SSL Certificates

What Is An SSL Certificate?

An SSL certificate is a digital encryption key that performs two essential functions for online communications:

1. It ensures that the data being exchanged by the client computer and the server is encrypted so that only the sending and receiving computers can read that information that is exchanged.
2. An SSL certificate ensures that the website that the client is connected to is who they say they are.

An SSL certificate is what allows a normal web address to be used as a secure web address e.g.

From this http://www.memset.com   to->   HTTPS://www.memset.com

SSL certificates are therefore an essential part of online transactions where secrecy is necessary.

What Host Name Should I Use?

A host name is the domain name plus a beginning that is entered into the address bar of a browser to get to a website. The domain name without any beginning can also be a hostname. All of the following are examples of valid hostnames:

example.com
www.example.com
shop.example.com
mail.example.com
ftp.example.com
secure.example.com

Hostnames are important because SSL certificates are very closely tied to the hostname that they are created for. Exactly how they are associated is explained in the next section

When choosing which hostname you want for the certificate you should consider which part of the site needs to be secure e.g. the shopping section, all of the site, the online mail panel etc, and what is the address that is used to access that section.

For most sites that run on a single server, all of the sites are accessed via the classic www + domain. Indeed this is how all of the client-facing Memset sites are accessed. However, for some larger sites, the shop or email section is moved to a different server which is accessed via a different hostname to the rest of the site. If you have any doubts regarding what hostname you need please do not hesitate to contact the support team at ​support@memset.com.

Standard Vs Wildcard Certificates

Memset offers two types of SSL certificates: standard and wildcard. The difference between them is that number of hostnames that they will work for. They both offer exactly the same high level of security.

Standard Certificates

A standard certificate that is ordered for the domain name without any prefix such as:

example.com

Will be valid for the domain name and also www + domain i.e.:

example.com
www.example.com

However, if a standard certificate is ordered for any other host name such as:

mail.example.com

Then the certificate will only be valid for that hostname and no other. It is, therefore, important to get the hostname correct at the time of ordering as changing the hostnames is difficult and time consuming once the certificate has been issued.

Wildcard Certificates

A single wildcard certificate work for a much larger number of hostnames. They will work for the hostname supplied and one prefix before it. However, this prefix can be any valid prefix. For example, if a wildcard certificate is ordered for the following hostname:

*.example.com

All of the following hostnames will work:

shop.example.com
mail.example.com
asdfasdf.example.com
AnythingYouWantHere.example.com

as will anything else you want to put before the domain will all work. However, please note that a wildcard certificate will only support a first level subdomain i.e. a single word before the domain, and no more. The following is an example of an unsupported hostname:

level1.level2.example.com

Wildcard certificates are a cost effective option for large organisations that have many subdomains that all need securing with an SSL certificate.

Ordering Process

The creation of an SSL certificate requires information about the individual or organisation that the certificate will be assigned to. Also, an additional piece of documentary proof is also required to be submitted in order to prove the order is legitimate. This information and the document is how the SSL certificate guarantees that the site belongs to who they claim to be.

Shortly after placing the order for the SSL certificate on the Memset website an email will be sent that requests both information to be encoded into the certificate and additional information for the order process.

Information To Be Placed In The Certificate

• Contact Name
• Contact Email Address (eg. ​someone@yourcompany.com)
• Full Postal address (Street, Town/City, County, Postcode, Country)
• Hostname (eg. www.yourcompany.com)

If the certificate is for a company then this information should be the same as is listed on the company certificate of incorporation. In the case of individuals, the current address is sufficient.

Information For The Registration Process

• Password
• Verification Email Address. This will be one of the following for a certificate under example.com:
  • ​admin@example.com
  • ​administrator@example.com
  • ​hostmaster@example.com
  • ​postmaster@example.com
  • ​webmaster@example.com

The verification email address will be used for an email sent directly from our SSL provider; Comodo, to an email address at the domain that the SSL certificate is being issued for. This is a further security measure used to ensure that the SSL certificate order is authorised by someone at the organisation.

Once the above information is received and the verification email answered affirmatively the certificate will be issued to Memset. The certificate will then appear in your Memset account and will be downloadable from there.

Please note, an SSL certificate order takes a few working days to complete as there are several manual steps involved in the order process.

Installation

Included in the registration fee is installation. All you need to do is to respond to the email from Memset telling you that the certificate is ready requesting that it be installed and a Memset engineer will get that done for you and confirm when the certificate is installed and working.

