Home

HomeWebServersHowtogetHTTPS:SettingupSSLonyourwebsite

HowtogetHTTPS:SettingupSSL
onyourwebsite
PostedonJune6,2013byShaneHelpton56Comments

IfyouarecollectingANYsensitiveinformationonyourwebsite(includingemailandpassword),
thenyouneedtobesecure.OneofthebestwaystodothatistoenableHTTPS,alsoknownas
SSL(securesocketlayers),sothatanyinformationgoingtoandfromyourserverisautomatically
encrypted.Thepreventshackersfromsniffingoutyourvisitorssensitiveinformationasitpasses
throughtheinternet.

Yourvisitorswillfeelsaferonyoursitewhentheyseethelockwhileaccessyourwebsite
knowingitsprotectedbyasecuritycertificate.

Overview
ThebestthingaboutSSLisitssimpletosetup,andonceitsdoneallyouhavetodoisroute
peopletouseHTTPSinsteadofHTTP.Ifyoutrytoaccessyoursitebyputtinghttps://infrontof
yourURLsrightnow,youllgetanerror.ThatsbecauseyouhaventinstalledanSSLCertificate.
Butdontworrywellwalkyouthroughsettingonuprightnow!

SettingupHTTPSonyourwebsiteisveryeasy,justfollowthese5simplesteps:

1.HostwithadedicatedIPaddress
2.Buyacertificate
3.Activatethecertificate
4.Installthecertificate
5.UpdateyoursitetouseHTTPS

Step1:HostwithadedicatedIPaddress
Inordertoprovidethebestsecurity,SSLcertificatesrequireyourwebsitetohaveitsown
dedicatedIPaddress.LotsofsmallerwebhostingplansputyouonasharedIPwheremultiple
otherwebsitesareusingthesamelocation.WithadedicatedIP,youensurethatthetrafficgoingto
thatIPaddressisonlygoingtoyourwebsiteandnooneelses.

AnaffordablehostIrecommendforadedicatedIPisStableHost.Atthistimeitsunder$6/month,
butyoucangetitcheaperifyouorderforafullyear.TheyremyhostandIvebeenblownaway
withtheirsupportandperformance.Oh,andheresacouponfor40%off:expert40

IfyoudonthaveaplanwithadedicatedIPyoucanaskyourcurrentwebhosttoupgradeyour
accounttohaveadedicatedIPaddress.Therewillprobablybeachargeforititcouldbeone
timeormonthlyfees.

Step2:BuyaCertificate
NextyoullneedsomethingthatprovesyourwebsiteisyourwebsitekindoflikeanIDCardfor
yoursite.ThisisaccomplishedbycreatinganSSLcertificate.Acertificateissimplyaparagraphof
lettersandnumbersthatonlyyoursiteknows,likeareallylongpassword.Whenpeoplevisityour
siteviaHTTPSthatpasswordischecked,andifitmatches,itautomaticallyverifiesthatyour
websiteiswhoyousayitisanditencryptseverythingflowingtoandfromit.

Technicallythisissomethingyoucancreateyourself(calledaselfsignedcert),butallpopular
browserscheckwithCertificateAuthorities(CAs)whichalsohaveacopyofthatlongpassword
andcanvouchforyou.Inordertoberecognizedbytheseauthorities,youmustpurchasea
certificatethroughthem.

NameCheapiswhereIbuymycertificates.Theyhaveafewoptions,buttheonethatIfindbestis
theGeoTrustQuickSSL.Atthistimeits$46peryear,anditcomeswithasitesealthatyoucan
placeonyourpagestoshowyouresecurewhichisgoodforgettingyourcustomerstotrustyou.
Youllsimplybuyitnow,andthensetitupbyactivatingandinstallingitinthenextsteps.

Step3:Activatethecertificate
Note:Yourwebhostmaydothisstepforyoucheckwiththembeforeproceeding.Thiscanget
complicatedandifyoucanwait12daysitmaybebesttoletthemdoit.

Ifyoureactivatingthecertificateyourself,thenextstepistogenerateaCSR.Itseasiesttodothis
withinyourwebhostingcontrolpanelsuchasWHMorcPanel.GototheSSL/TLSadminarea
andchoosetoGenerateanSSLcertificateandSigningRequest.Filloutthefieldsinthescreen
below:
Hosttomakecertforisyourdomainname,andthecontactemailcanbeblank.Whenyouve
filleditout,youllseeascreenlikethis:

Jimat sehingga
RM1680 apabila
anda tukar-ganti
smartfon lama anda.

