Why do I need an SSL certificate?
With standard web traffic (HTTP) all the traffic between the server and browser is unencrypted. This means that it is feasible for people between the two to view the data. For most webpages this is fine, but if you are transferring sensitive data or you need to enter a username and password, you could be at risk.
By enabling HTTPS on your webserver, all data, including usernames and passwords, will be encrypted. However, encrypting the data is only half of the job, as it would still be possible for someone to set up a spoof website masquerading as the real server that intercepts the traffic, decrypts it and then sends it on (known as a man-in-the-middle attack). To stop this happening, the web browser checks the validity of the server it is connecting to by looking at the certificate presented by the server and seeing whether it has been issued by a known authority (each web browser has a built-in list of these). If the certificate is not 'official', the visitor will get an error in their browser warning them that the site is insecure, and it will be inconvenient for them to proceed.
Therefore, it is strongly recommended that an SSL certificate is purchased (we are a Digicert partner) and installed on the webserver at the same time as enabling HTTPS.
NetManager from Precedence allows you to hide other internal webservers behind its firewall and webserver, meaning that, in many cases, only one SSL certificate is needed for all web services. This is known as reverse proxying.
Our range of Digicert, RapidSSL and GeoTrust SSL certificates along with their prices can be found in the Internet services section of our website.
For all requests, you will need to ensure that you can receive mail for one of the following email addresses (so that you can read the approval email):
yourdomain.com is the domain part of the subdomain being secured. So for instance, if the SSL certificate is to be for remote.myschoolname.org, then the email address must be one of the above at @myschoolname.org. Please let us know which of the above addresses are usable, as without one we cannot order the SSL certificate. Note: root@, ssladmin@ and sslwebmaster@ are no longer acceptable email addresses.
The above should be sufficient for domain-authenticated certificates, but for some types of SSL certificates, a higher level of authentication may be required.
In addition, to order the cert, we will need:
- Postal address
- Contact name
- Contact email
- Phone number
The named person will get email confirmations of orders and renewals.
If the SSL certificate is for a NetManager, we will handle configuring the server and generating the relevant requests. We will need the full domain to be secured to configure your server for you. Otherwise, you will need to provide a Certificate Signing Request (CSR) taking note of the following:
- The key must be at least 2048 bits
- If possible, the organisation name should match the registered owner of the domain (this may also be referred to as the Registrant Organization). Because of the 2018 GDPR regulations, this data may no longer be retrievable (you can view the public details with our Whois service).
- The country must be GB not UK and this must be in capitals
- The CSR must match the complete fully-qualified domain name (FQDN) being secured exactly (i.e. remote.myschool.lea.sch.uk, not just myschool.lea.sch.uk).
- A wildcard certificate should be for *.myschool.lea.sch.uk (literally beginning with *.)
- Only send us the CSR, do NOT send us your private key (in fact, please ensure this is protected and does not leave your site. If you do send us the key accidentally, please destroy it and generate a new key and CSR).
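As an added example (not part of this page and not Precedence's own tooling), the following POSIX shell script builds a key and CSR that meet the checklist above and then checks any CSR against the same rules before it is sent; the FQDN, organisation name and output paths are placeholders.

```shell
#!/bin/sh
# Added example, not Precedence's own tooling: build a key and CSR that meet
# the checklist above, then check the CSR before it is sent. The FQDN,
# organisation name and output paths are placeholders.
set -eu

# make_csr FQDN ORG OUTPREFIX: writes OUTPREFIX.key (stays on your server,
# never sent to us) and OUTPREFIX.csr (the only file you send).
make_csr() {
  fqdn=$1; org=$2; out=$3
  # rsa:2048 meets the minimum key size; -nodes leaves the key unencrypted
  # so the web server can load it without a passphrase. Subject: C=GB in
  # capitals, O=registrant, CN=the full FQDN or *.domain for a wildcard.
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -keyout "$out.key" -out "$out.csr" \
    -subj "/C=GB/O=$org/CN=$fqdn" 2>/dev/null
  chmod 600 "$out.key"
}

# check_csr CSRFILE EXPECTED_FQDN: prints "ok", or the problems found and
# returns 1. Run this on any CSR, whichever tool produced it.
check_csr() {
  csr=$1; want=$2; problems=""
  # RFC2253 form, e.g. subject=CN=remote.myschool.lea.sch.uk,O=My School,C=GB
  subj=$(openssl req -in "$csr" -noout -subject -nameopt RFC2253 2>/dev/null) \
    || { echo "unreadable CSR"; return 1; }
  subj=",${subj#subject=},"
  case "$subj" in *",C=GB,"*) ;; *) problems="$problems country-not-GB" ;; esac
  case "$subj" in *",CN=$want,"*) ;; *) problems="$problems cn-mismatch" ;; esac
  bits=$(openssl req -in "$csr" -noout -text | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p')
  [ "${bits:-0}" -ge 2048 ] || problems="$problems key-too-small"
  openssl req -in "$csr" -noout -verify >/dev/null 2>&1 || problems="$problems bad-self-signature"
  if [ -z "$problems" ]; then echo ok; else echo "$problems"; return 1; fi
}

# Usage: sh make_csr.sh remote.myschool.lea.sch.uk "My School" ./remote
if [ $# -eq 3 ]; then
  make_csr "$1" "$2" "$3"
  check_csr "$3.csr" "$1"
  echo "Send $3.csr to us; keep $3.key on your server."
fi
```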
You may renew your certificates in advance. The expiry date of the new certificate will be extended to take into account any time you have left on your previous certificate, i.e. if you renew early you will not lose any time.
N.B. Most certificate authorities require you to install intermediate certificates provided by the CA alongside your certificate. If you do not do this, the certificate will appear to work, but may still give errors in browsers. You should always check your certificate installation.
If you are using a NetManager, we can install the certificate (and any required intermediate CA certs) for you. For reference, here is the procedure for installation.
For all other server types, please follow the relevant instructions on the Digicert website. Pay particular attention to the instructions on obtaining the correct intermediate CAs for your certificate type (each cert type has different intermediate CAs).
To find the CA, if you are using Windows you can just double-click on your .crt file (if it is a .pem, you can just rename it to .crt) to view the Issued by: field. Then you can download the intermediate from Digicert. On any system with OpenSSL, the same field can be read from the command line (the x509 subcommand is required):
% openssl x509 -in my.domain.crt -noout -issuer
issuer= /C=US/O=DigiCert Inc/CN=RapidSSL TLS DV RSA Mixed SHA256 2020 CA-1
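As an added example (not part of this page and not Precedence's or DigiCert's tooling), this shell script reads the issuer of a certificate on any platform, verifies that a leaf plus intermediate file actually chains to a trusted root before installation, and shows the chain a live server really sends; file names and the CA bundle path are placeholders.

```shell
#!/bin/sh
# Added example, not from the page or Precedence: read the "Issued by" field
# of a certificate and confirm the chain you are about to install (leaf plus
# intermediate(s)) really links to a trusted root. File names are placeholders.
set -eu

# issuer_of CERT: prints the issuer DN of a PEM certificate in RFC2253 form
issuer_of() {
  openssl x509 -in "$1" -noout -issuer -nameopt RFC2253 | sed 's/^issuer=//'
}

# chain_ok LEAF INTERMEDIATES ROOTS: exit 0 only if LEAF validates through the
# intermediate file up to a root in ROOTS. This is the walk a browser does, so
# a missing or wrong intermediate fails here before it fails for visitors.
chain_ok() {
  openssl verify -CAfile "$3" -untrusted "$2" "$1" >/dev/null 2>&1
}

# served_chain HOST: what a visitor actually receives from the live server:
# each certificate sent (0 = yours, 1.. = intermediates) and the verify result.
served_chain() {
  printf '' | openssl s_client -connect "$1:443" -servername "$1" -showcerts 2>/dev/null \
    | awk '/^ *[0-9]+ s:/ || /Verify return code/'
}

# Usage: sh check_chain.sh my.domain.crt intermediate.pem /etc/ssl/certs/ca-certificates.crt
# (the last argument is your system's trusted root bundle; the path varies by OS)
if [ $# -eq 3 ]; then
  echo "Issued by: $(issuer_of "$1")"
  chain_ok "$1" "$2" "$3" && echo "chain OK" || echo "chain BROKEN: missing or wrong intermediate"
fi
```

served_chain needs network access to the server being checked; after installing, run it against your own hostname and confirm the intermediate appears as entry 1 and the verify return code is 0.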