Go Premium for a chance to win a PS4. Enter to Win

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 777
  • Last Modified:

WHM, Cpanel and SSL (Basic Help)

I have a dedicated server running centos/whm with cpanel. I have 10 accounts on a shared ip and then 2 others on seperate dedicated ips (those 2 of which im not worried about).

The shared ip site accounts all have to deal with the "untrusted/unverified site" prompts in regards to their security certificate when accessing email, cpanel etc securely, which is whatever whm/cpanel does by default.

I would like to get a step by step guide as to what I need to do to install a security certificate that will be trusted for the accounts on a shared ip. Please, total noob to this aspect of server stuff so reply accordingly if you could.

I am totally new to ssl and my googling and cpanel forum trawling has only confused me more. Is it not possible to get a certificate that can work for a shared ip server?

I appreciate the assist!
0
aiwazz
Asked:
aiwazz
1 Solution
 
Dave HoweCommented:
In general terms, it isn't possible to get an SSL certificate that is *guaranteed* to work for more than one domain, when listening on the same IP and same port.

There are routes, but most of these aren't guaranteed to work, require multiple ports, require all the domains to share a common root, or some combination of the above.

Ok, from the top then.

first option is to give each SSL site on the shared IP its own port. So instead of using 443 (the default) you assign 444, 445 etc. The urls then look like

https://<name of host>:<nonstandard port>/

which is a pain to give someone, but of course all the http sites can still share port 80, so provided your https use model doesn't require that users are able to just type https://<name of host>/ and get straight there (but click a link or a bookmark) it works ok. You might also find that some web proxies will not permit connections to other than 443 (anti evasion measure) so some users are going to have issues.

Second option, wildcard certificates.
These are only usable if all the sites share the format https://<name of server>.<your domain>/ so that a certificate of the format *.<your domain> will match on the * for all your sites.

Third option, microsoft style multi-host certificates
These are called Subject Alternative Name (SAN) certificates, and are increasingly supported in modern browsers:
http://www.digicert.com/subject-alternative-name.htm

downside is that they aren't supported in ALL browsers, and in fact some will flag it as a security violation, ignore all but the primary (non SAN) name, or both.

Final option: get separate IPs on your hosting.
This is often cheaper than SAN or wildcard certificates (for which CAs charge a LOT) and some hosting centers bundle the first 5 IPs with the basic package (and are quite reasonable for further allocations) - Certainly the budget provider I use (10ukp/month) gives 5 IPs in the basic vhost package.
0
 
aiwazzAuthor Commented:
Very informative and full explanation, i really appreciate it and thank you for taking the time! I may try a wildcard but I see that d ip is the way to go. Cheers!
0

Featured Post

New Tabletop Appliances Blow Competitors Away!

WatchGuard’s new T15, T35 and T55 tabletop UTMs provide the highest-performing security inspection in their class, allowing users at small offices, home offices and distributed enterprises to experience blazing-fast Internet speeds without sacrificing enterprise-grade security.

Tackle projects and never again get stuck behind a technical roadblock.
Join Now