Академический Документы
Профессиональный Документы
Культура Документы
HomeWebServersHowtogetHTTPS:SettingupSSLonyourwebsite
HowtogetHTTPS:SettingupSSL
onyourwebsite
PostedonJune6,2013byShaneHelpton56Comments
IfyouarecollectingANYsensitiveinformationonyourwebsite(includingemailandpassword),
thenyouneedtobesecure.OneofthebestwaystodothatistoenableHTTPS,alsoknownas
SSL(securesocketlayers),sothatanyinformationgoingtoandfromyourserverisautomatically
encrypted.Thepreventshackersfromsniffingoutyourvisitorssensitiveinformationasitpasses
throughtheinternet.
Yourvisitorswillfeelsaferonyoursitewhentheyseethelockwhileaccessyourwebsite
knowingitsprotectedbyasecuritycertificate.
Overview
ThebestthingaboutSSLisitssimpletosetup,andonceitsdoneallyouhavetodoisroute
peopletouseHTTPSinsteadofHTTP.Ifyoutrytoaccessyoursitebyputtinghttps://infrontof
yourURLsrightnow,youllgetanerror.ThatsbecauseyouhaventinstalledanSSLCertificate.
Butdontworrywellwalkyouthroughsettingonuprightnow!
SettingupHTTPSonyourwebsiteisveryeasy,justfollowthese5simplesteps:
1.HostwithadedicatedIPaddress
2.Buyacertificate
3.Activatethecertificate
4.Installthecertificate
5.UpdateyoursitetouseHTTPS
Step1:HostwithadedicatedIPaddress
Inordertoprovidethebestsecurity,SSLcertificatesrequireyourwebsitetohaveitsown
dedicatedIPaddress.LotsofsmallerwebhostingplansputyouonasharedIPwheremultiple
otherwebsitesareusingthesamelocation.WithadedicatedIP,youensurethatthetrafficgoingto
thatIPaddressisonlygoingtoyourwebsiteandnooneelses.
AnaffordablehostIrecommendforadedicatedIPisStableHost.Atthistimeitsunder$6/month,
butyoucangetitcheaperifyouorderforafullyear.TheyremyhostandIvebeenblownaway
withtheirsupportandperformance.Oh,andheresacouponfor40%off:expert40
IfyoudonthaveaplanwithadedicatedIPyoucanaskyourcurrentwebhosttoupgradeyour
accounttohaveadedicatedIPaddress.Therewillprobablybeachargeforititcouldbeone
timeormonthlyfees.
Step2:BuyaCertificate
NextyoullneedsomethingthatprovesyourwebsiteisyourwebsitekindoflikeanIDCardfor
yoursite.ThisisaccomplishedbycreatinganSSLcertificate.Acertificateissimplyaparagraphof
lettersandnumbersthatonlyyoursiteknows,likeareallylongpassword.Whenpeoplevisityour
siteviaHTTPSthatpasswordischecked,andifitmatches,itautomaticallyverifiesthatyour
websiteiswhoyousayitisanditencryptseverythingflowingtoandfromit.
Technicallythisissomethingyoucancreateyourself(calledaselfsignedcert),butallpopular
browserscheckwithCertificateAuthorities(CAs)whichalsohaveacopyofthatlongpassword
andcanvouchforyou.Inordertoberecognizedbytheseauthorities,youmustpurchasea
certificatethroughthem.
NameCheapiswhereIbuymycertificates.Theyhaveafewoptions,buttheonethatIfindbestis
theGeoTrustQuickSSL.Atthistimeits$46peryear,anditcomeswithasitesealthatyoucan
placeonyourpagestoshowyouresecurewhichisgoodforgettingyourcustomerstotrustyou.
Youllsimplybuyitnow,andthensetitupbyactivatingandinstallingitinthenextsteps.
Step3:Activatethecertificate
Note:Yourwebhostmaydothisstepforyoucheckwiththembeforeproceeding.Thiscanget
complicatedandifyoucanwait12daysitmaybebesttoletthemdoit.
Ifyoureactivatingthecertificateyourself,thenextstepistogenerateaCSR.Itseasiesttodothis
withinyourwebhostingcontrolpanelsuchasWHMorcPanel.GototheSSL/TLSadminarea
andchoosetoGenerateanSSLcertificateandSigningRequest.Filloutthefieldsinthescreen
below:
Hosttomakecertforisyourdomainname,andthecontactemailcanbeblank.Whenyouve
filleditout,youllseeascreenlikethis:
Jimat sehingga
RM1680 apabila
anda tukar-ganti
smartfon lama anda.
