SSL generated from cPanel

iworms · #1 03-07-2006, 02:49 AM

I just got a swamp account, and have a few questions about SSL. I want SSL for my sites not so much for identity as for encryption, so I don't really need expensive, CA-issued certificates. I would like to use a self generated certificate such that people can type https://www.mydomain.com, get one or more warning(s) and click "Accept." To me, this is better than https://gatorXX.hostgator.com/~mydomain.

Now cPanel can generate certificates and these are (I believe) self signed. My questions are:

1. Is HostGator willing to install my self-signed certificates?
2. Do I still need dedicated IP? (Browser warning is no problem)
3. The installation fee ($20?) is unavoidable since I can't install it myself, right?
4. Can this be done to addon domains also? i.e. https://www.addon.com instead of https://gatorXX.hostgator.com/~mydomain/addon.

Thank you! Hopefully you don't find these questions stupid. If you do, that's because I'm new to using hosting service, not to mention SSL.

Serra · #2 03-07-2006, 02:11 PM

You can pay the $20.00 to have HG install it (Which I think is now down to $10.00). Or you can pay $75.00 for HG to install and purchase one for you.

The self signed certificate is a big pain, I'd buy a trusted certificate and use that, they are fairly cheap and have it installed for $10.00.

Quote:

4. Can this be done to addon domains also? i.e. https://www.addon.com instead of https://gatorXX.hostgator.com/~mydomain/addon.

No. One certificate per cPanel, so if you are a reseller, you can have as many as you wish, with a single cPanel account like the swamp, you may only have one SSL, but it can be on an addon if you wish.

iworms · #3 03-07-2006, 05:23 PM

Thank you so much Serra. After hours of learning (i.e. googling) I now understand the whole SSL business better. Here I include some explanations for those clueless who are searching the forum (like I was last night):

1. One SSL enabled site per IP: this is nonnegotiable. It is how SSL works. This is what www.ourshop.com/resources/ssl.html says:

Quote:

Though your SSL certificate is bound to your fully qualified domain name (encrypted into the certificate request and registerd when you purchase your certificate) web servers link the certificate to the IP address. The result is that if you attempt to have more than one SSL certificate associated with the same IP address (in the case of virtual hosting) you may get undesired results.

2. The default port for SSL is 443. A compromised way to have more certificates on one IP is to point each additional site to a different port. But then these additional sites will only work if you type https://www.additional.com:xxx where each site has a unique port number xxx. I imagine this is nontrivial to setup, so I'm not sure if HG will do it (though I didn't ask).

3. With the knowledge from above, shared SSL means that everyone hosted at the same IP address will use the server's certificate. Furthermore, because SSL happens before HTTP, https://username.com is not gonna work; you must use https://ServerNameOrIP/~username.

4. More about shared SSL: I guess because everyone hosted on a server can use the shared SSL, this certificate is unlikely CA-issued --- no way to verify identity. So the browser will warn that the certificate is not trusted.

5. In order to use your own SSL ceretificate, be it self signed or trusted (CA signed), the site must have its own IP. In other words you need Dedicated IP ($2 /month).

6. Just like the shared SSL, your Dedicated IP will only make https://primarydomain.com possible. If you have a wildcard certificate, then https://anything.primarydomain.com will also work. Addon domains, however, will not look so pretty. Since addon domains are hosted under the primary domain as folders, subsequently they all have the same IP, https://addon.com won't work. However https://primarydomain.com/addon is fine since it is referencing to the primary domain.

Please feel free to point out errors or make suggestions.

Serra · #4 03-07-2006, 07:38 PM

Great info!

Thanks.

Parafly9 · #5 03-08-2006, 08:49 AM

Wait -

One SSL per IP. I have a reseller account I just got into. Don't all my accounts fall under the same IP? Does this mean only one of my clients can have a dedicated SSL cert under their specific domain name? I am confused...

#6 03-08-2006, 09:01 AM

Quote:

Originally Posted by Parafly9

Wait -

One SSL per IP. I have a reseller account I just got into. Don't all my accounts fall under the same IP? Does this mean only one of my clients can have a dedicated SSL cert under their specific domain name? I am confused...

Yes and no, all of your accounts can have there own IP addresses. And to even have an SSL it has to be a dedicated IP. Which is 2 dollars a month.

saiff · #7 01-10-2007, 01:15 PM

It appears then that HG provides a wildcard SSL cert. Is this correct.
We have a semi-dedicated account with HG are desparately trying to make this work. Here is our situation. Any help is very much appreciated.

We have the primary domain of www.primary.com and HG installed the SSL cert so https://www.primary.com is currently valid

We have a couple add-on domains www.addon1.com and www.addon2.com

When somebody visits www.addon1.com and enters their credit card to purchase something, we want to just show the www.addon1.com domain name and NOT https://addon1.primary.com/anyextension if humanly possible. Same thing with addon2

From talking to a couple places and doing some google searching, it appears this may not be possible but there is not too much info available for this.
Is there any way to mask the url so that only the addon names show in the url for the secure pages. Alternatively, can we only display the ip address of the primary domain such as https://ipaddress/addon1 (or some variation of that) or any other solution using mod rewrite or something else to make this work.
We cannot move to a reseller plan (as I realize this will provide a solution for SSL) because we need all the addon domains to share the same files so they all have to be on the same cpanel.

All help is greatly appreciated. Thanks in advance.

slapshotw · #8 01-10-2007, 06:25 PM

The domain in the address bar has to exactly match the domain on the certificate-- there is no way around this. If they don't match, the user will have a secure connection, but they will have a pop-up warning.