Tukar-Ganti Sekarang
Copythefirstblockoftext.YoullneedthisCSRtogivetotheSSLcertissuersotheycan
establishyouridentity.LogintoyourNameCheapaccount(orwhereveryouboughtyour
certificate)andactivateit.PasteyourCSRandanyotherfieldsneeded.Itwillaskyouforan
approveremail.Thisisanemailaddressthatprovesyouownthedomain,ie
webmaster@domain.com.Ifitdoesntexist,youllneedtocreateitsoyoucangettheemailthat
containsthefinalcertificate.Followthestepsandwhenyouaredonethatemailaddressshould
havereceivedthecertasa.crtfile.

Step4:Installthecertificate
Note:Yourwebhostmayalsodothisstepforyoutoocheckwiththembeforeproceeding.This
cangetcomplicatedandifyoucanwait12daysitmaybebesttoletthemdoit.

Ifyoureinstallingupthecertificateyourself,thisistheeasieststepyoulleverdo.Youhavethe
certificateinhand,allyouneedtodoispasteitintoyourwebhostcontrolpanel.Ifyoureusing
WHM.CPanel,clicktheInstallanSSLCertificatefromundertheSSL/TLSmenu.
Pasteitintothefirstboxandhitsubmit.Thatsit!Nowtrytoaccessyoursitevia
https://www.domain.comyoushouldbesecure!

Step5:UpdateyoursitetouseHTTPS
Atthispointifyougotohttps://yoursite.comyoushouldseeitload!Congrats,youvesuccessfully
installedSSLandenabledtheHTTPSprotocol!Butyourvisitorsarentprotectedjustyet,youneed
tomakesuretheyreaccessingyoursitethroughHTTPS!

Keepinmindthatyoutypicallyonlyneedtoprotectafewpages,suchasyourloginorcart
checkout.IfyouenableHTTPSonpageswheretheuserisntsubmittingsensitivedataonthere,
itsjustwastingencryptionprocessingandslowingdowntheexperience.Identifythetargetpages
andperformoneofthetwomethodsbelow.

Youcanupdatealllinkstothetargetpagesto
usetheHTTPSlinks.Inotherwords,iftheresa
linktoyourcartonyourhomepage,updatethat
linktousethesecurelink.Dothisforalllinkson
allpagespointingtothesensitiveURLs.

However,ifyouwanttoensurethatpeoplecan
onlyusespecificpagessecurelynomatterwhat
linkstheycomefrom,itsbesttouseaserver
sideapproachtoredirecttheuserifitsnot
HTTPS.Youcandothatwithacodesnippet
insertedontopofyoursecurepage.Heresone
inPHP:
 //Requirehttps
if($_SERVER['HTTPS']!="on"){
$url="https://".$_SERVER['SERVER_NAME'].$_SERVER['REQUEST_URI'];
header("Location:$url");
exit;
}

Anotherserversideapproachistousemodrewrite.Thiswontrequireyoutochangeanyofyour
websitefiles,butwillneedyoutomodifyyourapacheconfiguration.Heresanicemodrewrite
cheatsheet,orjustusethisexample:

RewriteEngineOn
RewriteCond%{HTTPS}off
RewriteRule^(cart/|checkout/)https://%{HTTP_HOST}%{REQUEST_URI}

ThiswillensurethatifanyoneaccessesapageviaHTTPtheywillautomaticallyberedirectedto
HTTPS.

Tips
UnderstandthatHTTPSdoesntmeaninformationonyourserverissecure,itonlyprotects
theTRANSFERofdatafromyourvisitorscomputertoyours,andtheotherwaytoo.Once
thesensitivedataisonyourserveritsuptoyoutokeepthatdatasafe(encryptin
database,etc).
Somepeoplejustlookforalockonthepage,notonthebrowser.AfteryouveinstalledSSL
youmightwanttotryaddingalockicononyourpagesjusttoletthemknowitssecureif
theydontlookintheurlbar.

Summary
Whatmakesawebsitesecure?Aproperlyinstalledsecuritycertificate.

Congratulations!YouvesuccessfullyprotectedyourwebsitebyinstallinganSSLcertandmade
yourvisitorslesspronetoattacks.Youcanbreatheeasyknowingthatanyinformationtheysubmit
onyourwebsitewillbeencryptedandsaferfrompacketsniffinghackers.

