Friday, May 20, 2011

Setting Up a Wildcard SSL on cPanel/WHM

A Wildcard Certificate means all of your sub-domains will resolve to the same location, regardless of the non-SSL Document-Root specification. A user will need to purchase a wildcard SSL from a vendor or a reseller that supplies them.

Similar to having multiple certificates installed on a server, each sub-domain containing the certificate needs its own IP as well. Wildcard SSLs do not work like Wildcard DNS: you will have to specifically install the certificate on each sub-domain. The following are two methods to set up a Wildcard SSL for a domain.

Multiple Accounts

In a case where you have each sub-domain hosted as a separate cPanel account, and each cPanel account has its own IP address, then follow these steps:
  • Generate the Certificate Signing Request (CSR) in WHM, using *.domain.com
  • There are two ways to change a site’s IP address:
      i. Via WHM:
         Go to WHM > Change site’s IP Address, select the account, then select the
      ii. Via Command Line:
         /usr/local/cpanel/bin/setsiteip -u $user $ip
  • When you’ve obtained the certificate, go to WHM > Install a SSL Certificate and Setup the Domain and paste in the CRT and CA Bundle for *.domain.com
  • The fields should auto-populate, in which case you need to make sure the IP is correct, then change the SSL hostname from *.domain.com to the target sub-domain
  • Click install to install the certificate

One Account


This method may be best for users that are not resellers or that are on shared hosting servers, where having multiple cPanel accounts may not be ideal. In this case, you’d have one cPanel account and assign multiple IPs to its sub-domains:
  • Generate the Certificate Signing Request (CSR) in WHM, using *.domain.com
  • These are the steps to assign dedicated IPs to multiple sub-domains on the same account:
      I. Edit /var/cpanel/userdata/$USER/$SUBDOMAIN.$DOMAIN for each subdomain (for addon/parked domains you’ll usually edit the file for the subdomain associated with the addon/parked domain) and change the IP value to a “dedicated” IP.
      II. Run /scripts/rebuildhttpconf
      III. Edit the DNS zone for the subdomain (which will likely be attached to the parent domain) and update the A record to point to that IP as well. Then synchronize the zone out to the DNS cluster, if one exists:
      IV. /scripts/dnscluster synczone <parentdomain>
      V. Edit /etc/domainips and add an entry for that subdomain to point to the IP, then run /scripts/rebuildippool to make sure the IP is marked as taken.
  • When you’ve obtained the certificate, go to WHM > Install a SSL Certificate and Setup the Domain and paste in the CRT and CA Bundle for *.domain.com
  • The fields should auto-populate, in which case you need to make sure the IP is correct, then change the SSL hostname from *.domain.com to the target sub-domain
  • Click install to install the certificate
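
Both methods end by changing the SSL hostname from *.domain.com to a target sub-domain on its own IP. The following pre-install check is an added example, not cPanel code and not part of the original post: it flags hostnames a *.domain.com certificate does not cover (the wildcard stands for exactly one label) and IPs assigned to more than one SSL hostname. The function names, the plan list and the 192.0.2.x addresses are constructed for illustration.

```python
from collections import defaultdict

def wildcard_covers(pattern, hostname):
    """True if a '*.domain.com' style pattern covers hostname.

    The '*' stands for exactly one left-most DNS label, so the bare
    parent domain and deeper names such as a.b.domain.com do not match.
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == hostname
    suffix = pattern[1:]                      # ".domain.com"
    if not hostname.endswith(suffix):
        return False
    label = hostname[: -len(suffix)]
    return bool(label) and "." not in label and "*" not in label

def check_plan(pattern, assignments):
    """assignments: list of (ssl_hostname, ip). Returns a list of problems."""
    problems = []
    by_ip = defaultdict(list)
    for host, ip in assignments:
        by_ip[ip].append(host)
        if not wildcard_covers(pattern, host):
            problems.append(f"{host}: not covered by {pattern}")
    for ip, hosts in sorted(by_ip.items()):
        if len(hosts) > 1:                    # the post requires one IP per SSL host
            problems.append(f"{ip}: shared by {', '.join(hosts)}")
    return problems

# Constructed sample plan; addresses come from a documentation range.
PLAN = [
    ("shop.domain.com", "192.0.2.10"),
    ("mail.domain.com", "192.0.2.11"),
    ("blog.domain.com", "192.0.2.11"),        # reuses an IP
    ("domain.com", "192.0.2.12"),             # parent domain itself
    ("a.b.domain.com", "192.0.2.13"),         # two labels deep
]

if __name__ == "__main__":
    for line in check_plan("*.domain.com", PLAN):
        print(line)
```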

This saves the time of managing numerous certificates for sub-domains, and money as well, since Wildcard SSL Certificates such as RapidSSL Wildcard SSL or GeoTrust True BusinessID Wildcard provide security for all the sub-domains of one main domain name.



About the Author:
RapidSSLonline is one of the largest cheap SSL certificate providers and is a Platinum partner for VeriSign, GeoTrust SSL, Thawte and RapidSSL. It provides 24/7 support for any question, anytime. For more information about RapidSSLonline, please visit https://www.rapidsslonline.com 





Tuesday, May 3, 2011

SSL Installation Guidelines: Install VeriSign SSL on Microsoft IIS 6.0

VeriSign SSL provides SSL solutions that allow companies & consumers to engage in transactions & commerce online with trust and confidence. This document provides instructions for installing Cheap SSL Certificates into Microsoft IIS 6.0.

VeriSign is the leading Secure Sockets Layer (SSL) Certificate Authority enabling secure e-commerce, communications, and interactions for Web sites, intranets, and extranets. VeriSign® digital certificates protect over 900,000 Web servers worldwide, so consumers can shop safely. Choose VeriSign® SSL Certificates and display the VeriSign Secured® Seal, the most trusted mark on the Internet.

Follow these guidelines to install a VeriSign SSL Certificate on Microsoft IIS 6.0. If the installation fails, it is recommended to contact Microsoft.

Download the certificate

Method 1:
You will receive the SSL Certificate via email from VeriSign. Copy and paste the contents of the certificate into a plain text editor such as Notepad.


The text file should be in the following format :

-----BEGIN CERTIFICATE-----
[Encoded data]
-----END CERTIFICATE-----
There should be 5 dashes on either side of BEGIN CERTIFICATE and END CERTIFICATE, with no extra white space, line breaks or other characters added unintentionally.
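
The format rule above can be checked before the file is handed to the IIS wizard. This is an added example, not VeriSign or Microsoft code: it verifies the two marker lines character for character, rejects stray white space and blank lines, and confirms the encoded data decodes. The sample it builds wraps constructed bytes, not a real certificate, and the function names are illustrative.

```python
import base64
import re

BEGIN = "-----BEGIN CERTIFICATE-----"
END = "-----END CERTIFICATE-----"

def check_pem_text(text):
    """Return a list of problems found in a pasted certificate file."""
    problems = []
    lines = text.replace("\r\n", "\n").split("\n")
    if lines[-1] == "":
        lines.pop()                       # a single final newline is fine
    if not lines or lines[0] != BEGIN:
        problems.append("first line is not exactly " + BEGIN)
    if len(lines) < 2 or lines[-1] != END:
        problems.append("last line is not exactly " + END)
    body = lines[1:-1]
    for n, line in enumerate(body, start=2):
        if line == "":
            problems.append(f"line {n}: blank line inside the encoded data")
        elif line != line.strip():
            problems.append(f"line {n}: leading or trailing white space")
        elif not re.fullmatch(r"[A-Za-z0-9+/]+={0,2}", line):
            problems.append(f"line {n}: character outside the base64 alphabet")
    if not problems:
        try:
            der = base64.b64decode("".join(body), validate=True)
        except ValueError:
            der = b""
        if not der.startswith(b"\x30"):   # certificates are DER SEQUENCEs
            problems.append("encoded data is not a DER structure")
    return problems

def make_sample():
    """Build a well-formed file around constructed bytes (not a real certificate)."""
    der = b"\x30\x82\x01\x00" + bytes(range(256))
    b64 = base64.b64encode(der).decode("ascii")
    rows = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "\n".join([BEGIN, *rows, END]) + "\n"

if __name__ == "__main__":
    # Simulate a paste that lost one dash from the first line.
    pasted = make_sample().replace(BEGIN, "----BEGIN CERTIFICATE-----")
    print(check_pem_text(pasted))
```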


Method 2:
Download the certificate from VeriSign Trust Center: SO8061

Reminder:
If you download the certificate from your VeriSign Trust Center account or install it from the email received, save it with a .txt or .p7b extension.

If you install a certificate downloaded from your VeriSign Trust Center account in X.509 format, save it with a .txt or .cer extension.


Step 1: Installing SSL Certificate into IIS 6.0
  • Open the Internet Services Manager (IIS)
  • Click Start
  • Select All Programs > Administrative Tools
  • Choose Internet Information Services (IIS) Manager
  • Under Web Sites, right-click your web site and select Properties > Directory Security tab.
  • Under Secure Communications, click Server Certificate
  • The Web Site Certificate Wizard will open, click Next.
  • Choose Process the Pending Request and Install the Certificate, then click Next.
  • The pending request must match the response file. If you deleted the pending request in error you must generate a new CSR and replace this certificate.
  • Select the location of the certificate response file, and then click Next.
  • Verify the summary screen and then click Next.
  • After the confirmation screen, click Next.
  • Be sure to assign your site an SSL port (443 by default).

Step 2: Locate and Disable the VeriSign Class 3 Public Primary Certification Authority - G5 Root CA certificate
  • Create a Certificate Snap-In in Microsoft Management Console (MMC).
  • With the MMC and the Certificates snap-in open, expand the Trusted Root Certification Authorities folder on the left and select the Certificates sub-folder.
  • Locate the following certificate:
      Issued to: VeriSign Class 3 Public Primary Certification Authority - G5
      Issued by: VeriSign Class 3 Public Primary Certification Authority - G5
      Expiration Date: 7/16/2036
      Serial Number: 18 da d1 9e 26 7d e8 bb 4a 21 58 cd cc 6b 3b 4a
  • If this certificate is present, it must be disabled.
  • Right click the certificate
  • Select Properties
  • In the Certificate purposes section, select Disable all purposes for this certificate
  • Click the OK button
  • Close the MMC - there is no need to save console settings

Step 3: Verify certificate installation

Stop and start your Web server prior to any testing. In some cases the changes may not take place after restarting IIS Services and a re-boot is needed.

Choose VeriSign SSL Certificates for maximum reliability for your websites. Increase your online sales with the most supported and widely trusted Cheap SSL Certificate Provider – VeriSign.

Monday, May 2, 2011

Website Security : Trusting SSL Certificates

SSL made its debut in 1994 as a way to cryptographically secure e-commerce and other sensitive internet traffic. A private key at the heart of the system allows website operators to prove that they are the rightful owners of the domains visitors are accessing, rather than impostors who have hacked the users' connections.

Almost every year, a disaster has exposed the weak links in what is to be called the Internet’s security provider. In 2008, it was the devastating weakness in SSL, or secure sockets layer, certificates issued by a subsidiary of VeriSign. The following year, it was the minting of a PayPal credential that continued to fool Internet Explorer, Chrome and Safari browsers more than two months after the underlying weakness was exposed.

In 2010, it was the mystery of a root certificate included in Mac OS X and Mozilla software that went unsolved for four days until RSA Security finally acknowledged it had fathered the orphan credential. This year, it was last month's revelation that unknown hackers broke into the servers of a reseller of Comodo, one of the world's most widely used certificate authorities, and forged documents for Google Mail and other sensitive websites.

It's difficult to overstate the reliance that websites operated by Google, PayPal, Microsoft, Bank of America and millions of other companies place in SSL. Still, its repeated failures point to the weakness in the system.

Though SSL's vulnerabilities are worrying, critics have reserved their most scathing assessments for the business practices of VeriSign and the other so-called certificate authorities, known as CAs. Once their root certificates are included in Internet Explorer, Firefox and other major browsers, they can't be removed without creating disruptions on large areas of the net.

Mike Zusman, Sr. consultant at security firm Intrepidus Group, says:

“In terms of what the CAs do, it seems like it's a bit of the old west. It doesn't seem like anyone is holding them accountable, even when something as severe as the Comodo incident happens.”

Zusman knows about careless CA practices. In 2008, he applied for an SSL certificate that would allow him to pose as the rightful operator of Microsoft's Live.com domain, which is used to log on to Hotmail and other sensitive online services. In about two hours, VeriSign subsidiary Thawte issued the credential with almost no questions asked. Zusman's sole qualification was his control of the email address sslcertificates@live.com, which was enough to convince the automated processes at Thawte that he was authorized to own the certificate. In December of that year, a Comodo reseller issued similar no-questions-asked credentials for Mozilla.com to a separate researcher who had no association with the software group.

The reports of sloppily issued certificates continue to pile up. Recently, a researcher from the Electronic Frontier Foundation found that CAs have issued more than 37,000 SSL credentials for so-called unqualified domains, such as "localhost," "exchange," and "exchange01". These are the prefixes that many organizations append to their domains and use to designate Microsoft Exchange servers and other internal resources.

The Electronic Frontier Foundation's Chris Palmer says:
“Although signing 'localhost' is humorous, CAs create real risk when they sign other unqualified names. What if an attacker were able to receive a CA-signed certificate for names like 'mail' or 'webmail'?”

GoDaddy was the worst offender, but other CAs have also been guilty, said Palmer, who warned that the practice aids attackers targeting the mail servers and intranets of huge numbers of companies.

In a truly free market, users could shun actors with spotty track records. But that's not possible in the world of SSL certificates. With prominent CAs responsible for validating millions of previously issued certificates, browser makers can't withdraw their root certificates from their software without breaking the sites that bought them.

As a result, virtually every browser continues to place unrestricted trust in Comodo, VeriSign and other CAs despite their vulnerabilities. They also accept certificates generated by the China Internet Network Information Center, which many argue is not trustworthy. Moreover, even Google, which has accused China of perpetrating a large hacking campaign against it and scores of other companies, allows its Chrome browser to trust the credential.