of your site, such as their shopping cart or a login page where they would be providing sensitive information. PositiveSSL certificates are also domain name specific, so they can only secure 1 specific domain name such as “www.example.com” or “cart.example.com”. Some of the features included with a PositiveSSL are as follows:
- Cost-effective SSL certificate with easy validation
- Domain validation
- 256-bit encryption
- 99.9% browser compatibility
- $10,000 relying party warranty
- Unlimited re-issuance policy
- Site Seal included
PositiveSSL Wildcard – $149/year
A wildcard SSL certificate is one you would use if you needed to provide a secure connection to all areas of your site over multiple subdomains such as “www.example.com”, “cart.example.com”, and “login.example.com”. Using a Wildcard SSL certificate will provide you with the ability to have a validated secure connection over all subdomains on your site. Some of the features included with a PositiveSSL Wildcard SSL certificate are as follows:
- Cost-effective, securing multiple subdomains with one certificate
- Domain validation
- 99.9% browser compatibility
- $10,000 relying party warranty
- Unlimited re-issuance policy
- Site Seal included
Differences between 2048 and 4096 bit RSA Keys
Before being able to purchase an SSL certificate, a Certificate Request and RSA Key must be generated to tie to the SSL certificate. When you reach this step, you are presented with a choice between a 2048 bit and a 4096 bit key. Both of these are highly secure levels of encryption, with 4096 being exponentially more secure than 2048 bit keys. But, being more secure, 4096 bit keys are bigger and, as such, take up more space and take more CPU resources to decrypt. Some of the differences between these two encryption levels are as follows:
- 2048 bit keys
  - Use less CPU than a longer key during encryption and authentication and keep your visitors’ computers running well while visiting your site.
  - Using less CPU means using less battery power. This is important for visitors accessing your site on mobile devices.
- 4096 bit keys
  - Against some types of attacks, security is not just doubled with a 4096 bit key, it is exponential. 4096 is significantly more secure in this situation. If an attack is found that allows a 2048 bit key to be compromised in 10 hours, that does not suggest that a 4096 bit key can be cracked within 20 hours. The attack that can break a 2048 bit key in 50 hours may still need several years to break a 4096 bit key.
  - Some types of keys, such as a PGP key which is signed by many other people, are desirable to keep for an extended period of time. In this context, the hassle of replacing all of the signatures may be extremely high and it is a good idea to have a future-proof key length.
As you can see, both of these keys do have their benefits and for most short term situations such as SSL certificates, 2048 bit keys are sufficient unless your SSL certificate provider requires a higher level of encryption.
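The key and Certificate Request step described above, as an added example that is not part of the original article or the host's own tooling: it generates a key and CSR at both sizes with the openssl command line, checks that each CSR is intact and matches its private key, and shows the size difference as signature bytes. The helper function names and the temporary directory are assumptions; www.example.com is the article's placeholder domain.

```shell
#!/bin/sh
# Added example: key + CSR generation at both sizes, with pre-submission checks.
# Helper names are hypothetical; www.example.com is a placeholder domain.
set -eu
umask 077    # private key files must not be group/world readable

# make_csr BITS CN DIR -> writes DIR/BITS.key (unencrypted) and DIR/BITS.csr
make_csr() {
    openssl req -new -newkey "rsa:$1" -nodes -sha256 \
        -subj "/CN=$2" -keyout "$3/$1.key" -out "$3/$1.csr" 2>/dev/null
}

# csr_key_bits CSR -> RSA modulus size recorded in the request
csr_key_bits() {
    openssl req -in "$1" -noout -text |
        sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p'
}

# csr_self_signed_ok CSR -> succeeds if the request's own signature verifies
csr_self_signed_ok() {
    openssl req -in "$1" -noout -verify 2>&1 | grep -q 'verify OK'
}

# key_matches_csr KEY CSR -> succeeds if both carry the same public key
key_matches_csr() {
    [ "$(openssl pkey -in "$1" -pubout)" = \
      "$(openssl req -in "$2" -noout -pubkey)" ]
}

# sig_bytes KEY -> size in bytes of one RSA signature made with KEY
sig_bytes() {
    printf 'constructed sample message' |
        openssl dgst -sha256 -sign "$1" | wc -c | tr -d ' '
}

workdir=$(mktemp -d)
trap 'rm -rf "$workdir"' EXIT
for bits in 2048 4096; do
    make_csr "$bits" www.example.com "$workdir"
    csr_self_signed_ok "$workdir/$bits.csr"
    key_matches_csr "$workdir/$bits.key" "$workdir/$bits.csr"
    echo "$bits-bit: CSR reports $(csr_key_bits "$workdir/$bits.csr") bits," \
         "signature is $(sig_bytes "$workdir/$bits.key") bytes"
done
```

Running `openssl speed rsa2048 rsa4096` measures the CPU cost difference on your own hardware. Only the CSR is needed by the certificate issuer; the private key is never part of the request.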
How do I get one?
While we do allow SSL certificates provided by other issuers, we also provide the ability to purchase SSL certificates directly through Backstage.
For more information about how to order an SSL certificate, please contact us via live chat.
That’s a wrap!
We hope this article has been enlightening and that we have shed some light on how SSL certificates help make the internet a more secure place. If you ever have any questions, please feel free to leave a comment here. You can also open a ticket with our support team by visiting the support tab in Backstage or by emailing us directly at [email protected]
Tony Rossetti February 1, 2014 at 4:40 pm
How do I determine the status of my SSL Cert?
James Davey February 3, 2014 at 8:34 am
Hi Tony,
There are a few ways, actually. The simplest is to right click on the secure icon in the address bar of your secure site, and view the certificate information there. A more comprehensive report can be retrieved from http://www.sslshopper.com/ssl-checker.html – this will tell you just about everything you need to know about your certificate.
Tony Rossetti February 6, 2014 at 5:56 pm
Got it. Thanks,
T.Rob May 3, 2015 at 2:23 pm
Please add an article with the procedure for installing certificates that are purchased privately. In the meantime, I’ll open a ticket with the request. Thanks!
James Davey May 4, 2015 at 5:38 am
Hello,
That article would be pretty short, as all you need to do is fill out the SSL Installation form under the AddOns tab in Backstage. Don’t order a new one, but request that one be installed.
T.Rob May 6, 2015 at 12:36 am
Awesome! Thanks! Perhaps that article, short as it may be, might explain how the private key gets deployed to the server? Because the SSL Installation form seems to assume the CSR was generated locally and there’s no place to put the key file.
James Davey May 6, 2015 at 5:13 am
Hello,
In that case, simply submit what you have, and our team will contact you requesting the rest :)
Xavier September 18, 2015 at 7:36 am
Hello,
Are you (Site5) considering supporting the new initiative “Let’s Encrypt”:
https://letsencrypt.org/
Supposedly it should be a painless (and free) way to add a SSL certificate to a website.
Thanks.
James Davey September 18, 2015 at 8:20 am
Hello Xavier,
We have looked at it and discussed it internally. It is quite interesting, but there are no plans to implement it in the near future. As with all technology and methods, however, we are watching it with interest, and may move toward it in the future.
John Colley February 9, 2016 at 6:28 pm
Now that letsencrypt.org is in public beta, have there been any further conversations about offering support for their SSL services?
James Davey February 10, 2016 at 5:21 am
We are still monitoring the technology to make sure it is right for us and our users. It certainly is interesting, and we hope to have an announcement on this soon.
James March 11, 2016 at 2:21 am
Letsencrypt has issued 1 million certs in just over 3 months… https://letsencrypt.org/stats/
That’s impressive. Hope Site5 are getting closer to their announcement.
James Davey March 14, 2016 at 5:22 am
Hello James,
It is impressive, yes. However, implementing this is not a simple matter. It requires a review of how the technology interacts with the server setup, thorough testing, and deployment to a production server fleet.
We are aware of the desire for this, and we are not ignoring that. However, when we implement new tools we like to make sure they do not adversely affect the services we already offer.
John Colley March 14, 2016 at 9:33 am
Mr. Davey,
While it is very important to perform the testing and have an evaluation period for deploying new systems at large scale, we would really enjoy seeing Site5 commit by adding #letsencrypt to an official blog post or roadmap, else we remain less informed and have no way of knowing when we might utilize their very important free SSL service without having to switch hosting providers.
James Davey March 15, 2016 at 5:25 am
Hello John,
As soon as we have some concrete information on this for you, we will make an announcement.
Micah B May 21, 2016 at 5:15 am
I support “Let’s Encrypt” too and wish to see it deployed widely on Site5.com along with an upgrade to TLS 1.2, but understand Site5 needs to be ready to deploy and not rush into it.
Although I have been willing to pay for certificates for a couple of my domains I have many others that I would only if certificate free.
I guess I would have to pay for an ip address unless set up servers to do TLS/https on shared ip which most clients support now.
Give it a year or two and I am sure site5 will deploy. I would be tempted to move to host that offered this but hassle will stop me for a while. For my needs for now sticking with site5 is what I choose, as I have little time for messing with my hosting, and site5 has been pretty reliable for several years I have used them.
Vitor October 5, 2015 at 5:23 pm
It’s kind of crazy in Brazil are paid R $ 30.00 by COMODO Positive SSL ($ 7).
Ai, installation of Site5, I am required to pay more than double.
If it were 1 fixed amount for unlimited installations, I would agree. But $ 15 per installation, this is a bit expensive.
$ 1 = R $ 4.51 (BRL).
James Davey October 6, 2015 at 5:17 am
Hello Vitor,
The $15 charge is applied only on the first installation – renewing your certificate incurs no charge. When initially installing the SSL certificate, a dedicated IP address must be assigned and tested, then the certificate installed and verified. There is a shared SSL certificate available, if you do not wish to pay this installation fee.
David McGarva October 22, 2015 at 10:27 pm
I’m looking at the information posted 18 months ago on https://www.site5.com/blog/s5/heartbleed-openssl-security-issue/
What’s the progress with installing TLS 1.2? Accountservergroup now rates a C on ssllabs.com.
Corey Mahon October 23, 2015 at 9:48 am
Hi David! We are still working on adding TLS 1.2 support on our servers at this time. Unfortunately, we do not have an ETA on full deployment but we will be sure to notify all of our clients of this upgrade when it is enabled in the relatively near future!
Wade Phillips November 24, 2015 at 11:44 am
Is there a timeline in place for upgrading to TLS 1.2? It looks like we’re approaching a time where PCI compliance will no longer be possible with TLS 1.0 (4-1-2016).
Wade Phillips November 24, 2015 at 11:49 am
I’m sorry that should actually be no more TLS 1.0 on 6-30-2016.
James Davey November 24, 2015 at 12:15 pm
Hi Wade,
I do not have a strict timeline on this, no. We are aware of the pressing need for this, though, and you should expect this sooner rather than later.
amHammock July 1, 2016 at 4:34 pm
What is the status of TLS 1.2 support? Site5 is no longer PCI Compliant as of yesterday June 30, 2016:
https://blog.varonis.com/ssl-and-tls-1-0-no-longer-acceptable-for-pci-compliance/
We are seeing errors in iOS 9 accessing our site via https, even though Site5 has installed our 2048 bit SSL cert and it was all running successfully yesterday. We are not processing payments on the website, but apparently iOS 9 is using PCI Compliance standards with its App Transport Security requirements for https traffic and throwing an error.
You can test any website to see the security protocol versions with:
https://www.ssllabs.com/ssltest/
Our website on Site5 is still using TLS 1.0. Note that backstage.site5.com supports TLS 1.2
Please upgrade your customer accounts to use the required TLS 1.2 security protocols for PCI Compliance and Apple Transport Security
Corey Mahon July 4, 2016 at 8:20 am
We are currently in the progress of migrating all accounts to new, upgraded servers. The new servers are supporting TLS 1.2. If your site and server are still showing that TLS 1.0 is the version, you are most likely on an older server still and will be upgraded in the very near future!