Since January 2017, Google Chrome and Mozilla Firefox have been actively pushing for safer browsing by warning users about sites that do not use an encrypted connection. Starting from v. 51 of Firefox and v. 56 of Google Chrome, all sites using an HTTP connection have been marked as not secure. This measure is meant to encourage webmasters to use HTTPS instead of HTTP. Initially, however, it primarily affects sites that use online forms: if a user is about to submit credit card details, enter account credentials such as a login and password, or submit any personal data, the browser warns that the sensitive data will be sent over an unsecured channel. Moreover, according to Google, an unsecured connection will affect a page's position in search engine rankings.
That is why switching from HTTP to HTTPS has become a priority update for many webmasters. The good news is that there are multiple ways to get free certificates, so switching to a secure connection is just a matter of desire and responsibility. There is still the option of using a self-signed certificate for testing purposes.
What is the main difference between HTTP and HTTPS?
HTTPS (or HTTP Secure) provides the client and server with an encrypted channel for passing sensitive data privately. The three main reasons to use HTTPS are as follows:
- confidentiality: it protects communication between client and server. For instance, if a customer makes an online purchase over a Wi-Fi network on a webpage using HTTP, the Wi-Fi owner has access to all of the customer's private data, including credit card details.
- integrity: it guarantees that information is passed as is, in full and without any changes. No third party can interfere and alter webpage content on its way from the server to the end user.
- authentication: it confirms that the webpage is real; no third party is able to fake the domain that the end user is going to access. Some certificates even confirm the legal identity of the webpage owner, for instance, that the yourbank.com domain belongs to YourBank, Inc.
To obtain and install an HTTPS certificate, take the following steps:
- Create a pair of keys (a private and a public key) and prepare a Certificate Signing Request (CSR), which includes organization information and a public key.
- Contact a certificate authority and request an HTTPS certificate using the CSR.
- Get a signed HTTPS certificate and install it on your server.
During this procedure you will be working with a set of files: a secret key, a public key, the CSR and the signed HTTPS certificate. Note that different parties use different names and extensions for the same files. For instance, of the two popular storage formats, DER (binary) and PEM (DER in base64 encoding), Windows would use DER and Linux/UNIX would use PEM. There are also tools (OpenSSL) to convert files from one format to another.
Example:
- yourdomain.com.key is the file with the secret key (it should be protected and available to the superuser only)
- yourdomain.com.pub is the public key file
- yourdomain.com.csr is the Certificate Signing Request, which should be sent to the certificate authority
- yourdomain.com.crt (.cert or .cer) is the HTTPS certificate provided by the certificate authority
There is no strictly required format for file names, so you can choose them at your convenience. What matters is that you specify them correctly in the server configuration files and in the commands you run during installation.
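As an added example (not part of the original article), the key pair, the CSR and the PEM/DER conversion described above can be produced and checked with OpenSSL as follows. The file names come from the list above; the subject values and the helper function names are assumptions made for the illustration.

```bash
#!/bin/sh
# Added example (not from the original page). File names follow the page's list;
# the subject values (C=US, O=Example Org) are constructed placeholders.
DOMAIN="yourdomain.com"

# Key pair plus CSR, written into directory $1 (body runs in a subshell).
make_csr() (
    cd "$1" || exit 1
    umask 077   # the private key file is created readable by its owner only
    openssl genrsa -out "$DOMAIN.key" 2048 2>/dev/null || exit 1
    # Public key derived from the private key.
    openssl rsa -in "$DOMAIN.key" -pubout -out "$DOMAIN.pub" 2>/dev/null || exit 1
    # CSR = organization information + public key, signed with the private key.
    openssl req -new -key "$DOMAIN.key" -out "$DOMAIN.csr" \
        -subj "/C=US/O=Example Org/CN=$DOMAIN"
)

# Common Name in the CSR; it must exactly match the domain being certified.
csr_cn() {
    openssl req -in "$1" -noout -subject | sed -n 's/.*CN *= *\([^,/]*\).*/\1/p'
}

# True when the public key embedded in the CSR belongs to the private key.
csr_matches_key() {
    [ "$(openssl req -in "$1" -noout -pubkey)" = \
      "$(openssl rsa -in "$2" -pubout 2>/dev/null)" ]
}

# PEM -> DER conversion of the CSR.
csr_to_der() { openssl req -in "$1" -outform DER -out "$2"; }

# PEM is base64-encoded DER: decoding the PEM body must reproduce the DER file.
pem_body_equals_der() {
    grep -v '^-----' "$1" | openssl base64 -d | cmp -s - "$2"
}

work="$(mktemp -d)"
make_csr "$work" && csr_to_der "$work/$DOMAIN.csr" "$work/$DOMAIN.csr.der" &&
    echo "CSR for $(csr_cn "$work/$DOMAIN.csr") written to $work"
```

The same public-key comparison applies to the signed certificate once the certificate authority returns it, using `openssl x509 -in yourdomain.com.crt -noout -pubkey` in place of the `openssl req` call.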
How to request and install an HTTPS certificate in the Plesk panel
Step 1 is to generate keys and CSR.
- Log in to Plesk.
- Go to Websites and Domains and select the domain you want to provide HTTPS for.
- Click the Secure Your Sites option.
- Click the Add SSL certificate button.
- You will be redirected to a page with a form to fill out. Make sure the information you provide is true and accurate, as it will be publicly visible in your certificate. Also make sure that the value of the Domains field exactly matches the domain name you are requesting the certificate for. When you are done, click Request.
- Clicking Request will send the CSR to your email address.
Step 2 is to purchase an HTTPS certificate.
- Find an HTTPS certificate seller.
- Select a type of certificate (DV, OV, EV, single domain, multiple domains, etc.) and pay for it.
- Activate the new certificate for your domain. For this, you will be asked to insert or upload the content of the CSR file.
- Select a method for DCV (domain control validation). There are multiple methods, so you will be given specific instructions for the one you choose and will need to follow them.
- Wait a few minutes until the validation process is complete and download your certificate.
Step 3 is to install it on your server.
- In your Plesk panel, go to the Websites and Domains section and select the domain you want to install SSL for.
- Click the Secure Your Sites section.
- In the list, find the record that was created while generating the CSR and click to open it.
- On the next page you will be asked to upload the certificate files provided to you by the certificate authority, or to paste them into the text fields. Then submit the form.
- In the Websites and Domains section, click Hosting Settings next to the desired domain and open the Security section.
- There you will see a Certificate dropdown. Select your certificate there and save your changes.
You are done! In the end, please don’t forget to make sure that your domain is now available at http://yourdomain.com.