Solved

Installing SSL certificate for dedicated server

Posted on 2011-09-15
Last Modified: 2013-11-08
Hi,
I need to install a cheap SSL certificate on my dedicated server (cPanel/WHM).
Now how does it work?
I was looking at RapidSSL and they have various offers. I know I can install it on one IP (one domain). But what if I need to have all my 8 IP addresses covered? One of those IP addresses belongs to the shared hosting (many accounts/domains). What would the best choice be then? Probably that wildcard SSL option, right? But this probably covers just one IP with multiple domains (shared hosting), correct?
Thanks.
J.
0
Question by:janime
26 Comments
 
LVL 7

Expert Comment

by:CSorg
ID: 36542154
How would you be using those other IP addresses related to your domain name? I assume you would be using different records for those. What services are you handing out to the public side?
0
 

Author Comment

by:janime
ID: 36545419
Hello CSorg, I have done some research and I am aware of what SSL is needed for. Ecommerce transactions, secure membership areas, secure FTP downloads, etc.
So let's take a look at these:
1. What kind of certificate do I need for securing the main IP address (shared hosting)? - please recommend a link if you know of any good ones
2. Just one dedicated IP address (one domain)
3. The WHOLE server (everything, all IPs)

Thank you.
J.
0
 
LVL 7

Expert Comment

by:CSorg
ID: 36548414
Most of the time a wildcard is what you would want.

A wildcard is about 10 times the price of a regular single domain name certificate, but in use, a wildcard is much easier.

I have used a wildcard to protect all sorts of services, like sFTP, secure email and RDP over HTTPS connections.

I could only advise an SSL provider which is based in the Netherlands (and it ain't Diginotar! :-) )
0
 

Author Comment

by:janime
ID: 36565051
Well, I was hoping to receive a more "in depth" answer. To wrap it up I end up with a recommendation to use 1 Dutch based SSL. Is that it?
At least, please, could you elaborate on how I go about applying the SSL on my email service?
The instance:
I have 1 domain that has a dedicated IP address. In the WHM/cPanel I can see all the services attached to that domain - email, ftp, db, etc.
Now are you saying that if I can get this wildcard certificate somehow installed, that will protect my email from getting into spam/bulk folders? What did you mean by a "secure email"?
Thanks..
J.
0
 
LVL 11

Expert Comment

by:Marc Dekeyser
ID: 36572147
How to apply the certificate on your email service depends on your server version :) To keep your emails from getting in the spam/junk folder you need more than just a certificate! You need to think about security, SPF, avoiding possible blacklisting... It's a whole plan you need to create for just that one bit of the infrastructure.
0
 
LVL 11

Assisted Solution

by:maeltar
maeltar earned 200 total points
ID: 36572388
Here are a few good tutorials on installing SSL on cPanel:

http://www.instantssl.com/ssl-certificate-support/cert_installation/ssl-certificate-cpanel.html

http://www.geocerts.com/install/cpanel_11

I have used Instantssl http://www.instantssl.com/ many times in the past and found them excellent; their support is also of the highest standard. Should you have any issues installing your certs they will help out from start to finish.
(No, I do not work for them)

As for securing other services with SSL, it IS package dependent, and unless we know exactly what services, versions etc. you are wanting secured it would be difficult to aid.

As Geminon correctly stated, SSL will NOT prevent spam etc. SSL only provides a verified encryption method and needs to be applied to the services as required.
0
 
LVL 7

Expert Comment

by:CSorg
ID: 36572730
Those SSL certs offered are way too expensive in my opinion. Have a look at RapidSSL

http://www.rapidssl.com/buy-ssl/wildcard-ssl-certificate/index.html
0
 
LVL 11

Expert Comment

by:maeltar
ID: 36572793
For the wildcard, yes, they appear to be more expensive; however, janime quoted:

2. Just one dedicated IP address (one domain)

So only needs which is significantly cheaper, (but around same cost on both sites)

Notwithstanding, I do not believe cost is the issue here, rather the information or lack of it is the issue.
0
 
LVL 7

Expert Comment

by:CSorg
ID: 36572887
It would be helpful if TS would share some information on what exactly needs to be secured with an SSL cert, and also what/how those services are being provided to the outside world.
0
 
LVL 39

Assisted Solution

by:noci
noci earned 100 total points
ID: 36573220
What happens is this:

You want to access some site:

say: example.com
you get as a response the IP address, say: 192.168.1.1

So you connect to (let's assume default https) port 443 on server 192.168.1.1, and that server gives its certificate,
which is named (Subject/Altsubject in certificate) example.com. Your browser compares the hostname you typed to the one in the certificate and complains if it mismatches, or closes the lock on the browser if it matches.

Now the server can only answer with ONE certificate, and there is no name supplied before it needs to produce its certificate.
So if you model your sites with names like:

site1.example.com
site2.example.com
etc.

you are clearly in trouble with the example.com certificate.
A wildcard certificate (*.example.com) can help to allow those sites,
as browsers will allow for a match of (site1.example.com -> *.example.com).
Obviously example.com does not match *.example.com, so then you need to move the example.com to something else.

If you have many names on the shared hosting server that have no clear pattern you have a challenge.
The certificate is bound to an IP address/TCP port pair.
1) If the address is fixed but you can have multiple ports, then you can use different ports for different certificates.
2) If the ports are fixed, you need to vary IP addresses (so multiple addresses are needed; those can be aliases to
the same system if needed).
3) If both are fixed, only one certificate can be used.
0
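The name comparison described in the answer above, written out as an added example (not code from the thread or from any browser). It assumes the common rule that `*` is honoured only as the entire left-most label and stands for exactly one label; the hostnames and certificate name lists are constructed.

```python
# Added example: which hostnames a certificate's name list covers.
# All names below are constructed sample data.

def name_matches(hostname, pattern):
    """Compare one certificate name with the hostname the client asked for.
    '*' is accepted only as the whole left-most label and matches one label."""
    host = hostname.lower().rstrip(".").split(".")
    pat = pattern.lower().rstrip(".").split(".")
    if len(host) != len(pat):
        return False  # '*' never spans dots and never matches zero labels
    if pat[0] == "*":
        # Refuse over-broad names such as '*.com' and any second wildcard
        fixed = pat[1:]
        return len(pat) >= 3 and "*" not in "".join(fixed) and host[1:] == fixed
    # Partial wildcards such as 's*.example.com' are rejected here
    return "*" not in pattern and host == pat


def cert_covers(hostname, cert_names):
    """True if any name in the certificate matches the hostname."""
    return any(name_matches(hostname, n) for n in cert_names)


def uncovered(hostnames, cert_names):
    """Hostnames that would trigger a mismatch warning with this certificate."""
    return [h for h in hostnames if not cert_covers(h, cert_names)]


if __name__ == "__main__":
    sites = ["example.com", "site1.example.com", "shop.site2.example.com"]
    print(uncovered(sites, ["*.example.com"]))
    print(uncovered(sites, ["*.example.com", "example.com"]))
```

A certificate that lists both `*.example.com` and `example.com` covers the bare domain as well, but names two levels below the wildcard stay uncovered.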
 

Author Comment

by:janime
ID: 36578268
Hello all,
we have a Linux Centos server with WHM/CPanel.
Of course we have around 10 dedicated IP addresses but for now I just need to understand the logic.
So let's narrow it down to 1 IP address (one domain).

For this particular domain with a dedicated IP:
1. after a payment is processed (external 3rd party provider - let's say Clickbank) we need to have our visitor to come back to our secure "thank you" page.
2. how to secure the internal email service for this particular domain /IP address?
I know there are many strings attached - but it is our own dedicated server where we host our own web sites (no other clients or shared web hosting environment).
We definitively do not use it for spam. All I need to know is how to improve our chances to have our emails securely delivered (and avoiding that junk/bulk email folder). I thought the SSL would help us here..
Thank you.
J.
0
 
LVL 11

Expert Comment

by:maeltar
ID: 36578534
It's not the OS that is the issue, it is the installed mail server (Sendmail, Postfix, Exim, qmail etc.), POP3 servers (Dovecot etc.); there are quite a few possibilities that can provide the service, and without that, advice cannot be offered.

I think the default for cPanel is Exim, in which case:

http://www.theperfectarts.com/2009/10/how-to-install-ssl-on-default-serviceshttp-exim-imap-pop3-cpanelwhm/
0

 

Author Comment

by:janime
ID: 36578753
Ok, I checked with my web host support and it is Exim and Courier.
Does that help?
Thanks.
J.
0
 
LVL 11

Expert Comment

by:maeltar
ID: 36578798
That's excellent, just follow the instructions in the link after purchasing the SSL cert from the provider you decide upon.

http://docs.cpanel.net/twiki/bin/view/AllDocumentation/WHMDocs/InstallCert
0
 
LVL 39

Expert Comment

by:noci
ID: 36578844
Maybe you need to look into S/MIME. Mail messages are not encrypted. You are seeking to just secure the traffic for the FIRST hop (that's the one you control), his ISP at least gets a readable message text.

So either GPG/PGP or S/MIME encrypted mail will be readable for the receiver only.
S/MIME uses certificates tied to the mail addresses, GPG/PGP use a known signature based approach.

For S/MIME that client also needs a personal certificate.
0
 
LVL 22

Assisted Solution

by:chakko
chakko earned 50 total points
ID: 36580158

When you get an SSL certificate, normally you don't deal with any IP addresses.  You need to supply the correct host.domain.name (or names if more than 1) for the SSL.  You can move an SSL to a different server with different IP address (if you want to or need to), so the SSL certificate isn't really tied to any IP address.  (note:  you can specify an IP address in the SSL certificate, but I don't think this applies to your situation).


For helping to make sure that your emails don't get stuck at a spam filter or incorrectly marked/tagged as spam, then an SSL certificate for your email is not going to help with this.  When you say you want your email securely delivered, what do you mean?  
Do you want a high percentage of successful deliveries? (i.e. you want to reduce the chance of your email being flagged as SPAM?)
If that is the case then I would recommend trying to use an SMTP relay service such as AuthSMTP (or is it SMTPAuth?) for mail delivery.  I am guessing that your hosted server has had some problems with being flagged as a potential SPAM source in the past.  So, using a Relay service may improve your delivery success since those companies (my guess) actively work to keep their systems off of any SPAM blacklists.
0
 

Author Comment

by:janime
ID: 36591157
Ok, thank you for the answers. So if I want to just install an SSL for email I must tie it up to the server name - host.xyzserver.com? Correct? Or is it still that specific domain/account?
I understand now that there's more behind the "email delivery" than I thought.
J.
0
 
LVL 11

Expert Comment

by:maeltar
ID: 36591311
A standard SSL server is for one domain only, including subdomain, so yes, it would be tied to the subdomain.

Quote from Rapid SSL :

You can either spend a lot of money and time purchasing and managing individual certificates for all of your subdomains or you can save hundreds or even thousands of dollars by securing your multiple subdomains under one single Wildcard SSL certificate by Comodo. Save yourself the time of managing multiple SSL certificates and streamline the process with a Comodo Wildcard SSL that will secure all of your subdomains under a single manageable SSL certificate.

For example: If you own www.yourdomain.com and have seven subdomains such as secure.yourdomain.com, mail.yourdomain.com, etc., it could cost around $1,700 per year to install multiple SSL certificates to cover all your subdomains. Compare that to a single Comodo Wildcard SSL certificate securing your top level domain and multiple subdomains for as little as £522.47 per year.


0
 

Author Comment

by:janime
ID: 36591424
Ok - again, you mean the main server subdomain host.xyzserver.com, right?
Thanks.
J.
0
 
LVL 11

Assisted Solution

by:maeltar
maeltar earned 200 total points
ID: 36591430
The subdomain is :

xyz

Domain is

domain.com

so a subdomain of domain.com is

xyz.domain.com

So to secure say

smtp.domain.com requires a unique cert
pop.domain.com requires a unique cert
www.domain.com also ......
0
 
LVL 11

Expert Comment

by:maeltar
ID: 36591434
Sorry, misread your post

host.xzydomain.com

in that case host is the subdomain
0
 
LVL 13

Accepted Solution

by:
LinuxGuru earned 150 total points
ID: 36592088
Hi,

Just follow the steps listed below to keep your emails out of spam/junk.

1. Use a dedicated IP address. (Make sure that the dedicated IP address is used for your email. By default WHM/cPanel servers use the server's main shared IP for email. You have to enable the option in WHM or set the mail IP in the /etc/mailips file.)
2. Also you need to set rDNS (reverse DNS) for that IP, i.e. you need to point the mail IP to the hostname of the server. (It may look like host.domainname.com. Please note that you need to contact your hosting provider to set up rDNS.)
3. After that you need to set up SPF records for the domain name. Check the following URLs for details regarding SPF.

http://www.openspf.org/
http://old.openspf.org/dns.html

If you are not sure, please contact your hosting provider and they will setup this for you.
0
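A check of steps 2 and 3 above for one sending IP, as an added example that is not part of the original answer. It runs over constructed DNS data (documentation addresses, hypothetical names) and evaluates only the `ip4` and `all` SPF mechanisms; a real record may also use `a`, `mx`, `include` and others, which this block skips.

```python
import ipaddress

# Constructed sample DNS answers; names and addresses are hypothetical.
DNS = {
    "PTR": {"203.0.113.10": "host.example.com", "203.0.113.11": "unknown.invalid"},
    "A": {"host.example.com": ["203.0.113.10"]},
    "TXT": {"example.com": ["v=spf1 ip4:203.0.113.10 ip4:198.51.100.0/24 -all"]},
}

def fcrdns_ok(ip, dns=DNS):
    """Step 2: the PTR name of the mail IP must resolve back to that IP."""
    name = dns["PTR"].get(ip)
    return name is not None and ip in dns["A"].get(name, [])

def spf_record(domain, dns=DNS):
    """Return the domain's single v=spf1 TXT record, or None if absent/ambiguous."""
    recs = [t for t in dns["TXT"].get(domain, []) if t.lower().split()[:1] == ["v=spf1"]]
    return recs[0] if len(recs) == 1 else None

def spf_ip4_result(ip, domain, dns=DNS):
    """Step 3: walk the record left to right; the first matching term decides."""
    rec = spf_record(domain, dns)
    if rec is None:
        return "none"
    qualifiers = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
    addr = ipaddress.ip_address(ip)
    for term in rec.split()[1:]:
        qual = "+"  # default qualifier when none is written
        if term[0] in qualifiers:
            qual, term = term[0], term[1:]
        mech = term.lower()
        if mech.startswith("ip4:"):
            if addr in ipaddress.ip_network(mech[4:], strict=False):
                return qualifiers[qual]
        elif mech == "all":
            return qualifiers[qual]
    return "neutral"

def mail_ip_report(ip, domain, dns=DNS):
    """Combine both checks for the IP that outgoing mail leaves from."""
    return {"fcrdns": fcrdns_ok(ip, dns), "spf": spf_ip4_result(ip, domain, dns)}

if __name__ == "__main__":
    for ip in ("203.0.113.10", "203.0.113.11"):
        print(ip, mail_ip_report(ip, "example.com"))
```

An IP that shows `fcrdns: False` or an SPF result other than `pass` is the one to fix before looking at anything else in the delivery path.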
 

Author Comment

by:janime
ID: 36596932
Thank you guys for your answers. It helped! J.
0
 

Author Closing Comment

by:janime
ID: 36596939
Thank you for the insight!
0