Tukar-Ganti Sekarang
Copythefirstblockoftext.YoullneedthisCSRtogivetotheSSLcertissuersotheycan
establishyouridentity.LogintoyourNameCheapaccount(orwhereveryouboughtyour
certificate)andactivateit.PasteyourCSRandanyotherfieldsneeded.Itwillaskyouforan
approveremail.Thisisanemailaddressthatprovesyouownthedomain,ie
webmaster@domain.com.Ifitdoesntexist,youllneedtocreateitsoyoucangettheemailthat
containsthefinalcertificate.Followthestepsandwhenyouaredonethatemailaddressshould
havereceivedthecertasa.crtfile.
Step4:Installthecertificate
Note:Yourwebhostmayalsodothisstepforyoutoocheckwiththembeforeproceeding.This
cangetcomplicatedandifyoucanwait12daysitmaybebesttoletthemdoit.
Ifyoureinstallingupthecertificateyourself,thisistheeasieststepyoulleverdo.Youhavethe
certificateinhand,allyouneedtodoispasteitintoyourwebhostcontrolpanel.Ifyoureusing
WHM.CPanel,clicktheInstallanSSLCertificatefromundertheSSL/TLSmenu.
Pasteitintothefirstboxandhitsubmit.Thatsit!Nowtrytoaccessyoursitevia
https://www.domain.comyoushouldbesecure!
Step5:UpdateyoursitetouseHTTPS
Atthispointifyougotohttps://yoursite.comyoushouldseeitload!Congrats,youvesuccessfully
installedSSLandenabledtheHTTPSprotocol!Butyourvisitorsarentprotectedjustyet,youneed
tomakesuretheyreaccessingyoursitethroughHTTPS!
Keepinmindthatyoutypicallyonlyneedtoprotectafewpages,suchasyourloginorcart
checkout.IfyouenableHTTPSonpageswheretheuserisntsubmittingsensitivedataonthere,
itsjustwastingencryptionprocessingandslowingdowntheexperience.Identifythetargetpages
andperformoneofthetwomethodsbelow.
Youcanupdatealllinkstothetargetpagesto
usetheHTTPSlinks.Inotherwords,iftheresa
linktoyourcartonyourhomepage,updatethat
linktousethesecurelink.Dothisforalllinkson
allpagespointingtothesensitiveURLs.
However,ifyouwanttoensurethatpeoplecan
onlyusespecificpagessecurelynomatterwhat
linkstheycomefrom,itsbesttouseaserver
sideapproachtoredirecttheuserifitsnot
HTTPS.Youcandothatwithacodesnippet
insertedontopofyoursecurepage.Heresone
inPHP:
//Requirehttps
if($_SERVER['HTTPS']!="on"){
$url="https://".$_SERVER['SERVER_NAME'].$_SERVER['REQUEST_URI'];
header("Location:$url");
exit;
}
Anotherserversideapproachistousemodrewrite.Thiswontrequireyoutochangeanyofyour
websitefiles,butwillneedyoutomodifyyourapacheconfiguration.Heresanicemodrewrite
cheatsheet,orjustusethisexample:
RewriteEngineOn
RewriteCond%{HTTPS}off
RewriteRule^(cart/|checkout/)https://%{HTTP_HOST}%{REQUEST_URI}
ThiswillensurethatifanyoneaccessesapageviaHTTPtheywillautomaticallyberedirectedto
HTTPS.
Tips
UnderstandthatHTTPSdoesntmeaninformationonyourserverissecure,itonlyprotects
theTRANSFERofdatafromyourvisitorscomputertoyours,andtheotherwaytoo.Once
thesensitivedataisonyourserveritsuptoyoutokeepthatdatasafe(encryptin
database,etc).
Somepeoplejustlookforalockonthepage,notonthebrowser.AfteryouveinstalledSSL
youmightwanttotryaddingalockicononyourpagesjusttoletthemknowitssecureif
theydontlookintheurlbar.
Summary
Whatmakesawebsitesecure?Aproperlyinstalledsecuritycertificate.
Congratulations!YouvesuccessfullyprotectedyourwebsitebyinstallinganSSLcertandmade
yourvisitorslesspronetoattacks.Youcanbreatheeasyknowingthatanyinformationtheysubmit
onyourwebsitewillbeencryptedandsaferfrompacketsniffinghackers.