Renewal

Memset will automatically send out a notification a few weeks before the expiry of the certificate in order to ensure the new certificate is registered and installed before the old one expires.

Unlocking your SSL certificate's private key

When the SSL certificate registration process has completed the SSL certificate, private key and CSR are available for download from your Memset account. However, the private key is encrypted and password protected. This means that every time that a web server such as Apache or Nginx (re)starts a password has to be entered on the command line before your site can be served. This can be quite inconvenient as any unplanned restart of the server or the web server will take the website offline. For this reason, private SSL keys are usually stored on the server unlocked.

if you wish to install an unlocked SSL private key then follow the steps below to obtain an unlocked version.

Save a local copy of the locked private key

A copy of the locked private key must be saved as a simple text file on the computer that you intend to unlock the key on. This could be your desktop or the server that serves the site.

The private key is displayed in your Memset account from where it can be copy and pasted. Log into your Memset account and browse the Overview page for the SSL certificate. This can be found at:

Account Overview -> Services -> SSL Certificate

That page will show you a list of all the SSL certificates in your account. Click on the View link for the certificate you wish to obtain the private key for.

This page will show you the three parts to your SSL certificate:

1. Encrypted Private Key
2. Certificate
3. Certificate Signing Request

The private key is the first show. Copy everything between and including the:

-----BEGIN RSA PRIVATE KEY-----

-----END RSA PRIVATE KEY-----

tags. Alternatively, click on the Copy to clipboard button, shown here:

If you are using Windows you must use Notepad. This is because any formatting or modifications to the information will render the key useless. If you are using linux then use either a command line text editor a desktop text editor such as gedit or kate for the same reason.

Obtain the private key's password

The private key is locked with a password which is set by Memset during the registration process. In order to obtain the password, you must first click on the Send password link button shown under the key on the View page for the SSL certificate:

Clicking on this will email you a link to a private page under you Memset account. This page will display the password. You should copy the password into your password manager for safe keeping.

When you have a local copy of the locked private key and the password jump to the section below that is appropriate for your computer's operating system.

Linux

The instructions in this section are the same for either a linux server or a linux laptop. If you are going to use the SSL certificate on a linux server then the following command will work remotely on the command line via SSH.

The command that is used to unlock the key openssl and takes the following arguments to unlock the key:

openssl rsa -in encrypted.key -out plain.key

This is the same command but with www.example.com.locked.key and www.example.com.key as the locked and unlocked keys respectively:

openssl rsa -in www.example.com.locked.key -out www.example.com.key

This command will create the new key file and place the unlocked key into it. This unlocked private SSL key can now be used with a web server.

If you have unlocked the key on your laptop or desktop it is a good idea to store it in your password manager and delete the unlocked key file.

Windows

OpenSSL is required to unlock the private key but it is not installed by default on Windows systems. A Windows OpenSSL installer can be found here:

​http://gnuwin32.sourceforge.net/packages/openssl.htm

Select the Setup package on the Complete package, except sources line:

Download the package and run the installer.

This will create a new directory under C:\Program Files on 32-bit Windows or C:/Program Files (x86) on 64-bit windows.

In order to make life easier, it is a good idea to create a temporary working directory at C:/tmp/ and copy the encrypted key file into it using Windows explorer.

The OpenSSL program that is used to unlock the key can only be used from the command prompt. A command prompt can be opened by pressing the windows key + r. In the dialogue box that appears type:

cmd.exe

as shown here:

and click OK.

This will open a Windows command prompt. You now must navigate to the directory where OpenSSL was installed to. One of the following commands will do this:

Windows 32-bit
cd C:/Program Files/GnuWin32/bin

Windows 64-bit
cd C:/Program Files (x86)/GnuWin32/bin

If you are unsure where OpenSSL has been installed use the Windows Explorer (Windows key + e) to check both locations.

Unlocking the key is achieved with the following command. It must be run from the OpenSSL install directory and with full paths to both the locked key file and the output, unlocked file:

openssl rsa -in locked.key -out unlocked.key

This is what the command looks like if the locked key file has been saved in C:/tmp/ and the unlocked key to also be saved to C:/tmp/

openssl rsa -in C:/tmp/www.example.com.locked.key -out C:/tmp/www.example.com.key

When the command is run you will be prompted for the key’s password. You should copy and paste it into the command prompt window by right-clicking on the title bar, moving the cursor down to Edit and selecting past:

The unlocked key will be stored into the file listed after the -out part of the command. This should be stored somewhere secure such as your password manager and then deleted from your computer.