9 Common Mistakes to Avoid While Installing an SSL Certificate
9 Common Mistakes to Avoid While Installing an SSL Certificate
Are you making these mistakes when installing your SSL certificate?
Join the DZone community and get the full member experience.Join For Free
Do you know who is accessing your valuable data through your APIs? Discover how
Attempting to Self-Sign Your Certificate
We’ll just come right out and say it — don’t sign your own certificate. Signing your own certificate means you’re authenticating yourself — you’re vouching for yourself. How trustworthy is that!? Have you ever asked someone a question about something they’ve said and they give a response like, “because I said so”—as if that should be proof enough for you? That’s what self-signing a certificate is like. Of course, you’re going to claim you’re legitimate. Who would admit they’re not? In turn, the browsers are going to look at your self-signed certificate with an air of suspicion, which will prompt them to warn your website’s visitors that, ‘hey, this site may not be trustworthy.’ This isn’t a trivial error, either. Browsers will show a full-page warning, preventing visitors from getting to your site without clicking through a dialogue telling them they are putting themselves at risk. And that’s bad for business.
Choosing the Wrong Certificate Authority
Don’t self-sign your certificate and don’t pick the wrong Certificate Authority (CA). This is true on two levels. First, you want to make sure that your CA is trusted, meaning that the browsers have authorized them to issue SSL certificates in the first place. Otherwise, you’re going to run into the same problems you’d have with a self-signed certificate where the browsers are going to warn your visitors about the trustworthiness of your website. The second level is that not all CA’s are created equal. You may want to go with the bargain bin CA to save money, and that’s fine, but the returns on your investment aren’t going to be the same as if you went with a well-recognized CA. Better CAs often package other security solutions with their certificates and also include more recognizable trust seals, which are proven to boost conversions and consumer confidence. So choose wisely.
Mistake on Your Certificate Signing Request
The certificate cannot be generated if the Certificate Signing Request (CSR) is done incorrectly. The CSR process will differ, depending on the software you use (or sometimes, you can use a third-party system to generate it). It’s absolutely vital that when you generate your CSR and take your time with the process because if you rush through it and make a mistake, you can really mess up the rest of the installation or, perhaps, not even get your certificate issued at all. That means both following the steps given by the software you’re using and also entering your information so that it is absolutely correct, and by absolutely correct, we mean so that all the details match the site you’re registering for, the company you’re registering for, etc. It’s also important that you verify the CSR in the initial stage of generation to make sure there are no errors present — lest you run into a major headache later on.
Ill-Prepared for the Validation Process
The Certificate Authority is going to need to vet you and your organization before they issue the certificate. For a Domain Validated certificate, this is as simple as having the correct WHOIS registry information and being able to respond to an email. However, for better certificates like Organization Validation and Extended Validation, you’ll need to furnish some information in order to satisfy all the requirements. A lot of times, a company or organization will make a mistake that prevents them from getting validated. It may be that your registration information is out of date and doesn’t reflect what you put down on your CSR. It could be that your company operates under a DBA and it’s not listed properly. It could be something as simple as your organization not having a publicly listed phone number. Regardless, you will need to make sure that all of your ducks are in a row before you go through authorization, or at best, there will be delays, at worst you won’t be issued a certificate at all.
Mistake With Your Private Key
When you generate your CSR, your computer also creates a file known as the Private Key. This key is vital, as it unlocks the encrypted communications being passed from your visitor’s web browsers to your web server. Without it, your certificate won’t work at all. So it goes without saying that the security of your private key is crucial. If you somehow lose it, you have to get the CA to reissue your certificate. And if it gets compromised, as in you accidentally share it with someone, your website is no longer secure and you have to get the CA to reissue your certificate. Don’t make it so you have to get the CA to reissue your certificate. Take care of your private key.
Don’t Follow the Guide
You know that male stereotype about how guys don’t like to ask for directions? Well, when it comes to installing SSL — don’t be THAT guy. Unless you’re an IT professional – in which case you wouldn’t be reading this article — chances are you don’t know your way around a server well enough to install SSL without a little bit of help. So follow the guide. It’s that simple. Most guides are fairly comprehensive and will give you step-by-step instructions — down to command lines — on how to properly install your SSL certificate, how to configure your server, etc. It’s all there. So why would you be headstrong and eschew that kind of direction in favor of trying to do it with nothing but a little grit and your best instincts? Got it? Good. Follow the guide.
Don’t Contact Support Following a Mistake
You may come to a point in the installation where it becomes obvious you have made a mistake. You are at a crossroads. You could either continue plowing forward, hoping you will somehow fix the problem and complete the installation without issue or you could pick up the phone or go online via chat and contact customer support. We know, you’ve ‘had bad experiences with customer support before.’ Nobody wants to go that route. But in this instance, you’d be crazy not to. Customer support can walk you through the steps you need to finish the installation or, in some cases, they may be able to install it for you themselves. Either one is definitely preferable to spending a few more hours trying to retrace your own steps, fix your mistakes, and finish the installation process by yourself. And think of a headache that comes along with that. If you get in a pinch, just call support. That’s what they’re there for.
Forgetting to Test After Installation
Usually, when you finish any task you want to test to make sure your work paid off, right? This could mean spinning a newly replaced bike tire or turning on a freshly rebuilt engine. Regardless, you need to be sure to test your work. Why would you go through all of the trouble of installing an SSL certificate and not make sure it’s working properly? So go ahead and check your website after finishing installation to make sure that your SSL certificate is working properly. Otherwise, you may think you’ve done your part and that you’ve secured your site and taken care of your customers, when, in fact, you’ve done none of that. You can conduct a basic test by trying to visit your site with the HTTPS protocol – just type “https://your-domain.com” into the address bar and look for the padlock (or Green Address Bar with EV Certificates) to know if it’s working properly. We know you’re probably anxious to get up and go get some fresh air after the mental gymnastics it took to install this thing, but follow this last step and see it all the way through.
SSL Checker Tool: https://comodosslstore.com/ssltools/ssl-checker.php
Forgetting Your Renewal Date
This is the last one, we promise. These SSL Certificates, the ones you’re installing, they don’t last forever. They typically have a lifespan of 1-2 years. This is because the CA’s need to continually authenticate your identity if they’re going to keep vouching for it. This means you have to renew them. Don’t forget that. You won’t be alone if you do forget; big companies like Apple, Google, and Yahoo have made the same mistake — but it will mean your site is temporarily unsecured, or maybe even inaccessible. Nobody wants that. So make sure to write down your expiration date in a place that you’ll remember it. If you do forget it, you can always open the certificate file to check on it again. Just make sure that when you start approaching that date, you make plans to renew. And try to give yourself a little bit of time. Don’t do it the day before. Just one more helpful tip from us! Hope this helps!
Published at DZone with permission of Sanjay B. . See the original article here.
Opinions expressed by DZone contributors are their own.