An SSL certificate is one of those things that can seem complicated to set up but is relatively simple and quick once you know the process.
The first step is to purchase your certificate. There are a lot of vendors out there selling SSL certificates, often including your own hosting provider. Some of the sources we used in the past with great rates on certificates include https://www.ssls.com and https://cheapsslsecurity.com.
You’ll notice that there are several options for SSL certificates which may seem overwhelming at first, but I’ll break it down for you.
The encryption itself is the same across the various SSL certificates, typically 2048- or 4096-bit, which will effectively encrypt data transfer on your website. The variance in certificates and price comes down to the trust level.
The 3 Certificate Levels
A DV (domain validated) certificate is a base-level certificate that is ideal for general websites where you don’t primarily deal with e-commerce or sensitive customer information. The only validation requirement is to verify ownership of the domain name, so these are typically deployed within minutes of providing the verification and show a basic level of trust to your site visitors.
The next level up would be an OV (organization validated) certificate that is ideally suited for e-commerce websites and to demonstrate a higher level of trust to your users which they will see if they view the certificate details in their browser. To validate your certificate, you have to provide information about your business itself and proof of ownership which can take up to a few days as the verification will be done manually and typically through a phone call to your business number.
The highest level of SSL is an EV (Extended Validation) certificate that provides the highest level of trust and also adds the green bar with your company name next to your domain URL in the address bar. The verification process is similar to that of an OV certificate, but they will ask for more information about your business and may need to verify your physical location or bank account in some cases.
Generating a Certificate
After you purchase a certificate, the vendor will ask you to provide a CSR (certificate signing request) to receive your certificate. The CSR needs to be generated by you and there are a few options on how to go about it:
Through Your Hosting Provider
If your hosting provider uses cPanel, which is the case more often than not, you just need to navigate to the security section and click on SSL/TLS.
From there, click on Generate, view, or delete SSL certificate signing requests.
On the following page, fill out the required fields (these will appear publicly with your certificate). A passphrase is typically not necessary unless your vendor requests it. For the domain field, make sure you input your domain without the http:// or www. (for ex. lakedesign.co). Then click generate.
Once your CSR is generated, you will see an encoded and decoded CSR. Copy the entire encoded block, from -----BEGIN CERTIFICATE REQUEST----- to -----END CERTIFICATE REQUEST-----, including both marker lines. This is your CSR that you will need to input at the SSL vendor when purchasing your certificate.
Then scroll down the page and you will see both an encoded and decoded key. Copy the encoded RSA key somewhere where you can grab it later because you will need it when it comes time to install your certificate.
Store both your CSR and RSA keys somewhere secure where you can find them later, because if you ever need to re-issue your certificate or migrate hosts, you will need the RSA private key to re-install the certificate. Also, when it comes time to renew your certificate, you can use the same CSR instead of generating a new one.
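The same key and CSR pair can also be produced and checked with the OpenSSL command line, which is useful for confirming that a stored CSR still belongs to the key you kept. This is an added example, not part of the original tutorial; the function names and output file names are assumptions.

```bash
# Added example: generate and check a key + CSR with the OpenSSL CLI.
# Function names and file names are illustrative, not cPanel's.

# Reduce user input to the bare domain (no scheme, no "www.", no path),
# as the tutorial asks for in the domain field.
bare_domain() (
    d="${1#http://}"; d="${d#https://}"; d="${d#www.}"
    printf '%s\n' "${d%%/*}"
)

# make_csr <domain> <outdir>: writes <domain>.key and <domain>.csr.
# -nodes leaves the key without a passphrase, matching the cPanel default.
make_csr() (
    domain="$(bare_domain "$1")"
    umask 077    # the private key must be readable by its owner only
    openssl req -new -newkey rsa:2048 -nodes \
        -keyout "$2/$domain.key" -out "$2/$domain.csr" \
        -subj "/CN=$domain" 2>/dev/null
)

# check_csr <csr> <key>: the CSR parses and verifies, and it carries the
# public half of this private key (so the pair can be reused at renewal).
check_csr() (
    openssl req -in "$1" -noout -verify >/dev/null 2>&1 || exit 1
    k="$(openssl pkey -in "$2" -pubout 2>/dev/null)" || exit 1
    c="$(openssl req -in "$1" -noout -pubkey 2>/dev/null)" || exit 1
    [ -n "$k" ] && [ "$k" = "$c" ]
)

# Usage: make_csr lakedesign.co "$HOME/ssl" &&
#        check_csr "$HOME/ssl/lakedesign.co.csr" "$HOME/ssl/lakedesign.co.key"
```

Only the .csr file goes to the vendor; the .key file stays on your side until the install step.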
Validating Your Domain
After you input your CSR at the vendor, the vendor will then ask you for your preferred method of validating the domain, which includes the following:
- Email Verification
- File Based Verification
- Domain Registrar Verification
Email verification is one of the simpler options if you have easy access to creating an email address at your domain, ex. email@example.com.
You will need to have or create one of the following emails (It has to be exactly one of these 5 emails):
If you are able to do so, then you can select email verification and you will receive an email at one of the 5 aforementioned addresses that you specify at the vendor, and then simply click the link within the email to verify ownership.
If you don’t have the option to create one of those emails without a large hassle or paying extra, then you can use one of the other verification methods.
File-based verification is relatively simple and only requires you to have access to your web files, either through the file manager in your cPanel or FTP, so you can upload a file.
If you select File Verification as your preferred validation method, the vendor will provide you with a file to download and upload to your server which can be done following these steps:
In your cPanel, you can navigate to the Files section and click on File Manager. Inside you will see several folders, double-click on public_html to open it:
By default, hidden files/folders are hidden, so check your Settings on the top right of the page and check the box to enable Show Hidden Files if it’s unchecked:
After you enable hidden files, you may see a folder named .well-known appear. If it doesn’t, you will have to create it by clicking on the add folder button on the top left:
Make sure you type it exactly as .well-known with the period and the lowercase letters.
Once the folder is created, or if it already exists, double-click the folder to enter it.
Inside you should see a folder called pki-validation. If it doesn’t exist, you will have to create it again using the same method.
Double-click to enter the pki-validation folder, and here is where you will need to upload the file the vendor provided you to download. To upload a file, just click the Upload button at the top of the page.
Drag your file or select it from your computer to upload it. Once the upload is complete, you are all set for validation.
Domain registrar verification is a bit more complicated. It involves adding a TXT record to your DNS records, which can also be done through your hosting cPanel.
You need to scroll down to the Domain section and find Advanced DNS Editor. If you don’t have that option, then you will not be able to use this verification method. If you do, then you can click Add a TXT record and add the values provided by your vendor.
One Last Thing
The vendor will also typically ask you what kind of server you will be installing the certificate on, which, unless you know the specific server, will often just be Apache open-ssl (the default option they provide).
After that, you should be able to submit your request, and now you simply need to wait as your domain is validated through one of the methods you chose. If you chose a DV certificate, this will typically happen within 10 minutes.
When your certificate is ready, you will receive an email with your certificate and your vendor will typically have a download link available through their website.
Installing The Certificate
Once you receive your certificate, it will typically be in the encoded code format similar to your CSR and RSA private keys and found within the content of your email. There will also be a .zip file attached that you can download.
Often there will be a CA Bundle included as well.
To install your certificate, navigate to the security section of your cPanel where you had to generate your CSR, click on SSL/TLS, and this time click on Manage SSL sites.
On the following page, scroll down to where you will see the fields asking for your domain and the certificate:
Select your domain from the drop down and then paste your encoded certificate from the email into the CRT textbox field, and also your encoded RSA private key that you generated earlier.
You don’t need to worry about the certificate bundle field, as those are generally automatically detected, but you can input the encoded CA bundle there that you received in the email if you prefer.
Then simply click on install certificate and you are all set.
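Before pasting the certificate and key into the install form, it is worth confirming that the two belong together, since a key from a different CSR is a common reason an install is rejected. The checks below are an added example, not part of the original tutorial; the function names are assumptions and the file arguments stand for the certificate from your vendor and the key you saved earlier.

```bash
# Added example: pre-install checks on an issued certificate (OpenSSL CLI).
# Function names are illustrative.

# The certificate must carry the public half of the private key you kept.
cert_matches_key() (
    k="$(openssl pkey -in "$2" -pubout 2>/dev/null)" || exit 1
    c="$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null)" || exit 1
    [ -n "$k" ] && [ "$k" = "$c" ]
)

# The certificate must name the domain you will pick in the drop-down.
cert_covers_host() {
    openssl x509 -in "$1" -noout -checkhost "$2" 2>/dev/null | grep -q 'does match'
}

# The certificate must still be valid <days> days from now (default 0 = now).
cert_valid_for() {
    openssl x509 -in "$1" -noout -checkend "$(( ${2:-0} * 86400 ))" >/dev/null 2>&1
}

# preinstall_check <cert> <key> <domain>: prints "ok" or the first failed check.
preinstall_check() {
    cert_matches_key "$1" "$2" || { echo "key does not match certificate"; return 1; }
    cert_covers_host "$1" "$3" || { echo "certificate does not cover $3"; return 1; }
    cert_valid_for "$1"        || { echo "certificate has expired"; return 1; }
    echo "ok"
}

# Usage: preinstall_check lakedesign.co.crt lakedesign.co.key lakedesign.co
```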
The Final Step – Switching Your Site to use HTTPS
After you install the certificate onto your domain, the final step is to switch your site over from using http:// to use https:// instead.
If your site is built on WordPress, this is very easy to do using the Really Simple SSL plugin. Just install and activate the plugin, navigate to the settings for the plugin, and follow the steps to activate SSL (which is essentially just one click).
And that’s it! Now your site will automatically redirect your users to the https:// URL and users will see the padlock showing that your site is secure.