ResourcesUsed
StableHost
NameCheap
modrewritecheatsheet
 Howtocreateaserverfailoversolution

Ihaveanidea,nowwhat?Howtomakeyourwebsite/appideaareality
PostedinWebServers

56commentsonHowtogetHTTPS:SettingupSSLonyourwebsite

JunaidAhmed says:
November28,2013at8:19am

wow!workedforme(:

Reply

sangameshvsays:
January10,2017at9:12pm

haiJunaidimtryingtomakemywebsitehttpsbutididntgetthatone.pleasehelp.howi
havetoachieve
plsgiveyourmailid.illpingyou.

Reply

marksays:
January2,2014at12:04pm

Thanksforthetips,alsomightwanttoalsocheckouthttp://www.sslguru.com,theyhavea
prettyrobustknowledgebaseandacoupleSSLtoolsthatcomeinhandy.

Reply

Rajansays:
March11,2014at1:02am

IdonthaveanytransactiontobemadeonmysitesoshouldIgetSSLcertificateornot

Reply

ShaneHelptonsays:
March26,2014at8:34pm

SSLcertsareneededifyoucollectanysensitiveinformationusuallycreditcardsand
securitynumbers.Butthesedaysitsrecommendedevenforemailaddresses

Reply
 Hughsays:
October17,2016at1:39pm

WithoutSSLyourwebsiteisvulnerableandtherearealotofwaysforhackerstoaccess
yourinformation.
https://en.wikipedia.org/wiki/Template:TLS/SSL_support_history_of_web_browsers

Reply

GodofTheinternetsays:
April11,2014at8:23pm

ASSLcertmeansnothingthesedays.Itsafalsesenseofsecurity.Anythingyoudoonlineis
opentopublicattacksandeyes.Thisincludesbankloginsandtransactions.TheSSLcertis
justawayforthesecompaniestograbyourmoney.Asasecurityexpert,Icantellyouthisfrom
firsthand.Icansitanywhereinapublicplacewherepeopleusetheirwirelessdeviceandsteal
anyinfotheysendacrosstheairwavesincludingbluetooth.

Reply

julessays:
January18,2015at3:26am

Thisappearstobetheinternetequivalentofsayingweareallgoingtodie.yesbutin
themeantimeweallhavetolive,socommentslikethisareextremelyunhelpfulwithout
givingasolution,sothanksforincreasingthesenseofvulnerabilityandmaybeyoucan
giveyoursolution?IfSSLisuselessthenwhatdoyousuggest?

Reply

HadiAltaha says:
July20,2016at6:37am

Ilovetheconfidence,youareawesome

Reply

Ivansays:
January18,2017at6:04am

WEllitdefinitelyhelpoutwithSEO,asGooglerankshttpssiteshigherthanhttpsites.

Reply
 JakeGlyndalsays:
April7,2015at5:38pm

Whatmakesawebsitesecure?Aproperlyinstalledsecuritycertificate.Uh,no.Nononono.
Allitdoesisputupafencearoundthedatabeingcommunicatedbetweenthevisitorandthe
website.Itdoesntsecurethewebsitefromattackers.

Reply

ShaneHelptonsays:
April27,2015at7:41pm

Yourecompletelycorrect.SSLisjustoneaspectofmakingyoursitesecure.

Reply

Prashantsays:
July9,2015at10:46am

GreatarticleShaneithelpedme Thankyouforsharing

Reply

ShaneHelptonsays:
September24,2015at3:03pm

Gladithelped!!

Reply

EmmanuelNelsonsays:
October26,2015at1:31am

Thankyouforeverythingdetailsithinkamonestepaheadofgettingmywebsitesecure.

Reply

Archanasays:
November8,2015at2:49am

Thearticlehelps
ThanksheapsShane!!

Reply

Chandansays:
November23,2015at9:26pm

HiShane,
Cantheredirectionbedonethrough.htaccess?

Reply

ShaneHelptonsays:
November24,2015at1:36pm

HiChandanYes!ThesnippetabovethatstartswithRewriteEngineOnisfor.htaccess

Reply

joesays:
December11,2015at12:04am

hello,imnewtowebdesigningmyquestion:whereinmysitedoiputthisphpcode

//Requirehttps
if($_SERVER[HTTPS]!=on){
$url=https://.$_SERVER[SERVER_NAME].$_SERVER[REQUEST_URI]
header(Location:$url)
exit
}

isitintheheadsectionorthebodysection

Reply

ShaneHelptonsays:
January6,2016at8:17pm

Itsnotinheadorbody,butintheserversidecode(php,nothtml)

Reply

Mitchsays:
 January12,2016at5:15am

Ireadthearticleandrealizedthatthisistwoyearsagobutstilltheinformationisrelevant.I
agree!InstallingSSLonthesitewillsecureprivatedatasentovertheInternet.Googleloves
securedsiteaswell.Thanksforthetip!

