Why do I need an SSL certificate?
With standard web traffic (HTTP), all the traffic between the server and browser is unencrypted. This means that anyone on the network path between the two can view the data. For most webpages this is fine, but if you are transferring sensitive data or you need to enter a username and password, you could be at risk.
By enabling HTTPS on your webserver, all data, including usernames and passwords, will be encrypted. However, encrypting the data is only half of the job, as it would still be possible for someone to set up a spoof website masquerading as the real server that intercepts the traffic, decrypts it and then sends it on (known as a man-in-the-middle attack). To stop this happening, the web browser checks the validity of the server it is connecting to by looking at the certificate presented by the server and seeing whether it has been issued by a known authority (a list of which is built into each web browser). If the certificate is not 'official', the visitor will get an error in their browser warning them that the site is insecure, and it will be inconvenient for them to proceed.
Therefore, it is strongly recommended that an SSL certificate is purchased (we are a Thawte partner) and installed on the webserver at the same time as enabling HTTPS.
NetManager from Precedence allows you to hide other internal webservers behind its firewall and webserver, meaning that, in many cases, only one SSL certificate is needed for all web services. This is known as reverse proxying.
Ordering (REQUIRED READING)
Our range of Thawte SSL certificates and their prices can be found in the Internet services section of our website.
For all requests, you will need to ensure that you can receive mail for one of the following email addresses (so that you can read the approval email):
(where myschool.lea.sch.uk is the domain part of the subdomain being secured. So, for instance, if the SSL certificate is to be for remote.myschoolname.org, then the email address must be one of the above @myschoolname.org). Please let us know which of the above addresses are usable, as without this we cannot order the SSL certificate. Note that root@, ssladmin@ and sslwebmaster@ are no longer acceptable email addresses.
The above should be sufficient for domain-authenticated certificates, but for some types of SSL certificates, a higher level of authentication may be required.
If the SSL certificate is for a NetManager, we will handle configuring the server and generating the relevant requests. We will need the full domain to be secured to configure your server for you. Otherwise, you will need to provide a Certificate Signing Request (CSR), taking note of the following:
- The key must be at least 2048 bits
- The organisation name should match the registered owner of the domain. You can check the registered owner with our Whois service.
- The country must be GB, not UK, and it must be in capitals
- The CSR should correctly match the complete fully-qualified domain name (FQDN) being secured (i.e. remote.myschool.lea.sch.uk not just myschool.lea.sch.uk).
- A wildcard certificate should be for *.myschool.lea.sch.uk (literally beginning with *.)
- Only send us the CSR; do NOT send us your private key (in fact, please ensure that the key is protected and does not leave your site. If you do send us the key accidentally, please destroy it and generate a new key and CSR).
- A certificate is, unless otherwise specified, only suitable for use on one server. To install the certificate on multiple servers, you need to purchase extra licences.
Please also tell us whether the destination server is Microsoft IIS or not.
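The checklist above as a pre-submission check (an added example, not Precedence's or Thawte's own tooling): it generates a 2048-bit RSA key and CSR with the openssl command-line tool, then reads the CSR back and tests key size, country code, organisation and common name. The hostname and organisation are constructed placeholders and the function names make_csr and check_csr are hypothetical.

```shell
#!/bin/sh
# Added example. Hostname and organisation are constructed placeholders.

make_csr() {   # usage: make_csr <fqdn> <organisation> <output-prefix>
    (
        umask 077   # private key is created readable by its owner only
        # -nodes writes the key unencrypted, so the file itself must be protected
        openssl req -new -newkey rsa:2048 -nodes \
            -subj "/C=GB/O=$2/CN=$1" \
            -keyout "$3.key" -out "$3.csr" 2>/dev/null
    )
}

check_csr() {  # usage: check_csr <csr-file> <expected-fqdn>; non-zero if any check fails
    subj=$(openssl req -in "$1" -noout -subject -nameopt multiline) || return 2
    text=$(openssl req -in "$1" -noout -text) || return 2
    # Pull one attribute out of the multiline subject listing
    field() { printf '%s\n' "$subj" | sed -n "s/^ *$1 *= //p"; }
    bits=$(printf '%s\n' "$text" | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p')
    country=$(field countryName)
    org=$(field organizationName)
    cn=$(field commonName)
    rc=0
    [ "${bits:-0}" -ge 2048 ] || { echo "key is ${bits:-?} bits, need at least 2048"; rc=1; }
    [ "$country" = "GB" ]     || { echo "country is '$country', must be GB in capitals"; rc=1; }
    [ -n "$org" ]             || { echo "organisation name is empty"; rc=1; }
    # Exact match: catches a bare domain where the full host name was intended,
    # and a wildcard request that does not literally begin with "*."
    [ "$cn" = "$2" ]          || { echo "CN is '$cn', expected '$2'"; rc=1; }
    return $rc
}

# Demonstration with constructed values, written to a temporary directory.
demo_dir=$(mktemp -d)
make_csr "remote.myschool.lea.sch.uk" "Constructed School" "$demo_dir/remote" &&
    check_csr "$demo_dir/remote.csr" "remote.myschool.lea.sch.uk" &&
    echo "CSR passes the checklist: $demo_dir/remote.csr (send only this file)"
```

The check cannot confirm that the organisation name matches the registered owner of the domain; that still has to be compared against the Whois record by hand.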
You may renew your certificates in advance. The expiry date of the new certificate will be extended to take into account any time you have left on your previous certificate, i.e. if you renew early you will not lose any time.
N.B. On June 27th, 2010, Thawte upgraded its root hierarchy to 2048-bit RSA keys to enhance the security of all SSL products. As a part of this upgrade, all newly issued certificates now require the installation of the new Primary and Secondary Intermediate CAs along with your SSL certificate. These new Intermediate CAs MUST be installed in order for your SSL certificate to be fully trusted in all browsers.
If you are using a NetManager, we can install the certificate (and any required intermediate CAs) for you. For reference, here is the procedure for installation.
For all other server types, please follow the relevant instructions on the Thawte website. Pay particular attention to the instructions on obtaining the correct intermediate CAs for your certificate type (each cert type has different intermediate CAs). For SSL123 certs (our most common single-domain certs), the specific instructions are here.