ResourcesUsed
StableHost
NameCheap
modrewritecheatsheet
Howtocreateaserverfailoversolution
Ihaveanidea,nowwhat?Howtomakeyourwebsite/appideaareality
PostedinWebServers
56commentsonHowtogetHTTPS:SettingupSSLonyourwebsite
JunaidAhmed says:
November28,2013at8:19am
wow!workedforme(:
Reply
sangameshvsays:
January10,2017at9:12pm
haiJunaidimtryingtomakemywebsitehttpsbutididntgetthatone.pleasehelp.howi
havetoachieve
plsgiveyourmailid.illpingyou.
Reply
marksays:
January2,2014at12:04pm
Thanksforthetips,alsomightwanttoalsocheckouthttp://www.sslguru.com,theyhavea
prettyrobustknowledgebaseandacoupleSSLtoolsthatcomeinhandy.
Reply
Rajansays:
March11,2014at1:02am
IdonthaveanytransactiontobemadeonmysitesoshouldIgetSSLcertificateornot
Reply
ShaneHelptonsays:
March26,2014at8:34pm
SSLcertsareneededifyoucollectanysensitiveinformationusuallycreditcardsand
securitynumbers.Butthesedaysitsrecommendedevenforemailaddresses
Reply
Hughsays:
October17,2016at1:39pm
WithoutSSLyourwebsiteisvulnerableandtherearealotofwaysforhackerstoaccess
yourinformation.
https://en.wikipedia.org/wiki/Template:TLS/SSL_support_history_of_web_browsers
Reply
GodofTheinternetsays:
April11,2014at8:23pm
ASSLcertmeansnothingthesedays.Itsafalsesenseofsecurity.Anythingyoudoonlineis
opentopublicattacksandeyes.Thisincludesbankloginsandtransactions.TheSSLcertis
justawayforthesecompaniestograbyourmoney.Asasecurityexpert,Icantellyouthisfrom
firsthand.Icansitanywhereinapublicplacewherepeopleusetheirwirelessdeviceandsteal
anyinfotheysendacrosstheairwavesincludingbluetooth.
Reply
julessays:
January18,2015at3:26am
Thisappearstobetheinternetequivalentofsayingweareallgoingtodie.yesbutin
themeantimeweallhavetolive,socommentslikethisareextremelyunhelpfulwithout
givingasolution,sothanksforincreasingthesenseofvulnerabilityandmaybeyoucan
giveyoursolution?IfSSLisuselessthenwhatdoyousuggest?
Reply
HadiAltaha says:
July20,2016at6:37am
Ilovetheconfidence,youareawesome
Reply
Ivansays:
January18,2017at6:04am
WEllitdefinitelyhelpoutwithSEO,asGooglerankshttpssiteshigherthanhttpsites.
Reply
JakeGlyndalsays:
April7,2015at5:38pm
Whatmakesawebsitesecure?Aproperlyinstalledsecuritycertificate.Uh,no.Nononono.
Allitdoesisputupafencearoundthedatabeingcommunicatedbetweenthevisitorandthe
website.Itdoesntsecurethewebsitefromattackers.
Reply
ShaneHelptonsays:
April27,2015at7:41pm
Yourecompletelycorrect.SSLisjustoneaspectofmakingyoursitesecure.
Reply
Prashantsays:
July9,2015at10:46am
GreatarticleShaneithelpedme Thankyouforsharing
Reply
ShaneHelptonsays:
September24,2015at3:03pm
Gladithelped!!
Reply
EmmanuelNelsonsays:
October26,2015at1:31am
Thankyouforeverythingdetailsithinkamonestepaheadofgettingmywebsitesecure.
Reply
Archanasays:
November8,2015at2:49am
Thearticlehelps
ThanksheapsShane!!
Reply
Chandansays:
November23,2015at9:26pm
HiShane,
Cantheredirectionbedonethrough.htaccess?
Reply
ShaneHelptonsays:
November24,2015at1:36pm
HiChandanYes!ThesnippetabovethatstartswithRewriteEngineOnisfor.htaccess
Reply
joesays:
December11,2015at12:04am
hello,imnewtowebdesigningmyquestion:whereinmysitedoiputthisphpcode
//Requirehttps
if($_SERVER[HTTPS]!=on){
$url=https://.$_SERVER[SERVER_NAME].$_SERVER[REQUEST_URI]
header(Location:$url)
exit
}
isitintheheadsectionorthebodysection
Reply
ShaneHelptonsays:
January6,2016at8:17pm
Itsnotinheadorbody,butintheserversidecode(php,nothtml)
Reply
Mitchsays:
January12,2016at5:15am
Ireadthearticleandrealizedthatthisistwoyearsagobutstilltheinformationisrelevant.I
agree!InstallingSSLonthesitewillsecureprivatedatasentovertheInternet.Googleloves
securedsiteaswell.Thanksforthetip!