Bytheway,whatdoyouthinkwithhttps://www.ssl.com/?Theyprovideawiderangeofdigital
certificatestofitanyneedsatalowerprice.

Reply

LSsays:
January21,2016at12:29am

Thanksmate!
Beenlookingforsomewheretotellmethe123ofSSLandthisisexactlywhatIwanted

Reply

Joesays:
February9,2016at12:12pm

Niceonehere.WhoactuallyoughttointergratetheSSLCert?Isitmyhostcompanyintotheir
serverorIwhoownthewebpages?IamabouttouploadanestorebuiltontheWPe
commercethemeandusingWordPress.Ialreadyhaveahost.Pease,advisememore.Thank
you.

Reply

PriyankSonisays:
May16,2016at11:59pm

Yeahitworks..good..
ButIwillgowith5commentwhowrote,Asasecurityexpert,Icantellyouthisfromfirsthand.I
cansitanywhereinapublicplacewherepeopleusetheirwirelessdeviceandstealanyinfo
theysendacrosstheairwavesincludingbluetooth.

Reply

HussainBadushasays:
May27,2016at7:45pm

Thanks.
ThisgivesmeaninsightonwhatexactlySSLSecureSocketLayeris.
Iveworkedmanydomains,subdomainsandotherthingsbutnotwithSSL.
Hopefully,iwillsoonworkonitwithsomeclients

Againthumbsupforthetremendouspost.
HussainBadusha.

Reply

DavidLewissays:
June5,2016at10:29pm

Yourarticleisgreat.CanyoushowmeorcompleteanSSLCertificateonmyWixsite?Iam
losingtonsofbusinessasmyWixsiteisnotsecure!

Canyouassistwithasolution?

Thanks

David

P.S.Mysiteisunderconstructionbutaddressisasshownbelow

Reply

GuxGuxsays:
July11,2016at10:10pm

Nowtherearefreecertificates.Anorgfromlinuxfoundation+googlerunsit:
https://letsencrypt.org/

Reply

suryasays:
July15,2016at1:41am

iinstalledsslonmyhost.
thanksalot

Reply

sandrasays:
July17,2016at8:13pm
thankyouforyourarticlewegottheSSLcertificatebutsinceinstallationouremailsfromour
quoteformsandonlineshopordersaregettingcaughtontheserverbythespamnet?Whyisit
happening?

Reply

Vincentsays:
July25,2016at1:28am

Ihaveinstalledaselfsignedcertificateonmycpanelbutitdoesntstillwork.Whatmightbethe
issue?

Reply

RanjitRanjansays:
August9,2016at5:20am

DowehaveanywaytoinstallthefreeSSLcertificatesonwebsiteanddoesithelptoincrease
thetraffic,asIdonothaveanysensitiveinformationonmywebsite.So,wantedtoknowisit
requiredeven?

Reply

DavidCornishsays:
August9,2016at11:08pm

IvebeenthinkingofSSLforawhile,someoftheothersitesthatIrunarelookingtohave
storesonthemsotheinfointhisarticleisgoingtobeinvaluabletohelpdecidehowtogetthem
upwithanSSLcertificate

Reply

RanjitRanjansays:
August13,2016at3:22am

ThanksforthewonderfularticleIwillsuretrytoimplementit.whatareyourthoughtsonLets
encryptforGoDaddy.

Reply

Riyazsays:
October5,2016at12:13am

Niceinformation.CanyoupleasehelpwithletsencryptSSLCertifucate?
Reply

tusharshivansays:
November13,2016at12:50am

Hello
Ineedyourhelp.IinstalledthecertificateontheserverandIsomehowmanagedtoredirect
fromhttptohttps.Everythingworksfinebuttheproblemisthewebsiteloadsthedefaulthome
pageinsteadofmywebpage.MyhostingserverisonGodaddyandmywebsiteis
tusharshivan.in

PleaseHelp
Tushar

Reply

Jeffsays:
December6,2016at2:30pm

Idontwanttopayanythingforthiscertification,IjustwanttheHTTPSwherecanIjusthave
mywebsiteverifiedforfree?

Reply

Gizmosays:
December7,2016at2:46am

Dowehavetobuythehttpscertificate.Ifyesthenhowmuchitcost?IfnothendoIjustneedto
putthecodeontomywebsite.

Iamnewpleasebearwithme.Thanks!

Reply

Gizmosays:
December7,2016at2:50am

OopsIgottheanswerinthepostitself.ThanksShane.Thisisanawesomepost.

