Secure Hosting

From DreamHost

Introduction

DreamHost allows you to set up Secure Hosting for any domain/sub-domain that you are hosting (under any active paid hosting plan). Secure Hosting lets visitors/customers access that domain/sub-domain using the SSL protocol, which encrypts the data transmitted between their web browser and your web site. This is most often used for web sites that are doing eCommerce (selling products/services over the Internet). The reason for the increased security is to protect the privacy of the personal, confidential, financial or billing (credit card) information that visitors/customers transmit over the Internet.

NOTE: Secure hosting is one of the most complicated features that we provide (aside from the various programming languages). This Wiki article will try to help introduce you to the terminology, technology, policies and procedures that are used to set it up and get things working properly. It's kind of like a "white knuckle" ride; scary the first time, but you get used to it the more you do it! ;-) I would recommend reading over this whole page several times if necessary until it starts to sink in. However, if you do have any questions, feel free to open a Support Request and ask us. See this section for detailed instructions on how to do that properly.

Announcement

Effective March 27, 2009 we will no longer be purchasing new or renewing signed SSL certificates through GeoTrust.

All new and renewed signed SSL certificates will be purchased directly from DreamHost SSL!

The main reasons for making this change:

  • It's easier! Completely automated ordering, renewal, and installation, right from our panel!
  • What!? You needed more reasons than that!? Come on!

DreamHost SSL signed certificate specifications;

  • Domain validated certificate (single)
  • 1024 bit Industry Standard SSL Certificate
  • Trusted by all popular Browsers
  • 99.3% Browser Compatibility
  • 128/256 bit encryption
  • Support (via e-mail & web)

Terminology

Transport Layer Security (TLS) and its predecessor, Secure Sockets Layer (SSL), are cryptographic protocols that provide secure communications on the Internet for such things as web browsing, e-mail, faxing, instant messaging and other data transfers. There are slight differences between SSL 3.0 and TLS 1.0, but the protocol remains substantially the same.

Considerations and Caveats

The Secure Hosting service that we provide for our customers does NOT support "wildcard" (*.mydomain.com) type SSL certificates. That means that each domain or sub-domain that you want to set up secure hosting on will require its own unique IP address and SSL certificate. Please don't contact support asking "when will you provide support for wildcard SSL certificates?", it's probably never going to happen. Sorry.

As stated above, secure hosting is set up on a domain/sub-domain basis. Although normal (insecure) hosting can be configured to accept connections for both "http://www.mydomain.com/" AND "http://mydomain.com/", secure hosting does not work the same way. When you set up secure hosting it will only accept connections for "https://www.mydomain.com/" OR "https://mydomain.com/", but not both. When someone attempts to connect to the wrong one they will get an SSL certificate "domain mismatch" error. And that's not good!

Some customers set up a completely new sub-domain to host their secure site (ie: "https://secure.mydomain.com/"). They may not even set up a regular/insecure hosting option for that sub-domain. Or they may set up a "redirect" option for the regular hosting that redirects connections to the secure hosting instead. However, this type of set up can be difficult to manage, and most modern shopping cart applications (like Zen Cart, which is one of our One-Click Installs) don't require a separate domain. It's actually easier to configure when the secure hosting is on the same domain as the main catalog site.

For simplicity's sake our recommendation is to set up secure hosting that is consistent with your main domain's hostname.

For example, it's best if your main domain is configured to work either with or without the "www" sub-domain. Since the "www" sub-domain prefix is quite outdated already I would personally recommend using your domain name without "www". You can update the hosting configuration for the regular/insecure hosting of your domain on our CONTROL PANEL by going to menu option (DOMAINS > MANAGE DOMAINS). Click on the "Edit" link under the "Web Hosting" section. If your domain is currently configured to be "fully hosted" you'll see the options on that page to select whether or not you want to use Both, add "www", OR remove "www". If you select either add "www" OR remove "www", requests will actually work both ways but will be rewritten internally by the Apache process to whatever you have the domain configured to use. This is perfectly safe to use, unless you have installed software on that domain that is configured internally to rewrite its URL to use the opposite of what you've just selected. The trick here is to reconfigure your installed software (ie: WordPress, Joomla, ZenCart, etc.) to use the URL you intend to use. Then update the hosting configuration in our control panel to match. Once you've done that you're golden!

Now that you've got your regular/insecure domain set to use with OR without "www" you can set up your secure hosting to match. This will keep things nice and consistent. Consistency is a very good thing!

NOTE: Our (DreamHost SSL) signed SSL certificates do provide an extra feature that DOES allow it to work for both with OR without "www" automatically. However, it is recommended that you still set up your secure hosting for the correct domain and not fall-back on this feature to catch any mistakes.
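
To see which of the two hostnames a given certificate actually covers, the following added example (not DreamHost tooling) uses the openssl command line. The function names and file names are assumptions, and the two test certificates for "mydomain.com" are generated on the spot.

```shell
#!/bin/sh
# Added example: report whether a certificate is valid for the bare domain,
# the "www" name, or both. Needs the openssl command-line tool.

# Exit 0 if the PEM certificate in $1 is valid for hostname $2.
covers() {
    openssl x509 -in "$1" -noout -checkhost "$2" 2>&1 |
        grep -q 'does match certificate'
}

# Print both, bare-only, www-only or neither for certificate $1 and bare domain $2.
www_coverage() {
    bare=no; www=no
    covers "$1" "$2" && bare=yes
    covers "$1" "www.$2" && www=yes
    case "$bare$www" in
        yesyes) echo both ;;
        yesno)  echo bare-only ;;
        noyes)  echo www-only ;;
        *)      echo neither ;;
    esac
}

# Constructed test material in directory $1: one self-signed certificate that
# names only mydomain.com, and one that lists both names as alternative names.
make_certs() {
    openssl genrsa -out "$1/k.pem" 2048 2>/dev/null || return 1
    openssl req -new -key "$1/k.pem" -subj "/CN=mydomain.com" \
        -out "$1/r.csr" 2>/dev/null || return 1
    printf 'subjectAltName=DNS:mydomain.com,DNS:www.mydomain.com\n' > "$1/san.ext"
    openssl x509 -req -in "$1/r.csr" -signkey "$1/k.pem" -days 30 \
        -out "$1/bare.crt" 2>/dev/null || return 1
    openssl x509 -req -in "$1/r.csr" -signkey "$1/k.pem" -days 30 \
        -extfile "$1/san.ext" -out "$1/both.crt" 2>/dev/null
}

tmp=$(mktemp -d) && make_certs "$tmp" && {
    echo "bare.crt: $(www_coverage "$tmp/bare.crt" mydomain.com)"
    echo "both.crt: $(www_coverage "$tmp/both.crt" mydomain.com)"
}
rm -rf "$tmp"
```

A result of "bare-only" or "www-only" means visitors using the other name get the "domain mismatch" error described above.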

NOTE: Setting up secure hosting on your domain does not mean all web traffic will necessarily be encrypted! Whether your web traffic is encrypted or not depends on what protocol you use (which is determined by the URL). For example, if you go to "http://mydomain.com/" (using the "http" protocol) your traffic will NOT be encrypted. Any directory you access (URI) under that domain (while using the "http" protocol) will not be encrypted. However, if you go to "httpS://mydomain.com/" (using the "httpS" protocol) your traffic WILL be encrypted as well as any directory (URI) you access. The S in "httpS" was capitalized just to make it stand out. The capitalization of the protocol doesn't matter. What this all means is that you can specify what gets encrypted by specifying which protocol to use in your URL (links). You can configure your shopping cart software (or whatever you want to use encryption) to use "https" when things should be encrypted (like taking personal and credit card information) and to use "http" for everything else, like your sales catalog, etc. Shopping cart software will build the links automatically according to the configuration you specify.

If you have not already done so you'll need to add a unique IP address to the domain/sub-domain that you want to set up secure hosting in. You can add one before setting up secure hosting or you can add it during the secure hosting set up process. Whenever you add or remove a unique IP address the DNS information for your domain will have to be updated to reflect this change. As with all DNS changes it can take between 4-72 hours for the DNS changes to fully propagate throughout the Internet. If your domain is configured to use our name servers for DNS resolution (NS1.DREAMHOST.COM, NS2.DREAMHOST.COM & NS3.DREAMHOST.COM) this change is usually transparent. We continue to keep the original hosting services active for 5 days on the old IP address so that there is no down-time during the DNS change propagation. After 5 days the old hosting services are automatically disabled leaving only the new services operational using the new unique IP address. This all happens behind the scenes so you don't really have to worry about it. But many customers ask about this so I figured I'd put it in the Wiki to answer their question. If however there are any problems with the new or old hosting services when DNS changes are made don't hesitate to open a Support Request. See this section for detailed instructions on how to do that properly.

If you're NOT using our name servers for your DNS then you'll need to update your name servers with the new IP address that was assigned to your domain.

  1. Log into our CONTROL PANEL.
  2. If you have more than one sub-account accessible, select the proper sub-account as the "Active Account". NOTE: If you have only one sub-account you can skip this step.
  3. In the left-hand menu column select (DOMAINS > MANAGE DOMAINS).
  4. Click on the "DNS" link for the domain/sub-domain in question. All of the current DNS information for that domain will be listed on that page.

Private keys are used to encode (amongst other things) Certificate Signing Requests (CSRs), which in turn are used to generate SSL certificates. The private key is something that should be kept very private (obviously). This is one of the ways that public key encryption is used to keep things secure. Only an SSL certificate that was generated from a CSR that was encoded with your private key can be installed on our server. If the SSL certificate and private key don't match, the installation will fail. Since all communication with our control panel is itself encrypted, our control panel is a perfectly safe and absolutely necessary place to keep your public keys.

Costs and Requirements

In order to set up secure hosting a unique IP address is required for the domain/sub-domain.

Don't want to pay for unique IPs? [Vote up the suggestion] to leverage new Apache features that eliminate this need! Until that happens though...

Our costs are as follows;

  • Monthly - $3.95
  • Yearly - $47.40

When the unique IP address is added you have the option to select which billing option you'd like.

NOTE: For customers with our OLD "Strictly Business" and "Strictly Business for Non-Profits" hosting plans you're entitled to one free unique IP address per year. This free unique IP address will be applied to the FIRST unique IP address you set up. You can still purchase additional unique IP addresses and they will be charged at the regular rates. The renewals each year for that unique IP address will be free (as long as you maintain a "Strictly Business" hosting plan).

The unique IP address service will auto-renew at the end of its term (monthly or yearly) and the new charge applied to your account.

A FREE private key, Certificate Signing Request (CSR) and self-signed SSL certificate are automatically generated by our control panel and installed for you when you initially set up your secure hosting.

The FREE self-signed SSL certificate will provide excellent encryption. However, most web browsers will give a certificate warning message saying that the certificate is self-signed and might not be trustworthy. Potential customers will probably be put off by this warning and will not want to do business with your site if they get any certificate warnings/errors. If you intend to do business over the Internet, especially if you're going to take payments electronically then it is strongly recommended that you get/use a signed SSL certificate for your secure hosting.

Set Up

Before attempting to set up secure hosting please familiarize yourself with the information in the section Considerations and Caveats above! It's crucial that the initial set up is done correctly as there are some parameters that cannot be changed afterward (without removing and re-adding your secure hosting configuration).

To set up secure hosting on a domain/sub-domain;

  1. Log into our CONTROL PANEL.
  2. If you have more than one sub-account accessible, select the proper sub-account as the "Active Account". NOTE: If you have only one sub-account you can skip this step.
  3. In the left-hand menu column select (DOMAINS > MANAGE DOMAINS).
  4. Click on the wrench "Add" link (under the "Secure Hosting" section) for the domain/sub-domain in question.
  5. Fill in the fields appropriately and choose the options you want.
  6. Once that's done click on the "Add now!" button at the bottom of the form.

The system will use the information you provided to create a FREE private key, a Certificate Signing Request (CSR) and self-signed SSL certificate. They will be filled in the text fields on that form for you.

The FREE self-signed SSL certificate will provide excellent encryption. However, most web browsers will give a certificate warning message saying that the certificate is self-signed and might not be trustworthy. Potential customers will probably be put off by this warning and will not want to do business with your site if they get any certificate warnings/errors. If you intend to do business over the Internet, especially if you're going to take payments electronically then it is strongly recommended that you get/use a signed SSL certificate for your secure hosting.

Follow this link for step-by-step instructions with screen shots!

Purchasing a Signed SSL Certificate

There are several options if you'd like to replace the self-signed SSL certificate that we originally provide with a signed SSL certificate that will NOT give warning/error messages.

Option 1

"I want to purchase a signed SSL certificate from DreamHost SSL."

First, Set Up the secure hosting service itself. Our system will automatically create a private key, Certificate Signing Request and self-signed SSL certificate for you. See the Set Up section above for detailed instructions.

Step 1 Once you have the secure hosting service set up you can go back to (DOMAINS > MANAGE DOMAINS) in our control panel.

Step 2 Click on the "Certificates" link under the "Secure Hosting" section for the domain in question to enter the order/renewal interface.

Step 3 Check the radio button labeled "Use a professionally signed certificate" and fill in the fields as necessary. This information is used to generate the Certificate Signing Request that will be used to generate your new signed SSL certificate. The current private key installed in the control panel will be used to generate the Certificate Signing Request.

You can then select the term you'd like for your signed SSL certificate (1, 2 or 3 years are available).

Our cost is:

  • 1-year $15.00

NOTE: For customers with our OLD "Strictly Business" and "Strictly Business for Non-Profits" hosting plans you're entitled to one free signed SSL certificate per year. This free SSL certificate will be applied to the FIRST signed SSL certificate you attempt to purchase (each year). You can still purchase additional signed SSL certificates and they will be charged at the regular rates.

Step 4 Once you've got the form filled out properly click on the "Save changes now!" button at the bottom of the page. Within an hour you should receive an Order Approval e-mail (from support@dreamhost.com) to the Domain Control Validation address you selected. NOTE: If the domain is currently registered with us, the Domain Control Validation e-mail step is not necessary. You can skip to Step 6 bypassing the approval step completely.

Step 5 Click on the link contained in the e-mail and copy/paste the confirmation code in order to confirm the order on that web page. You should receive a confirmation that the order has successfully been approved.

Step 6 Within about 2 hours of successfully approving the order your new signed SSL certificate (and intermediate certificate) should have been installed automatically in our control panel. If you go back and click on the "SSL Cert" icon you should see your certificate details listed, which indicates the update was SUCCESSFUL. You should also receive another e-mail with your new SSL certificate information as a final confirmation. The confirmation e-mail will go to the WebID's contact addresses though, not to the approval e-mail address. This way it shows up in your account support history (in the control panel under (SUPPORT > SUPPORT HISTORY)).

Step 7 Test access to the secure hosting. You may need to refresh your browser if you get any certificate warning messages. If everything is OK then you're done!

However, if you do run into any problems submit a Support Request via our control panel and ask for assistance. See this section for detailed instructions on how to do that properly.

When the term for your signed SSL certificate is getting close to expiring we'll send you renewal notices. You can then follow this same procedure to renew it again if you want. See the Renewals Section for more information.

Option 2

"I want to purchase a signed SSL certificate from some other Certificate Authority."

If you'd rather purchase a signed SSL certificate from some other Certificate Authority you can do that too. You'll need the Certificate Signing Request (CSR) that was generated by our control panel in order to purchase a signed SSL certificate. You can copy that from our control panel, here's how...

  1. Go to menu option (DOMAINS > MANAGE DOMAINS)
  2. Click on the "Certificates" link (under the "Secure Hosting" section) for the domain in question.
  3. Click on the "Manual Configuration" radio button to expose the current certificate information. You'll see several large text fields on that page.
  4. COPY (not cut) the text from the Certificate Signing Request field.
  5. You'll need to paste that into the order form with whatever Certificate Authority you'd like to purchase your signed SSL certificate from.

IMPORTANT: When purchasing a signed SSL certificate you'll need to specify the server type. To use the SSL certificate on our servers you'll need to specify server type = "Apache w/MOD_SSL". Once you have successfully completed your purchase they will send you your signed SSL certificate. You can then replace the self-signed SSL certificate that we provided with this signed SSL certificate via the control panel. See the instructions in this section for details: How To Update Your Certificate.

Option 3

"I already have my own signed SSL cert I purchased elsewhere."

If you already have your own private key, Certificate Signing Request (CSR) and signed SSL certificate (in PEM format) you could install them yourself during the initial secure hosting set up process. Just check the appropriate option on the sign up page and paste that information into the appropriate fields. If you already have your secure hosting set up you can replace the information in our control panel.

IMPORTANT NOTE: If you already have a signed SSL certificate but do NOT have the corresponding private key then you will NOT be able to install it on our servers.

How To Update Your Certificate

Ignore the installation instructions provided by your Certificate Authority! We have simplified the procedure considerably!

You can update your SSL certificate yourself quickly and easily via our control panel.

  1. Log into our CONTROL PANEL.
  2. If you have more than one sub-account accessible, select the proper sub-account as the "Active Account". NOTE: If you have only one sub-account you can skip this step.
  3. In the left-hand menu column select (DOMAINS > MANAGE DOMAINS).
  4. Click on the "Certificates" link (under the "Secure Hosting" section) for the domain in question.
  5. Click on the radio button labeled "Manual configuration".
  6. Paste the new SSL certificate text into the "Certificate" box. Overwrite the existing certificate text! NOTE: Be sure to include everything, including the "-----BEGIN CERTIFICATE-----" & "-----END CERTIFICATE-----" lines!
  7. Use the vertical scroll bars to view the entire contents of the "Certificate" box. Make sure that you have only one certificate installed. If not re-paste the proper certificate and verify again.
  8. If they also provided you with an intermediate certificate (or bundle file) you can install that yourself by pasting that into the "Intermediate Certificate" box (at the bottom of the page). Be sure to include everything, including the "-----BEGIN CERTIFICATE-----" & "-----END CERTIFICATE-----" lines, and there may be several of them so make sure to copy them ALL!
  9. Click on the "Save changes now!" button to make the change. If there are no errors the new certificate should be pushed out to the live servers within 15 minutes or so.
  10. Give the system about 15 minutes to push these changes to the live servers then you can test your site to see if everything is OK. You will need to refresh your web browser if you accessed the site before performing the update! If you don't refresh you'll probably pull up a cached version of the site from before you updated the SSL certificate.

However, if you do run into any problems submit a Support Request via our control panel and ask for assistance. See this section for detailed instructions on how to do that properly.

NOTE: If you get the error message "key does not match cert" that means that the SSL certificate you're trying to install does not match the private key that is currently installed. This typically means that the Certificate Signing Request that was used to purchase the SSL certificate was not generated with the private key that is in the panel. See the Troubleshooting section below for more information on how to resolve this problem.
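
The match between private key, CSR and certificate can be checked on your own machine before anything is pasted into the panel. This is an added example, not DreamHost's own tooling: it compares the public key contained in each file with the openssl command line and also confirms the certificate text holds exactly one certificate. Function and file names are assumptions, the private key is assumed to be unencrypted, and the test files are generated on the spot.

```shell
#!/bin/sh
# Added example: check that a private key, a CSR and a certificate belong
# together. Needs the openssl command-line tool.

# Print the SHA-256 of the public key held in a PEM file.
# $1 = kind of file (key|csr|cert), $2 = path
pub_digest() {
    case "$1" in
        key)  pem=$(openssl pkey -in "$2" -pubout 2>/dev/null) ;;
        csr)  pem=$(openssl req  -in "$2" -noout -pubkey 2>/dev/null) ;;
        cert) pem=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) ;;
        *)    return 2 ;;
    esac
    [ -n "$pem" ] || return 2   # unreadable, or not the kind of file claimed
    printf '%s\n' "$pem" | openssl dgst -sha256 -r | cut -d' ' -f1
}

# $1 = private key, $2 = CSR, $3 = text destined for the "Certificate" box.
# Prints one line and exits 0 only when all three belong together.
check_set() {
    count=$(grep -c -- '-----BEGIN CERTIFICATE-----' "$3" 2>/dev/null || true)
    [ "${count:-0}" -eq 1 ] || {
        echo "certificate box holds ${count:-0} certificates, expected 1"; return 1; }
    k=$(pub_digest key "$1")  || { echo "cannot read private key"; return 1; }
    r=$(pub_digest csr "$2")  || { echo "cannot read CSR"; return 1; }
    c=$(pub_digest cert "$3") || { echo "cannot read certificate"; return 1; }
    [ "$k" = "$r" ] || { echo "CSR was not made with this key"; return 1; }
    [ "$k" = "$c" ] || { echo "key does not match cert"; return 1; }
    echo "key, CSR and certificate match"
}

# Constructed test material in directory $1: two unrelated key pairs (a, b),
# each with its own CSR, plus a self-signed certificate for key "a".
make_fixture() {
    for name in a b; do
        openssl genrsa -out "$1/$name.key" 2048 2>/dev/null || return 1
        openssl req -new -key "$1/$name.key" -subj "/CN=mydomain.com" \
            -out "$1/$name.csr" 2>/dev/null || return 1
    done
    openssl x509 -req -in "$1/a.csr" -signkey "$1/a.key" -days 30 \
        -out "$1/a.crt" 2>/dev/null
}

tmp=$(mktemp -d) && make_fixture "$tmp" && {
    check_set "$tmp/a.key" "$tmp/a.csr" "$tmp/a.crt" || true  # matching set
    check_set "$tmp/b.key" "$tmp/b.csr" "$tmp/a.crt" || true  # cert made for another key
}
rm -rf "$tmp"
```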

NOTE: If you're not comfortable with updating the signed SSL certificate yourself (using the instructions provided above) you can submit a Support Request and ask us to install your SSL certificate for you. See this section for detailed instructions on how to do that properly. Just paste the text of the SSL certificate (and intermediate certificate if one was provided) from your Certificate Authority into your support request and we'll install it for you. There is no charge for this service!

Renewals

SSL certificates DO NOT auto-renew by default!

Certificate Authorities will send expiration/renewal reminders to the admin address about 30/60/90 days before the certificate's expiration date. This is to let you know that you MUST take action to renew the SSL certificate.

NOTE: If you purchased a signed SSL certificate from us the billing will auto-renew at the end of its term and the new charge will be applied to your account. However, the SSL certificate itself will NOT auto-renew! See the instructions below for information on how to renew it.

NOTE: If you decide you don't want to renew the signed SSL certificate through us just submit a Support Request asking that we cancel that service and we will cancel it and refund the charge. See this section for detailed instructions on how to do that properly. When your SSL certificate expires web browsers will get a certificate error when the site is accessed and encryption will no longer function! Visitors to your secure hosting service will get a SSL certificate error in their browsers.
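
Since reminder e-mails can be missed, the expiry date can also be checked directly from a copy of the certificate. This is an added example, not DreamHost tooling: it uses the openssl command line to place a certificate in the same 30/60/90-day windows. Function and file names are assumptions, and the sample certificate is generated on the spot.

```shell
#!/bin/sh
# Added example: place certificates in the 30/60/90-day reminder windows.
# Needs the openssl command-line tool.

# Print expired, 30, 60, 90 or ok for the PEM certificate in $1.
# Exit status: 0 = more than 90 days left, 1 = inside a window, 2 = unreadable.
renewal_window() {
    openssl x509 -in "$1" -noout >/dev/null 2>&1 || { echo unreadable; return 2; }
    for days in 0 30 60 90; do
        # -checkend N exits non-zero when the certificate expires within N seconds
        if ! openssl x509 -in "$1" -noout -checkend $((days * 86400)) >/dev/null 2>&1; then
            if [ "$days" -eq 0 ]; then echo expired; else echo "$days"; fi
            return 1
        fi
    done
    echo ok
}

# One line per certificate: window, expiry date, file name. Exits non-zero if
# any certificate is unreadable, expired or inside the 30-day window.
renewal_report() {
    urgent=0
    for cert in "$@"; do
        w=$(renewal_window "$cert") || true
        end=$(openssl x509 -in "$cert" -noout -enddate 2>/dev/null | cut -d= -f2)
        printf '%-10s %-26s %s\n' "$w" "${end:--}" "$cert"
        case "$w" in expired|30|unreadable) urgent=1 ;; esac
    done
    return "$urgent"
}

# Constructed test certificate: $1 = output file, $2 = validity in days.
make_cert() {
    keyfile=$(mktemp) || return 1
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$keyfile" \
        -subj "/CN=mydomain.com" -days "$2" -out "$1" 2>/dev/null
    rc=$?
    rm -f "$keyfile"
    return "$rc"
}

tmp=$(mktemp -d) && make_cert "$tmp/mydomain.crt" 45 &&
    renewal_report "$tmp/mydomain.crt" || true
rm -rf "$tmp"
```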

NOTE: If you find that GeoTrust continues to send you unnecessary renewal notifications just let us know and we'll contact them and have them disable this.

There are two ways to renew your signed SSL certificate;

Option 1

You can renew your signed SSL certificate by purchasing a renewal from us (DreamHost SSL).

Basically it's the same procedure as purchasing a new signed SSL certificate. See the Purchasing a Signed SSL Certificate Option 1 section above for information and instructions on how to process an order via our control panel. Since you already have your secure hosting set up you can proceed to "Step 1". The system should already recognize that your current SSL certificate is going to expire soon and will process a renewal order for you. Once the order has been approved it will install your renewed SSL certificate into our control panel automatically.

Option 2

Renewing your SSL cert with another Certificate Authority.

If you want to renew it with another Certificate Authority you just need to copy the Certificate Signing Request that's currently in our control panel and use it to initiate the renewal process with them. You can access your Certificate Signing Request in our control panel.

  1. Log into our CONTROL PANEL.
  2. If you have more than one sub-account accessible, select the proper sub-account as the "Active Account". NOTE: If you have only one sub-account you can skip this step.
  3. In the left-hand menu column select (DOMAINS > MANAGE DOMAINS).
  4. Click on the "Certificates" link (under the "Secure Hosting" section) for the domain in question.
  5. Click on the radio button labeled "Manual configuration".
  6. COPY all of the text from the Certificate Signing Request field. NOTE: Be sure to include everything, including the "-----BEGIN CERTIFICATE REQUEST-----" & "-----END CERTIFICATE REQUEST-----" lines!
  7. Paste the Certificate Signing Request into your Certificate Authority's control panel to purchase a signed SSL certificate from them.
  8. When prompted make sure to select server type = "Apache w/MOD_SSL".
  9. Once your Certificate Authority has provided you with your signed SSL certificate you can install it yourself via the control panel. See the instructions in this section for details How To Update Your Certificate.

NOTE: If you find that there is no Certificate Signing Request available in the control panel for that domain please see this section Regenerating a CSR (below) for instructions on how to replace it.

Regenerating A CSR

There are two ways to regenerate a CSR (Certificate Signing Request);

Option 1

We can MANUALLY create a new CSR for you using the current private key that you have in the control panel for your secure hosting configuration. You'll just need to supply us with some information to complete the process. Submit a Support Request via our control panel and ask that we recreate a CSR for you with the information you provide. See this section for detailed instructions on how to do that properly.

Please provide us with the following information;

  • Country Name (2 letter code):
  • State or Province Name (full name - no abbreviations!):
  • Locality Name (eg, city):
  • Organization Name (eg, company name):
  • Organizational Unit Name (eg, company section name):
  • Common Name (eg, SECURE DOMAIN NAME - include "www" if necessary):
  • Email Address:

Once you receive the new CSR file, you can install it via your Control Panel; click the "Certificates" link under the "Secure Hosting" section for the domain in question. Click on the radio button labeled "Manual configuration" and paste the CSR text in its entirety into the Certificate Signing Request field. Then click on the "Save changes now!" button at the bottom of the page.

You can then use this new CSR to order/renew a signed SSL certificate with another Certificate Authority if you like.

Option 2

Step 1 Go to menu option (DOMAINS > MANAGE DOMAINS) in our control panel.

Step 2 Click on the "Certificates" link under the "Secure Hosting" section for the domain in question to enter the order/renewal interface.

Step 3 Check the radio button labeled "Use a self-signed certificate" and fill in the fields as necessary. This information is used to generate the Certificate Signing Request that will be used to generate your new signed SSL certificate.

NOTE: Do NOT do this if you are already using a signed SSL certificate for this domain! If you do, the system will create a NEW private key, self-signed SSL certificate and Certificate Signing Request for that domain. You will NOT be able to use the previous signed SSL certificate again for this domain as the new private key will not match the one that was originally used to generate your signed SSL certificate! Use the procedure outlined in "Option 1" (above) to regenerate the CSR for this domain.

Certificate Authorities

If you have chosen not to purchase a signed SSL certificate from us (DreamHost SSL) here is a (non-exhaustive) list of SSL Certificate Authorities;

I'd recommend checking with them to find the best price. Also note that the specifications for all SSL certificates are NOT the same. You have to compare features as well as prices to see what is the best value.

You can copy the Certificate Signing Request (CSR) from that field in our control panel and use it to purchase your signed SSL certificate from another Certificate Authority if you have not chosen to purchase one from us. When prompted make sure to select server type = "Apache w/MOD_SSL" when purchasing your signed SSL certificate. Once your Certificate Authority has provided you with your signed SSL certificate you can install it yourself via the control panel. See the instructions in this section for details: How To Update Your Certificate.

Troubleshooting

Contacting Support

If you do find a problem that you cannot resolve you can contact support for assistance. It's very important that when you submit a support request that you select the proper support "category" that reflects that you're having a problem with your "secure certificate".

Here's how to properly open a support ticket and select the correct category.

  • Log into our control panel using the WebID that owns the domain that you are having a problem with.
  • Select menu option (SUPPORT > CONTACT SUPPORT).
  • Always read any notices that may be listed at the top of the page. There could be a system-wide problem that is already being addressed that is causing the problem. If that's the case then you don't need to contact support for this issue.
  • (Step 1/5) If there is no system-wide problem that is causing this problem click on the "Website" option and click "Next".
  • (Step 1/5) Select the domain that is having a problem (if the domain in question is listed twice the "secure hosting" will be the 2nd one listed) and click "Next".
  • (Step 2/5) Review the information from the previous step, if all is correct click "Next".
  • (Step 3/5) If no results in the next step provide an explanation for the problem, click "Next".
  • (Step 4/5) Click on the "Show All Categories" link and scroll down. Select the option (E-Commerce > Secure Certificate) and click "Next".
  • (Step 5/5) In the "Subject" field enter "SSL certificate" and a very brief description of the problem (ie: "domain mismatch error").
  • In the "Message" field enter a more detailed description of the problem.
  • Update the other fields as necessary and click the "Send Message Now" button (at the bottom of the page) to complete the process.

A technical support specialist will investigate the problem and get back to you within 24 hours (usually much less than that).

Here's how to withdraw a pending support request.

If you find that you've resolved the problem yourself, it resolved on its own or for whatever other reason you no longer require support for this issue, you can withdraw your support request from the system (provided a support specialist has not already begun to investigate the problem).

  • Log into our control panel using the WebID that you used to submit the support request originally.
  • Select menu option (SUPPORT > CONTACT SUPPORT).
  • Under the "Open Tickets" section you'll see all of the current open support requests under your WebID.
  • Click on the "Withdrawal Message" link (under the "Actions" section) for the support request in question.
  • That's it, the message has been withdrawn from the system.