Bytheway,whatdoyouthinkwithhttps://www.ssl.com/?Theyprovideawiderangeofdigital
certificatestofitanyneedsatalowerprice.
Reply
LSsays:
January21,2016at12:29am
Thanksmate!
Beenlookingforsomewheretotellmethe123ofSSLandthisisexactlywhatIwanted
Reply
Joesays:
February9,2016at12:12pm
Niceonehere.WhoactuallyoughttointergratetheSSLCert?Isitmyhostcompanyintotheir
serverorIwhoownthewebpages?IamabouttouploadanestorebuiltontheWPe
commercethemeandusingWordPress.Ialreadyhaveahost.Pease,advisememore.Thank
you.
Reply
PriyankSonisays:
May16,2016at11:59pm
Yeahitworks..good..
ButIwillgowith5commentwhowrote,Asasecurityexpert,Icantellyouthisfromfirsthand.I
cansitanywhereinapublicplacewherepeopleusetheirwirelessdeviceandstealanyinfo
theysendacrosstheairwavesincludingbluetooth.
Reply
HussainBadushasays:
May27,2016at7:45pm
Thanks.
ThisgivesmeaninsightonwhatexactlySSLSecureSocketLayeris.
Iveworkedmanydomains,subdomainsandotherthingsbutnotwithSSL.
Hopefully,iwillsoonworkonitwithsomeclients
Againthumbsupforthetremendouspost.
HussainBadusha.
Reply
DavidLewissays:
June5,2016at10:29pm
Yourarticleisgreat.CanyoushowmeorcompleteanSSLCertificateonmyWixsite?Iam
losingtonsofbusinessasmyWixsiteisnotsecure!
Canyouassistwithasolution?
Thanks
David
P.S.Mysiteisunderconstructionbutaddressisasshownbelow
Reply
GuxGuxsays:
July11,2016at10:10pm
Nowtherearefreecertificates.Anorgfromlinuxfoundation+googlerunsit:
https://letsencrypt.org/
Reply
suryasays:
July15,2016at1:41am
iinstalledsslonmyhost.
thanksalot
Reply
sandrasays:
July17,2016at8:13pm
thankyouforyourarticlewegottheSSLcertificatebutsinceinstallationouremailsfromour
quoteformsandonlineshopordersaregettingcaughtontheserverbythespamnet?Whyisit
happening?
Reply
Vincentsays:
July25,2016at1:28am
Ihaveinstalledaselfsignedcertificateonmycpanelbutitdoesntstillwork.Whatmightbethe
issue?
Reply
RanjitRanjansays:
August9,2016at5:20am
DowehaveanywaytoinstallthefreeSSLcertificatesonwebsiteanddoesithelptoincrease
thetraffic,asIdonothaveanysensitiveinformationonmywebsite.So,wantedtoknowisit
requiredeven?
Reply
DavidCornishsays:
August9,2016at11:08pm
IvebeenthinkingofSSLforawhile,someoftheothersitesthatIrunarelookingtohave
storesonthemsotheinfointhisarticleisgoingtobeinvaluabletohelpdecidehowtogetthem
upwithanSSLcertificate
Reply
RanjitRanjansays:
August13,2016at3:22am
ThanksforthewonderfularticleIwillsuretrytoimplementit.whatareyourthoughtsonLets
encryptforGoDaddy.
Reply
Riyazsays:
October5,2016at12:13am
Niceinformation.CanyoupleasehelpwithletsencryptSSLCertifucate?
Reply
tusharshivansays:
November13,2016at12:50am
Hello
Ineedyourhelp.IinstalledthecertificateontheserverandIsomehowmanagedtoredirect
fromhttptohttps.Everythingworksfinebuttheproblemisthewebsiteloadsthedefaulthome
pageinsteadofmywebpage.MyhostingserverisonGodaddyandmywebsiteis
tusharshivan.in
PleaseHelp
Tushar
Reply
Jeffsays:
December6,2016at2:30pm
Idontwanttopayanythingforthiscertification,IjustwanttheHTTPSwherecanIjusthave
mywebsiteverifiedforfree?
Reply
Gizmosays:
December7,2016at2:46am
Dowehavetobuythehttpscertificate.Ifyesthenhowmuchitcost?IfnothendoIjustneedto
putthecodeontomywebsite.
Iamnewpleasebearwithme.Thanks!
Reply
Gizmosays:
December7,2016at2:50am
OopsIgottheanswerinthepostitself.ThanksShane.Thisisanawesomepost.
