SSL certificates have become an essential security element of any website. Long gone are the days when only e-commerce stores and financial institutions were using them. Today, even a basic website requires a digital certificate so it can work properly and do well in a competitive niche.
According to Google, more than 80% of the Web is now encrypted. This is a remarkable boost from 50% in 2014, when Google launched the “HTTPS Everywhere” campaign. With Chrome now flagging HTTP websites outright as “Not Secure”, there aren’t any excuses left to ignore or delay the HTTPS transition.
Although HTTPS adoption is in full flow and fast approaching the 90% mark, many encrypted websites remain vulnerable to cyber-threats because of substandard SSL implementations.
This article will reveal the best SSL management practices when installing a digital certificate on a website. With so many crucial aspects to cover, we’ll keep it concise but detailed. For most websites, doing the basics will suffice. Some more complex systems may require further optimizations. If this is your case, refer to this comprehensive documentation.
Best SSL management practices in 2019 – an overview
- Select a trustworthy Certificate Authority (CA)
- Generate the CSR (Certificate Signing Request) code and your private key
- Import and configure the SSL files on your server
- Optimize your new HTTPS site
- Test your SSL certificate for potential errors and vulnerabilities
- Follow the latest SSL industry news and web security threats
Select a trustworthy Certificate Authority (CA)
Anyone can issue an SSL certificate, but only a select few can sign a digital certificate trusted by 99% of browsers. Welcome to the world of Certificate Authorities, one of the most regulated entities in the Web security industry. A trustworthy CA complies with a set of strict requirements and is subject to regular audits. Since all Web browsers come pre-installed with the root certificates (and thus the public keys) of all the major Certificate Authorities, it’s fairly easy to tell a reliable CA from a fake one.
Among the most popular SSL providers, with years of experience in data encryption, are Sectigo (formerly Comodo), GeoTrust, Thawte, RapidSSL, and Symantec. All these CAs offer a wide range of SSL products, including Extended Validation, Wildcard, and Multi-Domain certificates. With millions of customers worldwide, their technical support is first-class. You can contact one of their experts via email, phone, or live chat to quickly solve any issue.
Generate the CSR code and your private key
After you choose the SSL brand and product, your next step is to generate the mandatory Certificate Signing Request along with your private key. The CSR contains data about your website and company, and the Certificate Authority will use it to create a public key to match your private key.
The best way to generate a CSR code is on the server where you intend to install the certificate. We’ve written more than 50 guides on how to generate a CSR code on various platforms. Alternatively, you can use our CSR Generator tool to automatically create your CSR and private key.
It’s imperative to back up your private key and keep it safe. If you generate the CSR on your server, the private key will stay there. However, if you create your CSR via another program, you’ll have to import your private key manually into your system. Make sure you generate it on a secured and trusted computer. Here are a few essential aspects to consider when dealing with private keys:
- The optimal size of a private key is 2048-bit RSA or 256-bit ECDSA. Smaller keys are easier to crack, while larger keys don’t scale well and are slower. For most websites, 2048-bit RSA keys are the default choice.
- Never let a CA or a third-party entity generate the private key for you.
- If you suspect that your private key has been compromised, reissue your certificate ASAP.
Import and configure the SSL files on your server
The best time to install your SSL certificate is during the development stages. Do it at least one week before your website goes live. This way, you’ll have enough time to address any potential errors and issues.
After your CA approves your certificate request, it will send the installation files in a ZIP archive. Download the archive to your device and extract its contents. A usual installation pack will contain your server certificate and the intermediate certificates. Ensure that your server supports the SSL certificate format and file extensions. Sometimes, you may have to convert your SSL files into another format.
Upload your certificate files as requested by your server. Pay close attention to your intermediate certificate, as it gives browsers the full chain of trust and keeps your website secure on older browser versions as well. If the intermediate certificate is missing, browsers will show your visitors a security warning. Other critical points to consider when configuring your certificate:
- Use the latest SSL/TLS protocols. TLS 1.2 is currently the standard version in use across the Web. The brand-new TLS 1.3 is also supported in the latest versions of popular browsers. Anything other than TLS 1.2 or TLS 1.3 is obsolete and deprecated.
- Use secure AEAD cipher suites that offer at least 128-bit encryption, strong authentication, and key exchange. Avoid ADH (Anonymous Diffie-Hellman) suites, as they don’t provide authentication, and stay away from NULL cipher suites, since they offer no encryption.
- Enable Forward Secrecy to make sure that a compromised private key will not expose previously recorded sessions.
- Use TLS Session Resumption to optimize performance by letting your server keep track of recent SSL/TLS sessions and reuse them.
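The two configuration points that most often go wrong in practice, the missing intermediate and a cipher string that still admits ADH or NULL suites, demonstrated offline as an added example (not code from the original article): it builds a throwaway root, intermediate and leaf with OpenSSL, shows that a client trusting only the root rejects the leaf until the intermediate is supplied, and audits a cipher string with `openssl ciphers -v`. All certificate names and the hostname are constructed test values.

```shell
#!/bin/sh
# Added example (not from the original article): build a throwaway
# root -> intermediate -> leaf chain with OpenSSL to show why the intermediate
# must be served, then audit a cipher-suite string for ADH and NULL suites.
# All names and the hostname are constructed test values.
set -eu
D="${D:-$(mktemp -d)}"
newkey() { openssl ecparam -name prime256v1 -genkey -noout -out "$1"; }   # 256-bit ECDSA

# Root, intermediate (CA:TRUE) and leaf certificates, each valid for 30 days.
make_chain() {
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$D/ca.ext"
  printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:www.example.com\n' > "$D/leaf.ext"
  newkey "$D/root.key"; newkey "$D/int.key"; newkey "$D/leaf.key"
  openssl req -new -key "$D/root.key" -subj "/CN=Test Root" -out "$D/root.csr" 2>/dev/null
  openssl x509 -req -in "$D/root.csr" -signkey "$D/root.key" -days 30 \
    -extfile "$D/ca.ext" -out "$D/root.crt" 2>/dev/null
  openssl req -new -key "$D/int.key" -subj "/CN=Test Intermediate" -out "$D/int.csr" 2>/dev/null
  openssl x509 -req -in "$D/int.csr" -CA "$D/root.crt" -CAkey "$D/root.key" -CAcreateserial \
    -days 30 -extfile "$D/ca.ext" -out "$D/int.crt" 2>/dev/null
  openssl req -new -key "$D/leaf.key" -subj "/CN=www.example.com" -out "$D/leaf.csr" 2>/dev/null
  openssl x509 -req -in "$D/leaf.csr" -CA "$D/int.crt" -CAkey "$D/int.key" -CAcreateserial \
    -days 30 -extfile "$D/leaf.ext" -out "$D/leaf.crt" 2>/dev/null
  # What the server should serve: the leaf first, then the intermediate, never the root.
  cat "$D/leaf.crt" "$D/int.crt" > "$D/fullchain.pem"
}

# A client that trusts only the root and is not sent the intermediate: fails.
verify_leaf_only() { openssl verify -CAfile "$D/root.crt" "$D/leaf.crt" >/dev/null 2>&1; }

# The same client when the server sends the full chain: succeeds.
verify_full_chain() {
  openssl verify -CAfile "$D/root.crt" -untrusted "$D/fullchain.pem" "$D/leaf.crt" >/dev/null 2>&1
}

# Succeeds only if the string expands to at least one suite and none of them
# lacks authentication (Au=None, i.e. ADH/AECDH) or encryption (Enc=None).
cipher_string_is_safe() {
  openssl ciphers -v "$1" 2>/dev/null |
    awk '{ n++ } $4 == "Au=None" || $5 == "Enc=None" { bad = 1 } END { exit (n == 0 || bad) }'
}

make_chain
verify_leaf_only && echo "leaf alone: accepted (unexpected)" || echo "leaf alone: rejected, intermediate missing"
verify_full_chain && echo "full chain: verified"
cipher_string_is_safe 'ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!eNULL' && echo "cipher string: no ADH/NULL suites"
```

Point `cipher_string_is_safe` at the exact cipher string from your server configuration to confirm it excludes anonymous and NULL suites before deploying it.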
Optimize your new HTTPS site
Installing an SSL certificate is a job half done. To complete the HTTPS transition, you need to adjust your website as well. One of the worst culprits of annoying SSL connection errors is mixed content. You should tackle it straight away after the SSL installation. Use this tool to scan your website for non-secure HTTP content and move all the unsecured images, files, and scripts to HTTPS. Check our 10-point SEO checklist for a successful HTTPS migration.
Finally, be careful when using third-party applications such as plugins, Google Analytics, or JavaScript code on your website. While most of them don’t pose a security risk, their popularity is a double-edged sword and makes them a big target for attackers. Avoid free website themes, outdated plugins, and any suspicious-looking apps.
Test your SSL certificate for potential errors and vulnerabilities
After you install the SSL certificate and optimize your site, it’s a good time to run a diagnostic scan and test your website for any potential SSL-related errors and vulnerabilities. We’ve prepared a list of high-end SSL tools with instant reports and fixes for our readers.
Follow the latest SSL industry news and web security threats
While your SSL certificate works quietly in the background, you should keep an eye on the latest trends and developments in the SSL industry, so you don’t miss a major event. New, sophisticated cyber-threats can emerge out of nowhere, and you don’t want to be the last person learning about them.