WHM, Cpanel and SSL (Basic Help)

I have a dedicated server running centos/whm with cpanel. I have 10 accounts on a shared ip and then 2 others on seperate dedicated ips (those 2 of which im not worried about).

The shared ip site accounts all have to deal with the "untrusted/unverified site" prompts in regards to their security certificate when accessing email, cpanel etc securely, which is whatever whm/cpanel does by default.

I would like to get a step by step guide as to what I need to do to install a security certificate that will be trusted for the accounts on a shared ip. Please, total noob to this aspect of server stuff so reply accordingly if you could.

I am totally new to ssl and my googling and cpanel forum trawling has only confused me more. Is it not possible to get a certificate that can work for a shared ip server?

I appreciate the assist!
aiwazzAsked:
Who is Participating?

[Product update] Infrastructure Analysis Tool is now available with Business Accounts.Learn More

x
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Dave HoweSoftware and Hardware EngineerCommented:
In general terms, it isn't possible to get an SSL certificate that is *guaranteed* to work for more than one domain, when listening on the same IP and same port.

There are routes, but most of these aren't guaranteed to work, require multiple ports, require all the domains to share a common root, or some combination of the above.

Ok, from the top then.

first option is to give each SSL site on the shared IP its own port. So instead of using 443 (the default) you assign 444, 445 etc. The urls then look like

https://<name of host>:<nonstandard port>/

which is a pain to give someone, but of course all the http sites can still share port 80, so provided your https use model doesn't require that users are able to just type https://<name of host>/ and get straight there (but click a link or a bookmark) it works ok. You might also find that some web proxies will not permit connections to other than 443 (anti evasion measure) so some users are going to have issues.

Second option, wildcard certificates.
These are only usable if all the sites share the format https://<name of server>.<your domain>/ so that a certificate of the format *.<your domain> will match on the * for all your sites.

Third option, microsoft style multi-host certificates
These are called Subject Alternative Name (SAN) certificates, and are increasingly supported in modern browsers:
http://www.digicert.com/subject-alternative-name.htm

downside is that they aren't supported in ALL browsers, and in fact some will flag it as a security violation, ignore all but the primary (non SAN) name, or both.

Final option: get separate IPs on your hosting.
This is often cheaper than SAN or wildcard certificates (for which CAs charge a LOT) and some hosting centers bundle the first 5 IPs with the basic package (and are quite reasonable for further allocations) - Certainly the budget provider I use (10ukp/month) gives 5 IPs in the basic vhost package.
0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
aiwazzAuthor Commented:
Very informative and full explanation, i really appreciate it and thank you for taking the time! I may try a wildcard but I see that d ip is the way to go. Cheers!
0
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Networking

From novice to tech pro — start learning today.