Reply
seoallinsays:
December8,2016at5:54am
httpsisworthconsidering,Googlealgorithmnowaddsseopointsforthat.
Reply
HarishChandsays:
December13,2016at2:57am
Thanksforthiswonderfularticle.Itreallymademeeasiertoknowmoreabouthowtosecure
infotransferusinghttps://.
AlsoIreadthehostingandcertificationplansbyNameCheapandStableHost.Iampretty
amazedwiththisandlookingforwardtousetheplan.
ThankYou.
NSWITSupport
Reply
SrijanChandsays:
December13,2016at3:02am
Howmuchtimedoesittaketoawebsiteafterinstallingthecertificatetogetupdated?
Bytheway,
Reallyaworthyarticle.Everystepwisesuggestionisjustmindblowing.
ThankYou,
SrijanChand.
Reply
robinsays:
December26,2016at2:07am
hello,mywebsitehasinstalledSSLanditshowsokaywhenyouopenitinchromewithgreen
lock.Howeverwhileingoogle,ifisearchmywebsiteitdoesnotincludehttps,whereisworng
Reply
NakisnMoiffesays:
January5,2017at11:23pm
ReallyHelpful,pleasewhatotherwayscanwesecureoursiteissecuredespeciallyiffinancial
transactionsarebeingcarriedout?
Thanks
Reply
assafsays:
January28,2017at11:50am
HiFriend!1questionplease!ifidonotcollectinfosuchasemailandpasswordionlysell
usingpaypalinmywebsitedoihavetousessl?
Reply
ShaneHelptonsays:
April20,2017at11:08am
Emailsandpasswordsaresensitiveinformation,soyesyoushould.
Reply
Sablefostesays:
January29,2017at6:50pm
NoexcuseanymorefornothavingEVERYTHINGSSLontheinternet.Itistooeasy(thankyou
forthisstillrelevantarticle)ANDnowalwaysFREEthankstoLetsEncrypt
(https://letsencrypt.org/).IuseDreamhost,andthecombinationistrulyafixitandforgetit
solution.Justapplyforthecertificate,followtherulesonthisarticleandyouaredone.It
automaticallyrenews.
NOMOREEXCUSES!
Reply
Ratansays:
February3,2017at2:35pm
Thanksforyourinformation.Today,IreadaboutHTTPS.GoogleSays,ItsaRankingsignal.
So,Iamgoingtobuyasslcertificate.Canyoupleasetellmewhichsslproviderisbest?
Reply
LidiaClasessays:
February17,2017at2:43am
WhataboutfreeSSLsfromletsencrypt?
Reply
ShaneHelptonsays:
April20,2017at11:07am
ThesearegreatandIhighlysupportthemIneedtoupdatethisarticlewiththat
information.
Reply
NishatMahmudsays:
February19,2017at9:05pm
Thanksmate.Imfacingtoomuchproblemsbecauseofthis.Andnowitstotallyclearbecause
ofyourpost.Butcantheredirectionbedonethrough.htaccess?
Reply
johnsays:
March7,2017at2:14pm
HiShane,
WehaveabunchofformsthatneedtobeSSL.ISitsafetoapplySSLonaproductionserver
orisitbettertoclonethemontoadifferentserverwithSSLenabledandthendoaDNScutover
tothatserver?IsthereaserverdowntimetobeexpectedwhenimplementingSSL?Imtrying
toavoidanyinterruptionofservice.ImkindofnewtothissoImjustdoingsomehomeworkon
this.
Thanks!
John
Reply
Marksays:
March21,2017at9:50am
Mysiterunbothurlwithhttporhttps,Icannotunderstandtheissue!!!whatswrongwithmy
end
Reply
PJsays:
March22,2017at12:13am
whatifmywebsitesarebehindaloadbalancer?howcanwedothat?
Reply
AndroidRevsays:
March31,2017at1:51am
Wow!IjustreadthisnowandwhileIknewtheimportanceofsecuringyoursite,Inever
imaginedthatGooglerankedsitebasedontheirperceivedsecurity.Thanksforthis,Imoffto
securemysite!
Reply
ShabuAnower says:
April10,2017at5:14am
Thankyouforyourdetailinstruction,justIveactivatedSSLforasite.Again,thanksalot.
Reply
Emransays:
April16,2017at12:33am
Googleisenforcingwhattheylike,notfair
Reply
LeaveaReply
Youremailaddresswillnotbepublished.Requiredfieldsaremarked*
Comment
Name*
Email*
Website
PostComment
2017ExpertHowToGuides ResponsiveThemepoweredbyWordPress