Reply

seoallinsays:
December8,2016at5:54am
httpsisworthconsidering,Googlealgorithmnowaddsseopointsforthat.

Reply

HarishChandsays:
December13,2016at2:57am

Thanksforthiswonderfularticle.Itreallymademeeasiertoknowmoreabouthowtosecure
infotransferusinghttps://.
AlsoIreadthehostingandcertificationplansbyNameCheapandStableHost.Iampretty
amazedwiththisandlookingforwardtousetheplan.

ThankYou.
NSWITSupport

Reply

SrijanChandsays:
December13,2016at3:02am

Howmuchtimedoesittaketoawebsiteafterinstallingthecertificatetogetupdated?

Bytheway,
Reallyaworthyarticle.Everystepwisesuggestionisjustmindblowing.

ThankYou,
SrijanChand.

Reply

robinsays:
December26,2016at2:07am

hello,mywebsitehasinstalledSSLanditshowsokaywhenyouopenitinchromewithgreen
lock.Howeverwhileingoogle,ifisearchmywebsiteitdoesnotincludehttps,whereisworng

Reply

NakisnMoiffesays:
January5,2017at11:23pm

ReallyHelpful,pleasewhatotherwayscanwesecureoursiteissecuredespeciallyiffinancial
transactionsarebeingcarriedout?
Thanks
Reply

assafsays:
January28,2017at11:50am

HiFriend!1questionplease!ifidonotcollectinfosuchasemailandpasswordionlysell
usingpaypalinmywebsitedoihavetousessl?

Reply

ShaneHelptonsays:
April20,2017at11:08am

Emailsandpasswordsaresensitiveinformation,soyesyoushould.

Reply

Sablefostesays:
January29,2017at6:50pm

NoexcuseanymorefornothavingEVERYTHINGSSLontheinternet.Itistooeasy(thankyou
forthisstillrelevantarticle)ANDnowalwaysFREEthankstoLetsEncrypt
(https://letsencrypt.org/).IuseDreamhost,andthecombinationistrulyafixitandforgetit
solution.Justapplyforthecertificate,followtherulesonthisarticleandyouaredone.It
automaticallyrenews.

NOMOREEXCUSES!

Reply

Ratansays:
February3,2017at2:35pm

Thanksforyourinformation.Today,IreadaboutHTTPS.GoogleSays,ItsaRankingsignal.
So,Iamgoingtobuyasslcertificate.Canyoupleasetellmewhichsslproviderisbest?

Reply

LidiaClasessays:
February17,2017at2:43am

WhataboutfreeSSLsfromletsencrypt?

Reply
 ShaneHelptonsays:
April20,2017at11:07am

ThesearegreatandIhighlysupportthemIneedtoupdatethisarticlewiththat
information.

Reply

NishatMahmudsays:
February19,2017at9:05pm

Thanksmate.Imfacingtoomuchproblemsbecauseofthis.Andnowitstotallyclearbecause
ofyourpost.Butcantheredirectionbedonethrough.htaccess?

Reply

johnsays:
March7,2017at2:14pm

HiShane,

WehaveabunchofformsthatneedtobeSSL.ISitsafetoapplySSLonaproductionserver
orisitbettertoclonethemontoadifferentserverwithSSLenabledandthendoaDNScutover
tothatserver?IsthereaserverdowntimetobeexpectedwhenimplementingSSL?Imtrying
toavoidanyinterruptionofservice.ImkindofnewtothissoImjustdoingsomehomeworkon
this.

Thanks!
John

Reply

Marksays:
March21,2017at9:50am

Mysiterunbothurlwithhttporhttps,Icannotunderstandtheissue!!!whatswrongwithmy
end

Reply

PJsays:
March22,2017at12:13am
whatifmywebsitesarebehindaloadbalancer?howcanwedothat?

Reply

AndroidRevsays:
March31,2017at1:51am

Wow!IjustreadthisnowandwhileIknewtheimportanceofsecuringyoursite,Inever
imaginedthatGooglerankedsitebasedontheirperceivedsecurity.Thanksforthis,Imoffto
securemysite!

Reply

ShabuAnower says:
April10,2017at5:14am

Thankyouforyourdetailinstruction,justIveactivatedSSLforasite.Again,thanksalot.

Reply

Emransays:
April16,2017at12:33am

Googleisenforcingwhattheylike,notfair

Reply

LeaveaReply
Youremailaddresswillnotbepublished.Requiredfieldsaremarked*

Comment

Name*
 Email*

Website

PostComment

2017ExpertHowToGuides ResponsiveThemepoweredbyWordPress